I need help to replace a stupid virus code in all files on server with blank
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I need help to replace a stupid virus code in all files on server with blank
Hello everyone ,
I am contacting you because I have a problem from 2 years.
I have time to time an injection on server who infect almost all of files on my linux server, i don't know how to stopit it, i tryed many times with last versions of antivirus, malware, etc I get tired of it and i wast too much time
So I decided to make a script and put it as cron daily to search in all files and folder in linux and replace the code with blank , this way it can get infected 3 times in a day and it will be auto clean
I don't have code now but it's a quite big encripted code , i guess 2000 characters and have all type of charactes like $ / etc.
example "/$p2rerkfjkaj35"FASFAsfa//fsafaf/fsa"
So I need to replace "/$p2rerkfjkaj35"FASFAsfa//fsafaf/fsa" wich "" ( just blank ) and consider that code it's quite big and have characters like "/" in it
This virus that infects human brains and makes us more stupid, is very dangerous, so you need to have a strong antivirus on your computer which is able to detect those virus, more scanning your computer and having sunglasses to protect your eyes.
thank you.
Nduwimana Gabriel.
You do not "fix" Linux computers with antivirus. Your Linux box either is clean or is infected. Windows-like thinking, oh, I got most of it out does not work and is not acceptable in Linux.
Take the infected machine offline ASAP, only complete re-install will put you back in business. Make sure you harden your server before putting it back online.
The whole mess smacks of incorrect file and directory permissions.
Instead of your "example" how about some actual content of the infection? Say just 100 characters or so.
Do you see any "eval(base64_decode" stuff (or similar) in your php files?
Where in the file are these infections?
Are you certain credentials aren't exploited? (ftp passwords are usually suspect).
Files should be 644 and
directories should be 755.
Few exceptions would be cgi-bin stuff.
Clamscan can detect and identify infected web-content/files.
rkhunter can check for rootkits.
Merely running a cron job to replace infections is locking the barn door after the horses have escaped.
Writing blanks to those files will NOT end the problem.
It is not a virus, you cannot take a pill and feel better tomorrow!
Your server has been compromised.
There will be multiple other entry points that will not be found by such a script
which will allow the intruder to simply rewrite all the php files... again... as you have already seen.
READ THIS AND UNDERSTAND IT:
Quote:
1. Take that system offline immediately - no excuses - do not return
it to service! Every minute that it remains online it continues to deliver SPAM and malware to others!
2. YOU* CANNOT clean up that server with a script or anti-virus program! Forget about it!
The ONLY way to stop this is to reinstall from the ground up from known clean sources.
If you do not have known clean sources then shut it down and start over, keeping frequent known clean
backups this time!
*(Someone with knowledge, time and access might clean it up, but it would not involve copy/paste scripts
or antivirus and would always take much longer and be less reliable than a clean reinstall)
Quote:
I am contacting you because I have a problem from 2 years.
If this has indeed been ongoing for two years, that is your server has been delivering giga-bytes of
SPAM to the internet for two years, you should consider switching to to some other line of business!
i tryed many times with last versions of antivirus, malware, etc I get tired of it and i wast too much time (..) So I need to replace
No, replacing text isn't going to solve your problem as it will only give you a false sense of control.
Quote:
Originally Posted by pvdoffice
I have time to time an injection on server who infect almost all of files on my linux server, i don't know how to stopit it,
The fact that you have had these problems for the past two years is telling. If you can't control a situation there's always other resources to get help from ranging from asking at a local LUG to hiring a capable sysadmin to correct things for you and in the right way. And two years also says you most likely haven't made any drastic decisions either to combat this problem. OK. Enough about that.
Indeed you need to reinstall a current version of the OS you use and you really need to properly harden it before you expose it but you particularly need to pay attention to what runs in your web stack because re-installing the OS and then simply restoring any CMS, board or photo gallery software without careful scrutiny will result in failure.
If unsure start by reading up on things and post a more detailed account of 0) your situation like if it's a shared hosting account or a private server, if you have a single user or if it's a multi-tenant setup, 1) what software (names and versions) you run, same for plugins, themes, addons, extensions and other such modifications and 2) a detailed account of the measures you took to combat this problem.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.