Author Topic: HELP: Infected scripts .php with evil malefic viruses

Offline buzduganTopic starter

  • Irregular
  • Posts: 3
HELP: Infected scripts .php with evil malefic viruses
« on: March 17, 2010, 03:39:12 PM »
Being a new member, and this being my 1st post, I would like to say a friendly "HI!" to everyone!

I'm in charge of administering a simple PHP website. No fancy e-commerce scripts, no fancy authentication methods, just your average pics and scripts.

In the last few days, every time I try to access the website my antivirus (Kaspersky IS 2010) returns a disturbing message:

Virus/Trojan found: Exploit.JS.Agent.avl, and blocks me from viewing the website.

After downloading some random files of random extensions (.jpg, .html, .php etc.), I've discovered that this evil-keep-me-busy-from-my-daily-routines virus infects only .HTML files and .php files.

Since the antivirus can't disinfect them, and the website wasn't made by me, and I'm not familiar with the links and everything, I can't just delete the infected files and start writing the code from scratch.

Can you guys help me with a good method of removing viruses from .php files?

From what my brain has told me, it should be an evil script injected in the .php file (probably a few lines of evil code).

My solution: disable antivirus, open the .PHP file, look for nasty code, delete it and copy/overwrite it back on the website (via FTP).

If you could help me, it would be really nice... anything: advice, tips, even better, solutions!
Thank you in advance!

Adrian

Offline fr34k

  • Irregular
  • Posts: 39
  • Gender: Male
  • Textbook case for Sigmund Freud
Re: HELP: Infected scripts .php with evil malefic viruses
« Reply #1 on: March 17, 2010, 04:25:17 PM »
The site that is infected, is it a publicly available script?  Can you provide a name of the PHP application?

I ask because if it got in through some exploit in your scripts, then cleaning it is kind of fruitless.  It'll likely be back, very soon.  If you can upgrade or patch the PHP application, it might prevent re-infection (and in the upgrade/patch process, might even overwrite the infected files.)

It's very important to remove the origin of the infection, as quickly as possible.

Offline buzduganTopic starter

  • Irregular
  • Posts: 3
Re: HELP: Infected scripts .php with evil malefic viruses
« Reply #2 on: March 17, 2010, 05:15:40 PM »
Nooo... it's something way simpler... just pics, links and a simple SQL database (that is not working... yet).

I've uploaded some of the infected files. It's not a virus, just an evil script that gets executed after being parsed by the PHP server, so opening it with something harmless like Notepad is no problem. I'm 100% convinced that the evil code will spark in your eyes.

Until now everything is as I expected.

Step 1: Download all .html and .php files, and scan with AV. Probably all will be infected.

Step 2: Open each file and remove the nasty piece of code. It would be swell if I could find a simple program that removes text from one file by comparing it to another file.

File 1 - infected

File 2 - text to delete

Final file = File 1 - File 2; simple in theory, will be hard to produce.

Step 3: Replace all files by overwriting using the FTP client.

[attachment deleted by admin]
« Last Edit: March 17, 2010, 05:18:56 PM by buzdugan »

Offline darkfreaks

  • Fanatic
  • Posts: 4,306
  • Gender: Male
Re: HELP: Infected scripts .php with evil malefic viruses
« Reply #3 on: March 17, 2010, 05:46:41 PM »
Why not just remove the nasty JavaScript code at the bottom of each PHP file? :wtf:

Offline nafetski

  • Enthusiast
  • Posts: 270
Re: HELP: Infected scripts .php with evil malefic viruses
« Reply #4 on: March 17, 2010, 06:06:41 PM »
Alright yeah - looking at that it definitely looks like the javascript at the bottom :P

What we want to find out is how that javascript is being appended at the bottom of every file.

There are SOOO many ways this could be happening.  My first guess is that someone got credentials into your web server, and has a process running that keeps appending the malicious code to all your JS.

Where are you hosting this?
Dev Environment: Mac - OSX Snow Leopard / Eclipse / Kohana PHP Framework
Job: Sr Software Developer: (Large scale enterprise)
Notice:  Most of my forum posts I write on my iPhone while taking a dump.  This means that I don't test most of my code, and I might sound like I'm impatient...really I'm just busy punching a grumpy
Also: I've hit Google so many times it's asking for a divorce

Offline darkfreaks

  • Fanatic
  • Posts: 4,306
  • Gender: Male
Re: HELP: Infected scripts .php with evil malefic viruses
« Reply #5 on: March 17, 2010, 11:52:21 PM »
1.) remove the JavaScript code
2.) change your FTP login information

should solve your problem more than likely  8)

Offline LeadingWebDev

  • Enthusiast
  • Posts: 79
  • Gender: Male
  • Develop till the end!
Re: HELP: Infected scripts .php with evil malefic viruses
« Reply #6 on: March 18, 2010, 12:51:25 AM »
Be careful.
It's probably an <IFRAME> of 1x1 pixels.
Location: between <body> and </body>, mostly at the bottom.

I will say it's not just a matter of changing the FTP login info; the server may be hacked from even another site hosted on the same server, and then with a shell they just uploaded a PHP script that loops through all server files and inserts the IFRAME in every page.

If you get the same infection again, you will probably need to contact the server administration ASAP.
Main rule -> Deny ALL except what you expect.
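The "Final file = File 1 - File 2" clean-up that the topic starter describes in Reply #2, together with the 1x1-pixel IFRAME and trailing-script indicators named in this reply, can be turned into a small offline checker. The following is an added example written for this thread, not code posted by anyone in it: it walks a downloaded copy of the site, reports hidden iframes and `<script>` blocks appended after `</html>`, and strips one known injected snippet (your "File 2") from every file, writing a `.bak` copy first. The sample files, the `injected.example` hostname and the snippet text are constructed for the demo; run it against a local download, review the report, and only then upload the cleaned files.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Indicators of the kind of injection discussed in the thread (heuristic, not exhaustive):
# an iframe whose width or height is 0/1 px, and <script> blocks sitting after </html>.
HIDDEN_IFRAME_RE = re.compile(
    r'<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?\s*[01]\s*["\']?[^>]*>.*?</iframe>',
    re.IGNORECASE | re.DOTALL)
TRAILING_SCRIPT_RE = re.compile(
    r'(</html>\s*)(<script\b.*?</script>\s*)+$', re.IGNORECASE | re.DOTALL)


def find_indicators(text):
    """Return a list of (label, snippet) for suspicious constructs in one file's text."""
    hits = [("hidden-iframe", m.group(0)) for m in HIDDEN_IFRAME_RE.finditer(text)]
    m = TRAILING_SCRIPT_RE.search(text)
    if m:
        hits.append(("script-after-html", m.group(2)))
    return hits


def strip_snippet(text, snippet):
    """File 1 minus File 2: remove every occurrence of a known injected snippet.
    Whitespace between tokens is matched loosely so a snippet copied from one
    file still matches the same code in another file with different line breaks.
    Returns (cleaned_text, number_of_removals)."""
    pattern = r'\s*' + r'\s*'.join(re.escape(tok) for tok in snippet.split())
    return re.subn(pattern, '', text, flags=re.IGNORECASE)


def clean_tree(root, snippet, exts=(".php", ".html", ".htm"), dry_run=True):
    """Walk root, report indicators per file and (unless dry_run) strip the snippet
    in place after saving a .bak copy. Files are read and written as latin-1 so
    every byte round-trips unchanged; only the removed snippet differs.
    Returns {relative_path: (indicator_count, removed_count)}."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.suffix.lower() not in exts:
            continue
        text = path.read_text(encoding="latin-1")
        hits = find_indicators(text)
        cleaned, removed = strip_snippet(text, snippet)
        if removed and not dry_run:
            shutil.copy2(path, path.with_name(path.name + ".bak"))
            path.write_text(cleaned, encoding="latin-1")
        report[str(path.relative_to(root))] = (len(hits), removed)
    return report


# Constructed sample: a page carrying a hidden iframe plus a script appended after </html>.
KNOWN_SNIPPET = ('<iframe src="http://injected.example/in.php" width="1" height="1" '
                 'style="visibility:hidden"></iframe>')
SAMPLE_INDEX = (
    '<?php $title = "Home"; ?>\n'
    '<html><body>\n<h1>Welcome</h1>\n'
    + KNOWN_SNIPPET + '\n'
    '</body></html>\n'
    '<script>/* constructed stand-in for an appended payload */ var x = 1;</script>\n')


def demo():
    """Build the constructed sample site in a temp dir, clean it, and return
    (report, cleaned index.php text, indicators left after cleaning, backup_exists)."""
    root = Path(tempfile.mkdtemp(prefix="cleanup-demo-"))
    (root / "index.php").write_text(SAMPLE_INDEX, encoding="latin-1")
    (root / "about.html").write_text("<html><body><p>About us</p></body></html>\n",
                                     encoding="latin-1")
    (root / "logo.jpg").write_bytes(b"\xff\xd8 not really a jpeg")  # ignored by extension
    report = clean_tree(root, KNOWN_SNIPPET, dry_run=False)
    cleaned = (root / "index.php").read_text(encoding="latin-1")
    leftovers = find_indicators(cleaned)
    backup_exists = (root / "index.php.bak").exists()
    shutil.rmtree(root)
    return report, cleaned, leftovers, backup_exists


if __name__ == "__main__":
    report, cleaned, leftovers, backup_exists = demo()
    for name, (hits, removed) in sorted(report.items()):
        print(f"{name}: {hits} indicator(s), {removed} snippet(s) removed")
    for label, snippet in leftovers:
        print(f"still needs manual review ({label}): {snippet.strip()[:60]}")
```

The report after cleaning matters as much as the removal: the trailing `<script>` in the sample is flagged but not removed, because only the snippet you supplied is stripped automatically. Anything else the scan flags should be read by hand, since a second payload variant or a modified PHP file (the "looping through all server files" script mentioned above) will not match the first snippet. Cleaning the files does nothing about how they were altered; rotating credentials and involving the host, as the replies recommend, is still the part that prevents re-infection.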

Offline darkfreaks

  • Fanatic
  • Posts: 4,306
  • Gender: Male
Re: HELP: Infected scripts .php with evil malefic viruses
« Reply #7 on: March 18, 2010, 01:40:44 AM »
The whole application may need to be recoded and redone with security upgrades to prevent such attacks from happening again; make sure certain file types are disallowed in the future, and certain code like JavaScript/PHP/C++/C/VB.

It looks like it was a JavaScript-based attack that fucked up most of the HTML and embedded itself within the PHP files inside of the HTML.

Also, changing login information helps, but I would check with your host to make sure they haven't had anyone hack into their servers lately and that it was an isolated attack on your site.


Offline buzduganTopic starter

  • Irregular
  • Posts: 3
Re: HELP: Infected scripts .php with evil malefic viruses
« Reply #8 on: March 18, 2010, 02:36:56 AM »
It's hosted by unitehosting.com.