So with the help of this article I have created my own code: Linux Academy
The problem was that this code worked when the exploit code has began and ended with the same value. But our newest infection was a little bit tricky. Every JS files has a different malware comment value in it. So I cant use the code from Linux Academy anymore.
Sucuri have wroted about this infection: Link
The hackers injected encrypted code at the end of all legitimate .js files. Which seems like this (image from Sucuri):
1. Search if there is a JS infection on your server, the -l switch will list only the file names
find . -name "*.js" | xargs grep -E "\/\*[a-z0-9]{32}\*\/" -l | sort
2. Add a new line character before the pattern, this is very important, sed can only delete lines from files upwards.
find . -name "*.js" -exec sed -i "s/\/\*[a-z0-9]\{32\}\*\//\n&/g" '{}' \;
3. Finally delete the malware code from all infected JS files:
find . -name "*.js" -exec sed -i "/[a-z0-9]\{32\}/,/[a-z0-9]\{32\}/d" '{}' \;
Before you try this please test it on one file, i have a CentOS server installed.
I have found three backdoors installed with the help of access_logs and blocked the IPs in our firewall.
/wp-content/plugins/yith-woocommerce-ajax-search/widgets/class44a.php
/wp-content/languages/admin-network-hu_HU182a1.php
/wp-cont.php
I hope this helps someone.
Regards, Peter
Žádné komentáře:
Okomentovat