čtvrtek 11. února 2016

Cleaning JavaScript Malware On Your Linux Server (Removing Javascript Between Two Points)

So, I think everyone has faced this issue who has an own VPS server. Our problem was that sometimes every or some of JS files got infected. It can be a mass to delete the malware code from the files manually.

So with the help of this article I have created my own code: Linux Academy

The problem was that this code worked when the exploit code has began and ended with the same value. But our newest infection was a little bit tricky. Every JS files has a different malware comment value in it. So I cant use the code from Linux Academy anymore.

Sucuri have wroted about this infection: Link

The hackers injected encrypted code at the end of all legitimate .js files. Which seems like this (image from Sucuri):
I have struggled with this infection for a time. And I want to share my solution, which can remove this from every JS file within less then 5 seconds. Every command is called recursivily, so if you run it on public_html/ or www/ folder it will include wp-admin, wp-content, everything. The pattern in our case is a regular expression [a-z0-9]{32} means lowercase letters and numbers and exactly 32 times.

1. Search if there is a JS infection on your server, the -l switch will list only the file names
 find . -name "*.js" | xargs grep -E "\/\*[a-z0-9]{32}\*\/" -l | sort  

2. Add a new line character before the pattern, this is very important, sed can only delete lines from files upwards.
 find . -name "*.js" -exec sed -i "s/\/\*[a-z0-9]\{32\}\*\//\n&/g" '{}' \;  

3. Finally delete the malware code from all infected JS files:
 find . -name "*.js" -exec sed -i "/[a-z0-9]\{32\}/,/[a-z0-9]\{32\}/d" '{}' \;  

Before you try this please test it on one file, i have a CentOS server installed.
I have found three backdoors installed with the help of access_logs and blocked the IPs in our firewall.

I hope this helps someone.

Regards, Peter

Žádné komentáře: