buzdugan Posted March 17, 2010

Being a new member, and this being my 1st post, I would like to say a friendly "HI!" to everyone!

I'm in charge of administrating a simple PHP website. No fancy e-commerce scripts, no fancy authentication methods, just your average pic and script. In the last few days, every time I try to access the website my antivirus (Kaspersky IS 2010) returns a disturbing message: Virus/Trojan found: Exploit.JS.Agent.avl, and blocks me from viewing the website.

After downloading some random files, of random extensions (.jpg, .html, .php etc.), I've discovered that this evil-keep-me-busy-from-my-daily-routines virus infects only .html and .php files. Since the antivirus can't disinfect them, and the website wasn't made by me, and I'm not familiar with the links and everything, I can't just delete the infected file and start writing the code from scratch.

Can you guys help me with a good method of removing viruses from .php files? From what my brain has told me, it should be an evil script injected in the .php file (probably a few lines of evil code).

My solution: disable antivirus, open .php file, look for nasty code, delete it and copy/overwrite it back on the website (via FTP).

If you could help me, it would be really nice... anything, advice, tips, even better, solutions!

Thank you in advance!
Adrian
fr34k Posted March 17, 2010

The site that is infected, is it a publicly available script? Can you provide a name of the PHP application? I ask because if it got in through some exploit in your scripts, then cleaning it is kind of fruitless. It'll likely be back, very soon. If you can upgrade or patch the PHP application, it might prevent re-infection (and in the upgrade/patch process, might even overwrite the infected files).

It's very important to remove the origin of the infection, as quickly as possible.
buzdugan Posted March 17, 2010

Nooo... it's something way simpler... just pics, links and a simple SQL database (that's not working... yet). I've upped some of the infected files. It's not a virus, just an evil script that gets executed after being parsed by the PHP server, so opening it with something as harmless as Notepad is no problem. I'm 100% convinced that the evil code will spark in your eyes. Until now everything is as I expected.

Step 1: Download all .html and .php files, and scan with AV. Probably all will be infected.

Step 2: Open each file and remove the nasty piece of code. Would be swell if I could find a simple program that removes text from one file by comparing it to another file. File 1 - infected; File 2 - text to delete; Final file = File 1 - File 2. Simple in theory, will be hard to produce.

Step 3: Replace all files by overwriting using the FTP client.

[attachment deleted by admin]
darkfreaks Posted March 17, 2010

Why not just remove the nasty JavaScript code at the bottom of each PHP file?
nafetski Posted March 17, 2010

Alright, yeah - looking at that, it definitely looks like the JavaScript at the bottom.

What we want to find out is how that JavaScript is being appended at the bottom of every file. There are SOOO many ways this could be happening. My first guess is that someone got credentials into your web server, and has a process running that keeps appending the malicious code to all your JS.

Where are you hosting this?
darkfreaks Posted March 18, 2010

1.) Remove the JavaScript code
2.) Change your FTP login information

Should solve your problem, more than likely.
LeadingWebDev Posted March 18, 2010

Be careful. It's probably an <IFRAME> of 1x1 pixel. Location: between <body> and </body>, mostly at the bottom.

I will say it's not just a matter of changing FTP login info; the server may have been hacked from even another site hosted on the same server, and then with a shell they just uploaded a PHP script that loops through all server files and inserts an IFRAME in every page.

If you get the same infection again, you will probably need to contact server administration ASAP.
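An added example, not written by any poster in this thread: a Python sketch of the "Final file = File 1 - File 2" cleanup asked for above, which also flags pages that still contain a tiny iframe of the kind just described. The names `clean_tree` and `TINY_IFRAME`, the `.infected` backup suffix and the sample files are assumptions made for illustration; the payload is a constructed stand-in, not the code from the deleted attachment.

```python
import re
import shutil
import tempfile
from pathlib import Path

EXTENSIONS = {".php", ".html", ".htm"}
# Heuristic (an assumption, not a signature from the thread): an <iframe>
# whose width or height is 0 or 1, i.e. the "1x1 pixel" frame.
TINY_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?[01](?:px)?[\"'\s>]", re.I)


def clean_tree(root, payload, backup_suffix=".infected"):
    """Strip exact copies of `payload` (bytes) from web files under `root`.

    Returns (cleaned, suspicious): files rewritten, and files that still
    hold a tiny iframe afterwards and need a manual look.
    """
    if not payload.strip():
        raise ValueError("refusing to run with an empty payload")
    cleaned, suspicious = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()  # bytes, so no encoding is guessed
        if payload in data:
            shutil.copy2(path, str(path) + backup_suffix)  # keep the original
            data = data.replace(payload, b"")
            path.write_bytes(data)
            cleaned.append(rel)
        if TINY_IFRAME.search(data.decode("latin-1")):
            suspicious.append(rel)
    return cleaned, suspicious


def demo():
    """Run against a constructed three-file site in a temp directory."""
    payload = b"<script>/* constructed stand-in for the injected code */</script>"
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.php").write_bytes(b"<?php echo 'hi'; ?>\n</html>" + payload)
        (site / "about.html").write_bytes(
            b'<body><iframe src="x" width="1" height="1"></iframe></body>')
        (site / "logo.jpg").write_bytes(payload)  # not a web page: skipped
        result = clean_tree(site, payload)
        index_after = (site / "index.php").read_bytes()
        backup_ok = (site / "index.php.infected").read_bytes().endswith(payload)
    return result, index_after, backup_ok
```

Run it on the downloaded copy of the site, with the payload read as bytes from a file holding the exact injected text, and leave the `.infected` backups out of the upload.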
darkfreaks Posted March 18, 2010

The whole application may need to be recoded and redone with security upgrades to prevent such attacks from happening again. Make sure certain file types are disallowed in the future, and certain code like JavaScript/PHP/C++/C/VB.

It looks like it was a JavaScript-based attack that fucked up most of the HTML and embedded itself within the PHP files inside of HTML.

Also, changing login information helps, but I would check with your host to make sure they haven't had anyone hack into their servers lately and it was an isolated attack on your site.
buzdugan Posted March 18, 2010

It's hosted by unitehosting.com.