JavaScript Injection Virus Removal How To

This is part II of how to combat the pesky JS injections that are appearing on websites all over the Internet like mushrooms after rain.

I am pretty confident that the JS injections initially get into your site through an FTP connection from a trojan-infected PC. The trojan sends your server login details to the hackers, who use them to access the server later, even after you have removed the injection. The files will keep reappearing until you do something about it.

To get rid of them once and for all, first remove the virus from your PC (AVG currently gives the best results).

Then proceed to change your FTP password.

Next, remove the malicious JS code, either manually, by restoring a backup, or by using the code remover script.

You may also consider changing your FTP server (mine was pure-ftpd and I changed it to proftpd), since I am not sure whether a security problem in the FTP server or the stolen password let the hackers back in.

Finding and banning hacker IPs

To go a step further, we want to ban access from all the IPs the hackers were using to upload files to your server.

Here is an example of using the following commands to find FTP upload activity (confirmed to work with pure-ftpd):

cat /var/log/messages | grep your_ftp_username | grep -v your_ipaddresses | grep uploaded

This will list connections to your site that uploaded files. Do you see any unknown IPs there? Those are the hackers'.

Let's extract them into a ban_list file:

cat /var/log/messages | grep your_ftp_username | grep -v your_ipaddresses | grep uploaded | awk '{print $6}' | cut -d "@" -f2 | cut -d ")" -f1 | sort -u >>ban_list

Assuming you are using apf, you can now edit /etc/apf/deny_hosts.rules and add all these IPs. Be careful not to enter your own IP, or you will lock yourself out of your site.
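The pipeline above, reworked as a small POSIX shell script (an added example, not the post's own code). It assumes the pure-ftpd syslog layout the post's awk and cut fields rely on, runs on constructed log lines, and adds two checks the one-liner lacks: your own addresses are matched exactly rather than as a substring, and only dotted-quad values reach the deny list.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumes the pure-ftpd syslog
# layout the post's awk/cut fields rely on: field 6 is "(user@ip)" and an
# upload line contains " uploaded ".

# Constructed sample lines in that layout (not a real log). 203.0.113.10
# stands in for the administrator's own address.
SAMPLE_LOG='Apr  6 11:58:37 web pure-ftpd: (siteuser@203.0.113.10) [NOTICE] /home/siteuser//htdocs/index.php uploaded  (4312 bytes, 21.4KB/sec)
Apr  6 11:58:40 web pure-ftpd: (siteuser@198.51.100.7) [NOTICE] /home/siteuser//htdocs/about.js uploaded  (912 bytes, 9.1KB/sec)
Apr  6 11:58:44 web pure-ftpd: (siteuser@198.51.100.7) [INFO] /home/siteuser//htdocs/about.js downloaded  (912 bytes, 9.1KB/sec)
Apr  6 11:59:13 web pure-ftpd: (otheruser@192.0.2.55) [NOTICE] /home/otheruser//htdocs/x.php uploaded  (100 bytes, 1.0KB/sec)
Apr  6 11:59:18 web pure-ftpd: (siteuser@192.0.2.55) [NOTICE] /home/siteuser//htdocs/anchor.js uploaded  (777 bytes, 7.7KB/sec)
Apr  6 11:59:23 web pure-ftpd: (siteuser@198.51.100.7) [NOTICE] /home/siteuser//htdocs/charmap.js uploaded  (700 bytes, 7.0KB/sec)'

# uploader_ips USER "OWN_IP ..." : read the log on stdin and print, once
# each, the addresses that uploaded files as USER, minus the own addresses.
uploader_ips() {
    user="$1"; own="$2"
    grep "($user@" | grep ' uploaded ' | awk '{print $6}' \
        | cut -d '@' -f2 | cut -d ')' -f1 | sort -u \
        | while IFS= read -r ip; do
            keep=1
            # Exact match, unlike "grep -v", which drops any line that merely
            # contains the text of your address (10.0.0.1 also hides 10.0.0.10).
            for mine in $own; do
                if [ "$ip" = "$mine" ]; then keep=0; fi
            done
            # Only a plain dotted quad may reach a firewall rule.
            case "$ip" in *[!0-9.]*|"") keep=0 ;; esac
            if [ "$keep" -eq 1 ]; then echo "$ip"; fi
        done
}

# ban_rules USER "OWN_IP ..." : the same list as lines ready to append to
# /etc/apf/deny_hosts.rules (one address per line, '#' starts a comment).
ban_rules() {
    echo "# FTP uploads as $1 from unknown addresses (see /var/log/messages)"
    uploader_ips "$1" "$2"
}

# Example run on the constructed log; review the output before appending it.
printf '%s\n' "$SAMPLE_LOG" | ban_rules siteuser "203.0.113.10"
```

On a real server, replace the constructed log with `cat /var/log/messages |` in front of `ban_rules`, and pass every address you connect from in the second argument.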

This effectively shut down the injections on my server, but I am keeping an eye on what happens next.


Posted in: WordPress

6 Comments

  1. Oct 6th, 2011 2:45 PM

    Hello, I am having the same problem with my page. Can someone help me get this script? Already have a lot of people complaining that they can enter the site and I'm losing customers ... what can I do?

    The page of script is:
    http://cursoyes.com.br/2010/unidades.asp?estado=RJ&unidade=107

  2. Mar 14th, 2011 7:22 PM

    scan ALL directories for /_notes/ which contain xml files

  3. Sep 15th, 2010 6:07 AM

    Thanks, that is a very useful removal guide. I have been working with online security for a long time now, and still don't understand how some people can surf the web, download stuff and not even get anti-virus protection. Removing a virus once it's IN your system is a real pain...

  4. Apr 17th, 2010 4:11 PM

    Hi Vladimir,

    When I click the code remover script link
    http://possible.in/products-security-updates.php,

    I'm getting a Threat Blocked message from AVG.

    2 days ago my blog was hacked and it started redirecting to some other sites.
    But I had the updated wp version.
    After googling, the only solution I was able to find was to re-install wp.
    I have downloaded and replaced wp.

    But i lost 4images, forums, another wp blog installed inside the root of wp blog with buddypress :(

  5. Apr 16th, 2010 11:32 AM

    Hi there, I got the same virus, but not on a wordpress blog, but on a regular website. I would like to use the command to check for ip-addresses and after that block them, but don't know how to run the command on my website. Could you give me some tips? thx!

  6. Apr 9th, 2010 12:12 AM

    I confirm your assumptions Vladimir. Here is part of my FTP log from yesterday:
    Tue Apr 06 11:58:37 2010 1 62.93.166.242 24738 /editor_template.js b _ i r mag ftp 1 * c
    Tue Apr 06 11:58:40 2010 0 69.41.173.111 2054 /about.js b _ o r mag ftp 1 * c
    Tue Apr 06 11:59:13 2010 0 88.208.244.116 3891 /about.js b _ i r mag ftp 1 * c
    Tue Apr 06 11:59:18 2010 0 65.82.182.195 1029 /anchor.js b _ o r mag ftp 1 * c
    Tue Apr 06 11:59:23 2010 0 74.3.223.163 2997 /anchor.js b _ i r mag ftp 1 * c
    Tue Apr 06 11:59:30 2010 0 217.13.215.186 14515 /charmap.js b _ o r mag ftp 1 * c
    Tue Apr 06 11:59:35 2010 1 62.75.218.192 16483 /charmap.js b _ i r mag ftp 1 * c
    Tue Apr 06 11:59:39 2010 0 75.127.102.249 11017 /color_picker.js b _ o r mag ftp 1 * c
    Tue Apr 06 11:59:44 2010 0 78.129.157.110 12985 /color_picker.js b _ i r mag ftp 1 * c
    Tue Apr 06 11:59:47 2010 0 216.245.221.82 6254 /image.js b _ o r mag ftp 1 * c