This is Part II of the “You’ve been hacked” post I published last week. In this part, we focus on how to clean the airschk web bug injections out of your files.
If you are one of the many blog administrators who run WordPress or another PHP-based CMS, this may interest you. When was the last time you checked your server’s database, files or logs for suspicious behavior or malicious code injections? If you haven’t done so lately, do yourself a favor and check now!
I have received some very valuable comments on last week’s Part I post, mainly on other precautions that could be taken to protect yourself and your server(s) from similar attacks. One thing I may have missed in Part I is your desktop security. Attacks similar to airschk could be carried out through a hacker-installed keylogger or password-stealing spyware on your machine. Such spyware records your keystrokes and/or reads password files stored locally, including browser-saved passwords and saved form data. Your desktop security is therefore vital to your server security.
Another common source of clear-text passwords is email clients that log in to remote mail servers over plain POP3/SMTP; anyone who can see the traffic can read the credentials. Enable SSL/TLS for the POP3 and SMTP services running on your server, require it in the clients, and turn off any unused ports on your system.
Obviously, we could fill a hundred more pages with other security measures you can take to protect yourself, your information, your server and your business against such attacks, but I would rather focus on the issue at hand right now: cleaning up this specific web bug.
I put together a quick bash script for cleaning up web pages injected with airschk. The code may not be perfect, but it does the job. Please note that the script was written on GNU/Linux and relies on the GNU versions of the tools it calls, so it may need small tweaks on other Unix/Linux flavors you may be using for your site(s).
Cleaning up web pages injected with airschk
We ran and tested the code successfully on Hesham’s servers and were able to clean over 200 files in the system.
#!/bin/sh
##########################################################################
# clean_airschk
#
# Created By: Mohamed Osam, 2011-05-01, mohamedabou99@yahoo.com
#
# THE CODE IS PROVIDED HERE FOR ILLUSTRATION PURPOSES ONLY AND IS NOT
# AND SHALL NOT BY ANY MEANS BE USED IN PRODUCTION SYSTEMS WITHOUT
# THE PROPER AND NECESSARY MODIFICATIONS. USE ON YOUR OWN RISK!
#
# FamousBloggers.net, its partners and/or the author of this code shall not
# in any event be liable for any direct, indirect, punitive, special,
# incidental, or consequential damages, including, without limitation, lost
# revenues, or lost profits, arising out of or in any way connected with the
# use or misuse of the information or lack of information provided or with
# the delay or inability to use this source code, or from any information
# provided in cleaning up the web bug, or otherwise arising out of the
# use of this source code, whether based on contract, tort, strict
# liability or otherwise. The author shall not be liable for any loss or
# injury caused in whole, or in part, by the actions, omissions, or
# contingencies beyond the author's control, including in procuring,
# compiling, or delivering the information, or arising out of any errors,
# omissions, or inaccuracies in the information regardless of how caused,
# or arising out of any Internet user's decision, or action taken or not
# taken in reliance upon information furnished.
#
##########################################################################
# First, create a list of the infected files for future reference
if [ $# -ne 3 ] && [ $# -ne 4 ]; then
    echo; echo "Wrong use of $0"
    echo "Usage: $0 <search_dir> <file_pattern> <path_filter> [-b]"
    echo "  search_dir:   directory tree to scan, e.g. /htdocs"
    echo "  file_pattern: find -name pattern, quoted so the shell does not expand it, e.g. '*.php'"
    echo "  path_filter:  only matches whose path contains this string are cleaned"
    echo "  -b: Optional. Will create a backup file prior to the scan process modification"; echo
    exit 1
fi
SEARCH_DIR=$1
FILE_PATTERN=$2
PATH_FILTER=$3
BACKUP_FILES=$4
BACKUP_SWITCH="-b"
OLD_FILES_EXT=".old_airschk_pre_clean"
INFECTED_LIST="airschk_infected_list"
echo "Searching for airschk infected files..."
# The pattern must reach find unexpanded, so it is double-quoted here (single quotes
# would make find look for the literal name $2); -q keeps grep's matches off stdout
find "$SEARCH_DIR" -type f -name "$FILE_PATTERN" -exec grep -qs airschk {} \; -print \
    | grep "$PATH_FILTER" > "$INFECTED_LIST"
echo "airschk infected files list generated!"; echo; echo "Cleaning-up files..."; echo
file_count=0
while IFS= read -r file; do
    file_count=$((file_count + 1))
    if [ -r "$file" ] && [ -w "$file" ]; then
        # Remember owner, group and mode: the rewrite below creates a new file owned by
        # whoever runs the script, so these are put back afterwards (run as root or as
        # the files' owner for the chown to succeed)
        fowner=$(stat -c %U "$file")
        fgroup=$(stat -c %G "$file")
        fmode=$(stat -c %a "$file")
        # Cleaning rule (an assumption; the original command on this line was cut off):
        # drop every line that carries the airschk marker. Look at a few entries of
        # airschk_infected_list first: if the injection shares a line with your own
        # code, replace this with a sed expression that removes only the injected part.
        grep -v airschk "$file" > "$file.airschk_clean"
        if [ "$BACKUP_FILES" = "$BACKUP_SWITCH" ]; then
            mv "$file" "$file$OLD_FILES_EXT"
        fi
        mv -f "$file.airschk_clean" "$file"
        #### Add the "perl" statement line if you get the "^M" characters at the end of each line,
        #### as some unix implementations do that. This line will remove all \r characters from the final file.
        #### You could alternatively use "sed" with the same regexp, but again that would depend on the
        #### linux flavor you are running.
        ## perl -i -pe 's/\r//g' "$file"
        # Now set all file attribute and ownership information back to the way it was
        chown "$fowner:$fgroup" "$file"
        chmod "$fmode" "$file"
        process_result="SUCCESS!"
    else
        process_result="*ERROR: Failed to read file!"
    fi
    echo "$file_count: Processing $file ...$process_result"
done < "$INFECTED_LIST"
echo; echo "**** Processing complete! Total of $file_count file(s) processed."; echo
Start by making a full backup of your web files and all other files you plan to scan. When your backup is done, create a text file in your preferred directory on your server; I named the script “clean_airschk”. Make sure you give execute permission to the user/group that will run the script, using the “chmod” command, and run it as root (or as the owner of the web files), because the script resets each cleaned file’s ownership with chown when it is done,
chmod +x clean_airschk
The script creates a file called “airschk_infected_list” in the directory it is executed from, holding the paths of all infected files found on your system; keep this list for future reference. Run the script from a directory outside the web root, so that the list itself is not reachable over HTTP. The script then cleans each infected file and, if the “-b” option is used, keeps a backup copy of each one: the backup has the original filename with “.old_airschk_pre_clean” appended and sits next to the original. It is highly recommended that you use the “-b” option, so that you can later decide whether to revert the operation, move all backup files into one location, or delete them. Do not leave the backups under the web root longer than you need to: they are reachable over HTTP, and depending on your web server’s handler configuration they may be served as plain text (exposing your source) or, if the server matches “.php” anywhere in a filename, even executed with the injection still in place.
To run the script from the directory it was created in, use the following command-line format (quote the file pattern so the shell does not expand it before the script sees it),
./clean_airschk <search_dir> <file_pattern> <path_filter> [-b]
So, for example, to scan all PHP files under your web home directory (htdocs, for example) and back up every file found infected, the command and its output are as follows,
$ ./clean_airschk /htdocs '*.php' /htdocs -b
Searching for airschk infected files...
airschk infected files list generated!
Cleaning-up files...
1: Processing /home/famous/htdocs/demos/kendo/kendo-main/uploads.php ...SUCCESS!
2: Processing /home/famous/htdocs/demos/kendo/kendo-main/kendo-main.php ...SUCCESS!
3: Processing /home/famous/htdocs/demos/kendo/kendo-main/install/index.php ...SUCCESS!
4: Processing /home/famous/htdocs/demos/kendo/kendo-main/index.php ...SUCCESS!
5: Processing /home/famous/htdocs/demos/kendo/kendo-main/admin/login.php ...SUCCESS!
6: Processing /home/famous/htdocs/demos/kendo/kendo-main/admin/index.php ...SUCCESS!
7: Processing /home/famous/htdocs/demos/kendo/kendo-main/admin/settings.php ...SUCCESS!
8: Processing /home/famous/htdocs/astro/index.php ...SUCCESS!
9: Processing /home/famous/htdocs/astro/sites/default/default.settings.php ...SUCCESS!
10: Processing /home/famous/htdocs/astro/modules/bob/bob-profile-item.tpl.php ...SUCCESS!
11: Processing /home/famous/htdocs/astro/modules/bob/bob-picture.tpl.php ...SUCCESS!
12: Processing /home/famous/htdocs/astro/modules/bob/bob-profile.tpl.php ...SUCCESS!
13: Processing /home/famous/htdocs/astro/modules/bob/bob-profile-category.tpl.php ...SUCCESS!
:
:
:
167: Processing /home/famous/htdocs/kendonation/kendo-main/admin/index.php ...SUCCESS!
168: Processing /home/famous/htdocs/kendonation/kendo-main/admin/settings.php ...SUCCESS!
**** Processing complete! Total of 168 file(s) processed.
$
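The run above reports SUCCESS for each file but does not show what was removed or whether any marker survived, and the “-b” backups leave you with three choices (revert, move into one place, delete). The helper below is an added example written for this post, not the author’s script and not part of the original page. It assumes only the cleaner’s own conventions (the airschk_infected_list file and the .old_airschk_pre_clean suffix); the fixture that make_fixture builds, its paths and its marker lines, is constructed sample data.

```shell
#!/bin/sh
# airschk_postclean (added example, not part of the original post or script).
# Works from the airschk_infected_list that clean_airschk writes and the
# .old_airschk_pre_clean backups it leaves next to each cleaned file.
OLD_FILES_EXT=".old_airschk_pre_clean"

# Echo how many listed files still contain the marker (0 means the clean held).
# Files the cleaner missed or could not write are named on stderr.
count_still_infected() {
    local list=$1 f bad=0
    while IFS= read -r f; do
        if grep -qs airschk "$f"; then
            echo "STILL INFECTED: $f" >&2
            bad=$((bad + 1))
        fi
    done < "$list"
    echo "$bad"
}

# Echo the lines the clean removed from one file: present in its backup,
# absent from the cleaned copy. Fails if there is no backup to compare with.
removed_lines() {
    local f=$1
    [ -f "$f$OLD_FILES_EXT" ] || return 1
    # "<" lines in diff output come from the first operand, the pre-clean backup
    diff "$f$OLD_FILES_EXT" "$f" | sed -n 's/^< //p'
}

# manage_backups <revert|collect|purge> <list> [collect_dir]
#   revert  - put every backup back over its cleaned file
#   collect - move the backups under collect_dir, keeping their full original
#             path below it (so /htdocs/a.php lands in collect_dir/htdocs/a.php)
#   purge   - delete the backups
manage_backups() {
    local action=$1 list=$2 dest=$3 f bak
    while IFS= read -r f; do
        bak="$f$OLD_FILES_EXT"
        [ -f "$bak" ] || continue
        case $action in
            revert)  mv -f "$bak" "$f" ;;
            collect) mkdir -p "$dest/$(dirname "$f")" && mv -f "$bak" "$dest/$f" ;;
            purge)   rm -f "$bak" ;;
            *)       echo "unknown action: $action" >&2; return 1 ;;
        esac
    done < "$list"
}

# Constructed fixture for trying the helpers offline: one file that was cleaned
# (with its backup), one the cleaner missed, and the list the cleaner would have
# written. Echoes the path of that list. All contents are invented sample data.
make_fixture() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/htdocs"
    printf '<?php\necho "hello";\n' > "$d/htdocs/index.php"
    printf '<?php\n<!-- injected airschk reference (constructed) -->\necho "hello";\n' \
        > "$d/htdocs/index.php$OLD_FILES_EXT"
    printf '<?php\n// airschk marker the cleaner missed (constructed)\n' > "$d/htdocs/missed.php"
    printf '%s\n' "$d/htdocs/index.php" "$d/htdocs/missed.php" > "$d/airschk_infected_list"
    echo "$d/airschk_infected_list"
}

# Walk-through on the fixture: verify, show what was removed, then collect backups.
LIST=$(make_fixture)
echo "files still infected: $(count_still_infected "$LIST")"
echo "removed from index.php:"; removed_lines "$(dirname "$LIST")/htdocs/index.php"
manage_backups collect "$LIST" "$(dirname "$LIST")/backups"
```

Run count_still_infected right after the cleaner: anything it names is either a file the cleaner could not write or an injection that did not match the marker pattern and needs a look by hand. Keep the collect directory outside the web root, for the same reason the backups should not stay next to the originals.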
As always, your suggestions and comments are welcome.