<?php
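// Remote host that serves the front end's stylesheet and images (plain HTTP).
$serverURL="http://crafts.hopmart.pl/files/illredirb";
$VERSION="0.97";
$DISCLAIMER=<<<DISCLAIMER
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
DISCLAIMER;
$INSTRUCTIONS=<<<INSTRUCTIONS
THIS SCRIPT WILL TRY TO REMOVE JS-ILLREDIR-B/C/D/E AND SIMILAR MALLICIOUS ENTRIES FROM ALL
.php4, .php5, .php, .htm, .html and .js FILES IN CURRENT ('.') DIRECTORY AND ALL OF
ITS SUBDIRECTORIES. THIS WILL MODIFY YOUR FILES AND MAY BE IRREVERSIBLE!
PLEASE BACKUP YOUR FILES BEFORE RUNNING THIS SCRIPT. YOU HAVE TO HAVE
MODIFY FILE PERMISSON LEVEL FOR THIS FIX TO BE SUCCESSFULL. THIS SOFTWARE
IS DISTRIBUTED UNDER GNU GPL LICENSE (http://www.gnu.org/licenses/gpl.html)
AND CAN BE MODIFIED TO SUIT YOUR NEEDS.<br/>
YOU ARE USING THIS SOFTWARE ON YOUR OWN RESPONSIBILITY!<br/><br/>
MORE INFORMATION IS AVALILABLE HERE: <a target="_new" href="http://www.zyenweb.com/2009/12/30/trojan-attack-jsillredir-b-trj/">ZyenWeb IllRedir-B</a>, <a target="_new" href="http://www.zyenweb.com/2010/01/19/trojan-alert-illredir-billredir-cillredir-d/">ZyenWeb IllRedir-C/D</a>, <a target="_new" href="http://forum.php.pl/JavaScriptHTMLZabezpieczenia_t136469.html">PHP.pl</a><br/><br/>
USAGE:<br/>
HTTP: CLICK 'Start' button.<br/>
COMMANDLINE: php remove-js-illredir-b.php --run
INSTRUCTIONS;
// A command-line run has no REMOTE_ADDR; anything else is treated as an HTTP request.
$isManual = !isset($_SERVER['REMOTE_ADDR']);
// isset() guards: $argv does not exist under a web server and $_GET['action'] is absent
// on the initial page load, so reading them unguarded raises notices.
$shouldRun = (isset($argv[1]) && $argv[1] === "--run")
    || (isset($_GET['action']) && $_GET['action'] === 'run');
// NOTE(review): the HTTP "?action=run" entry point performs no authentication, so any
// client that can reach this script's URL can start a file-modification pass over the
// directory tree. Restrict access to the script (or use it from the command line only)
// and remove it from the web root once the cleanup is done.
// Scan root, relative to the working directory.
$dir = ".";
if ($shouldRun) {
    if (version_compare(PHP_VERSION, '4.1', "lt")) {
        die("You need at least php version 4.1<br/>\n");
    }
    if ($isManual) {
        echo $DISCLAIMER;
    }
    echo "\nPHP version: ".PHP_VERSION."<br/>\n";
    echo "Starting ...<br/>\n";
    $cleaner = new JSIllRedirBCleaner();
    fixDir($cleaner, $dir);
    $cleaner->displayStats();
} else if ($isManual) {
    // CLI invocation without --run: print the disclaimer and usage, nothing is touched.
    echo $DISCLAIMER."\n\n";
    echo $INSTRUCTIONS;
}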
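/**
 * Recursively walks $dir and hands every regular file whose extension is one of
 * .htm/.html/.js/.php/.php4/.php5 (case-sensitive) to $cleaner->clean().
 * Symbolic links are skipped, because filetype() reports them as "link" rather
 * than "dir" or "file".
 *
 * @param object $cleaner JSIllRedirBCleaner; by reference to keep PHP 4 object semantics
 * @param string $dir     directory to walk, without trailing slash
 */
function fixDir(&$cleaner, $dir) {
    $targetExtensions = array(".htm", ".html", ".js", ".php", ".php4", ".php5");
    $dh = opendir($dir);
    if ($dh === false) {
        // Directory names are echoed into an HTML page by the HTTP front end; escape them.
        echo "Cannot open directory " . htmlspecialchars($dir, ENT_QUOTES) . "<br/>\n";
        return;
    }
    while (($entry = readdir($dh)) !== false) {
        if ($entry == "." || $entry == "..") {
            continue;
        }
        $path = $dir . "/" . $entry;
        $type = filetype($path);
        if ($type == 'dir') {
            fixDir($cleaner, $path);
        } else if ($type == 'file') {
            // strrchr() yields the last ".suffix" (or false when there is no dot).
            $ext = strrchr($entry, '.');
            if ($ext !== false && in_array($ext, $targetExtensions, true)) {
                $cleaner->clean($path);
                // Push progress to the browser/terminal as each file finishes.
                flush();
            }
        }
    }
    // Release the handle; each recursion level otherwise keeps one open until exit.
    closedir($dh);
}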
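/**
 * Detects and strips known IllRedir-B/C/D/E injection snippets from one file at a time.
 *
 * clean($file) reads the file, tests it against $detectPatterns, writes a
 * "<file>.vir.bak" copy, removes the injected code with the cleanup regexes in
 * cleanContents() and writes the result back. Counters are reported by
 * displayStats(). Messages are echoed as HTML fragments ("<br/>") because the same
 * output is streamed into the browser page by the HTTP front end.
 *
 * Note: the fifth detection pattern ("try{window.onload=function(){") has no
 * cleanup counterpart, so a file matching only that pattern is backed up and then
 * reported as "could not fix" rather than modified.
 *
 * Kept PHP 4 compatible on purpose (the script refuses to run below 4.1):
 * "var" properties, no type declarations, array() syntax.
 */
class JSIllRedirBCleaner {
    // Declared with "var" so the code stays PHP 4 compatible while avoiding
    // PHP 8.2's dynamic-property deprecation.
    var $file;           // path of the file currently being processed
    var $contents;       // its contents as read by read(), rewritten by cleanContents()
    var $count;          // 1 when cleanContents() changed the contents, otherwise 0
    var $numProcessed;   // number of files handed to clean()
    var $numFixed;       // number of files successfully rewritten by write()
    var $detectPatterns; // PCRE patterns that flag a file as infected

    /**
     * PHP 5+ constructor. PHP 8 no longer treats a method named after its class as a
     * constructor, so without this method detectPatterns would never be initialised.
     */
    function __construct() {
        $this->numProcessed = 0;
        $this->numFixed = 0;
        $this->count = 0;
        $this->file = null;
        $this->contents = null;
        $this->detectPatterns = array(
            '/\/\*((GNU |L)GPL|CODE1)\*\/ try\{( )?window\.onload = function\(\)\{/',
            '/\/\*Exception\*\/ document\.write\(\'\[removed]\'\);/',
            '/try\{window\.onload=function\(\)\{document\.write\(/',
            '/\/\*[ ]*\*\/[ ]*eval[ ]*\([ ]*base64_decode[ ]*\(/',
            '/try\{window\.onload=function\(\)\{/',
        );
    }

    /** PHP 4-style constructor; delegates so both runtimes initialise identically. */
    function JSIllRedirBCleaner() {
        $this->__construct();
    }

    /**
     * File name as it is echoed. Names come from the (possibly compromised) directory
     * tree and are inserted into the operator's browser page as HTML by the HTTP front
     * end, so they are escaped here.
     */
    function displayName() {
        $flags = ENT_QUOTES;
        // ENT_SUBSTITUTE (PHP 5.4+) keeps a name visible even if it is not valid UTF-8.
        if (defined('ENT_SUBSTITUTE')) {
            $flags |= ENT_SUBSTITUTE;
        }
        return htmlspecialchars($this->file, $flags);
    }

    /**
     * Processes one file end to end. Nothing is written unless the file is non-empty,
     * matches a detection pattern and the .vir.bak backup succeeded.
     *
     * @param string $file path to the file
     */
    function clean($file) {
        $this->file = $file;
        $this->contents = null;
        $this->count = 0;
        $this->numProcessed++;
        if (!$this->read() || strlen($this->contents) == 0) {
            return;
        }
        if (!$this->detect()) {
            return;
        }
        if ($this->backup()) {
            $this->cleanContents();
            $this->write();
        }
    }

    /**
     * Writes the original contents to "<file>.vir.bak", overwriting any earlier backup.
     * Returns true only when the complete contents were written; a partial backup is
     * reported as a failure so the original is never modified without a full copy.
     */
    function backup() {
        $fd = fopen($this->file . ".vir.bak", "w");
        $ok = false;
        if ($fd !== false) {
            $written = fwrite($fd, $this->contents);
            fclose($fd);
            $ok = ($written !== false && $written === strlen($this->contents));
        }
        if (!$ok) {
            echo $this->displayName() . " cannot backup as .vir.bak - not fixing!<br/>\n";
        }
        return $ok;
    }

    /**
     * Loads the file into $contents. Returns false for an empty or unreadable file
     * (filesize() reports false or 0, fopen() or fread() fails).
     */
    function read() {
        $size = filesize($this->file);
        if ($size === false || $size <= 0) {
            return false;
        }
        $fd = fopen($this->file, "r");
        if ($fd === false) {
            return false;
        }
        $data = fread($fd, $size);
        fclose($fd);
        if ($data === false) {
            return false;
        }
        $this->contents = $data;
        return true;
    }

    /** True when any detection pattern matches $contents. */
    function detect() {
        foreach ($this->detectPatterns as $pattern) {
            if (preg_match($pattern, $this->contents)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Removes the injected code from $contents and sets $count to 1 if anything was
     * removed. For non-.js files pattern 1 is widened to also consume the surrounding
     * script element.
     */
    function cleanContents() {
        $pattern1 = '\/\*((GNU |L)GPL|CODE1)\*\/ try\{( )?window\.onload = function\(\)\{.*\.appendChild\(([a-zA-Z0-9_]+)\)\;.*catch\( *[a-z0-9A-Z_]+ *\) \{\}';
        $pattern2 = '\/\*Exception\*\/ document\.write\(\'\[removed]\'\);';
        $pattern3 = 'try\{[ ]*window\.onload[ ]*=[ ]*function[ ]*\([ ]*\)[ ]*\{[ ]*document\.write[ ]*\(.*document\.write[ ]*\(.*\)[ ]*\;[ ]*\}[ ]*\}[ ]*catch[ ]*\([a-zA-Z 0-9_]+\)[ ]*\{[ ]*\}';
        $pattern4 = '\/\*[ ]*\*\/[ ]*eval[ ]*\([ ]*base64_decode[ ]*\([\' ×a-zA-Z0-9=.]+\)[ ]*\)[ ]*\;';
        if (substr($this->file, -3) != ".js") {
            $pattern1 = "\[removed]$pattern1\<\/script\>";
        }
        $patterns = array($pattern1, $pattern2, $pattern3, $pattern4);
        foreach ($patterns as $idx => $pattern) {
            $patterns[$idx] = "/" . $pattern . "/";
        }
        $replaced = preg_replace($patterns, "", $this->contents);
        // preg_replace() returns null on a PCRE failure (e.g. the backtrack limit on a
        // large file). Treating null as "changed" would write an empty file back, so
        // leave the contents untouched and let write() report the file as not fixed.
        if ($replaced === null) {
            $this->count = 0;
            return;
        }
        $this->count = ($replaced !== $this->contents) ? 1 : 0;
        $this->contents = $replaced;
    }

    /**
     * Writes the cleaned $contents back when cleanContents() changed something.
     * The file is truncated on open, so a failed write leaves it incomplete; the
     * .vir.bak copy made by backup() is the recovery path in that case.
     */
    function write() {
        if ($this->count <= 0) {
            echo $this->displayName() . " could not fix !<br/>\n";
            return;
        }
        $fd = fopen($this->file, "w");
        if ($fd === false) {
            echo $this->displayName() . " cannot be modified !<br/>\n";
            return;
        }
        $written = fwrite($fd, $this->contents);
        fclose($fd);
        // Compare against the length rather than "!= 0": a file reduced to empty by
        // the cleanup is a successful zero-byte write, not a failure.
        if ($written !== false && $written === strlen($this->contents)) {
            echo $this->displayName() . " ... fixed!<br/>\n";
            $this->numFixed++;
        } else {
            echo $this->displayName() . " cannot write !<br/>\n";
        }
    }

    /** Prints the processed/fixed counters collected over the run. */
    function displayStats() {
        echo "<br/>\nFiles processed: " . $this->numProcessed . "<br/>\n";
        echo "Files fixed: " . $this->numFixed . "\n\n";
    }
}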
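/**
 * Makes a string safe to embed inside a single-quoted JavaScript string literal
 * that lives in an HTML script block: backslashes are doubled, line breaks
 * (LF, CR, CRLF) become spaces, single quotes are escaped and "</" is broken
 * up so the literal cannot terminate the script element early.
 *
 * @param string $str text to embed
 * @return string the escaped text (no surrounding quotes)
 */
function cleanupStringForJs($str) {
    // Backslashes go first so the escapes added by later replacements stay single.
    return str_replace(
        array("\\", "\r\n", "\r", "\n", "'", "</"),
        array("\\\\", " ", " ", " ", "\\'", "<\\/"),
        $str
    );
}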
// A command-line invocation or an HTTP "run" request has already produced its output
// above; only the interactive HTML front end below needs the tab contents.
if ($shouldRun || $isManual) {
    exit("");
}
// Static help text for the Instructions tab; interpolates nothing.
$INSTRUCTIONS_TAB =<<<INSTRUCTIONS_TAB
<div id="msg1"><b>IMPORTANT</b><br />
<ol>
<li>If your anti-virus software does not detect Trojan IllRedir-B/C/D/E use <a target="_new" href="http://www.avast.com">Avast</a> instead.</li>
<li>Scan your computer using <a target="_new" href="http://www.malwarebytes.org">MallwareBytes</a></li>
<li>Don't use Total Commander as an FTP client use Filezilla instead.</li>
<li>Remove all the passwords from your Total Commander installation.</li>
<li>Change all the passwords stored previously in Total Commander (change them on the server).</li>
<li>Use this tool on the server to fix all infected files.</li>
</ol>
<b>INSTALLATION AND USAGE</b><br/>
<ol>
<li>Place this script in the <b>root or public_html</b> web directory on the infected server.</li>
<li>This script will modify contents of all infected files, please backup all files before executing this script.</li>
<li>The script will backup every file before modification however subsequent script execution will override previously created backup.</li>
<li>For manual or crontab use run command: 'php remove-js-illredir-b.php --run' to execute.</li>
<li>If you don't have shell access or prefer <b>graphical interface</b> you have to access the script via HTTP.</li>
<li>After script page has loaded, read important disclaimer and click 'Start' button.</li>
<li>Script will navigate through all subdirectories and will try to fix all infected files.</li>
<li>User running the script (or HTTP server) have to have navigation/execution ('x') rights to all <b>subdirectories</b> for this script to work properly.</li>
<li>In case of invalid directory permissions 'lstat()' errors will show up.</li>
<li>Also, user running the script (or HTTP server) will have to have write ('w') permissions to all infected files, so they may be re-saved.</li>
<li>Script will notify you when it has no permissions to modify the file.</li>
<li>Some basic statistics are being collected and reported at the end of the script's execution.</li>
</ol>
</div>
INSTRUCTIONS_TAB;
// Start tab: interpolates $INSTRUCTIONS, $DISCLAIMER and $serverURL, all set earlier
// in the file. The Start image is a plain link to ?action=run.
$START_TAB = <<<START_TAB
<div id="msg1"><b>WHAT DOES THIS SCRIPT DO</b><br/>
$INSTRUCTIONS
</div>
<div id="msg2"><b>DISCLAIMER</b><br />
$DISCLAIMER
</div>
<div id="msg3">IF YOU AGREE WITH ABOVE PRESS START BUTTON</div>
<div id="start"><a href="?action=run"><img src="$serverURL/img/start.jpg"
alt="Start" title="Start" width="185" height="86" border="0"></a></div>
START_TAB;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html >
<head>
<title>IllRedir-B/C/D/E and similar removal tool - version <?=$VERSION?></title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
<link href="<?=$serverURL?>/style.css" rel="stylesheet" type="text/css"></link>
<!-- Review note: this stylesheet and the images in the body are fetched from the
     third-party $serverURL host over plain HTTP (set at the top of the file), so the
     tool page depends on that host being reachable and unmodified. -->
[removed][removed]
[removed]
// NOTE(review): the two lines above and the line closing this block read "[removed]"
// in this copy, presumably script tags stripped when the file was pasted. The $(),
// Element.* and Ajax.Request calls below look like the Prototype.js API, so the first
// of those lines is probably the library include.
// Number of response characters already appended to #scriptOutput by processResponse().
var charCount = 0;
// Shows the Start tab. The "[removed]" after $('content') is presumably a property
// assignment (innerHTML or similar) that was stripped along with the script tags.
function goToStart() {
$('content')[removed] = '<?=cleanupStringForJs($START_TAB)?>';
styleTabs();
Element.addClassName('tabStart', 'activ');
}
// Shows the Instructions tab; same structure as goToStart().
function goToInstructions() {
$('content')[removed] = '<?=cleanupStringForJs($INSTRUCTIONS_TAB)?>';
styleTabs();
Element.addClassName('tabInstructions', 'activ');
}
// Resets every tab to the inactive style; the caller then marks one tab active.
function styleTabs() {
Element.removeClassName('tabStart', 'activ');
Element.addClassName('tabStart', 'nactiv');
Element.removeClassName('tabInstructions', 'activ');
Element.addClassName('tabInstructions', 'nactiv');
Element.removeClassName('tabContact', 'activ');
Element.addClassName('tabContact', 'nactiv');
}
// Starts the cleanup with an Ajax GET carrying action=run, the same action the non-JS
// Start link uses; "rnd" is presumably a cache-buster. onInteractive appears to let
// processResponse() render output while the response is still streaming.
function runMe() {
$('content')[removed] = '<div id="scriptOutput">Running...</div>';
charCount = 0;
new Ajax.Request('',
{
parameters: { action: 'run', rnd: Math.random() },
onComplete: processResponse,
onInteractive: processResponse,
method: 'get'
});
}
// Appends whatever part of the response has not been shown yet (charCount remembers
// how far it got). The response is the script's own echo output and is inserted as
// HTML; it contains file names from the scanned tree, so those must be HTML-escaped
// on the server side. "current" is only read by the commented-out debug alert.
function processResponse(transport) {
var current = $('scriptOutput')[removed];
// alert('transport text: ' + transport.responseText.length + ' current: ' + current.length + ' count: '+charCount);
if (transport.responseText.length - charCount > 1) {
Element.insert($('scriptOutput'), { bottom: "<span>" + transport.responseText.substring(charCount) + "</span>"});
charCount=transport.responseText.length;
// alert('transport text: ' + transport.responseText.length + ' count: '+charCount);
}
}
[removed]
</head>
<body>
<div id="page">
<div id="mainpage">
<div id="heder">
<div id="linia">
<div id="logo"><a href="http://www.hopmart.pl"><img
src="<?=$serverURL?>/img/logo.jpg" alt="Hopmart store" title="Hopmart store" width="49"
height="45" border="0" /></a></div>
<h1>IllRedir-B/C/D/E and similar<br />
Removal Tool - version <?=$VERSION?></h1>
<div id="donate"><a
href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=10886359"><img
src="<?=$serverURL?>/img/donate.jpg" alt="Donate Us" title="Donate Us" width="183"
height="84" border="0"/></a></div>
<div id="nav">
<!-- The tab links below carry no click handler in this copy, and goToStart(),
     goToInstructions() and runMe() are not referenced anywhere else, so their onclick
     attributes were probably stripped together with the script tags. -->
<ul class="menu">
<li id="tabStart" class="activ"><a href="">Start</a></li>
<li id="tabInstructions" class="nactiv"><a href="">Instructions</a></li>
<li id="tabContact" class="nactiv"><a href="mailto:[email protected]">Contact</a></li>
</ul>
</div>
</div>
</div>
<!-- The Start tab is rendered server-side here, so its ?action=run link also works
     without JavaScript. -->
<div id="content">
<?=$START_TAB?>
</div>
<div id="footer">
<div id="copy">© 2010 <a href="http://crafts.hopmart.pl">HopmArt.pl</a><span style="margin-left: 540px;">Authors: Michał Jung and Marcin Jung<br/>Version: <?=$VERSION?></span></div>
</div>
</div>
</div>
</body>
</html>