Public Pastes
Guest

.RU JS Infection Removal

By: a guest on Aug 24th, 2010  |  syntax: PHP  |  size: 4.95 KB  |  hits: 183  |  expires: Never
download  |  raw  |  embed  |  report abuse
This paste has a previous version, view the difference. Copied
  1. <?php
  2. // .RU JS infection search script
  3. // Written by Nate Stiller - 8/24/2010
  4. // http://natestiller.com
  5. ini_set('max_execution_time',500);
  6. ob_implicit_flush (true);
  7. ob_end_flush();
  8. $mtime = microtime();
  9. $mtime = explode(" ",$mtime);
  10. $mtime = $mtime[1] + $mtime[0];
  11. $starttime = $mtime;
  12.  
  13. echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  14. <html xmlns="http://www.w3.org/1999/xhtml">
  15. <head>
  16. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  17. <title>Russian Hack Cleaner</title>
  18. <style type="text/css">
  19. <!--
  20. body,td,th {
  21.         font-family: Verdana, Geneva, sans-serif;
  22.         font-size: 12px;
  23. }
  24. -->
  25. </style></head>
  26.  
  27. <body><h1>.RU Script Remover</h1>
  28. <br>';
  29.  
  30. $action=$_GET['action'];
  31.  
  32. if($action){
  33.         $extentions=explode(",",trim($_GET['ext']));
  34.         if($_GET['recurse']=='yes'){ $recurse=true; } else { $recurse=false; }
  35.         $files = directoryToArray("./", $recurse);
  36.         if($action=='fix'){ echo '<h1>Fixing Files:</h1>'; } else { echo '<h1>Searching Files:</h1>'; }
  37.         echo '<table width="100%" border="0"><tr><td><strong>Filename</strong></td><td><strong>Infected Code</strong></td></tr>';
  38.         foreach($files as $filename){
  39.                 $ext = substr($filename, strrpos($filename, '.') + 1);
  40.                 if(in_array($ext,$extentions)){
  41.                         $matches=searchFile($filename);
  42.                         if($matches){
  43.                                 $infectedcode=htmlentities($matches[0][0].$matches[1][0].$matches[2][0]);
  44.                                 echo "<tr><td>$filename</td><td>$infectedcode</td></tr>";
  45.                                 if($action=='fix'){ cleanFile($filename); }
  46.                         } else {
  47.                                 $cleanlog.="<tr><td>$filename</td></tr>";
  48.                         }                              
  49.                 }
  50.         }
  51.        
  52.         $mtime = microtime();
  53.         $mtime = explode(" ",$mtime);
  54.         $mtime = $mtime[1] + $mtime[0];
  55.         $endtime = $mtime;
  56.         $totaltime = ($endtime - $starttime);
  57.         echo "Done searching ".count($files)." files in ".round($totaltime, 2)." seconds.<br><br>";
  58.         echo '</table><br><hr width="85%"><h2>Clean Files:</h2><table width="100%" border="0">'.$cleanlog.'</table>';  
  59.  
  60. } else {
  61.        
  62.         echo '- Make sure you backup your website before you run this script<br>
  63. - When selection "Search AND Fix", it will create a backup of any file it changes named "filename.ext.old"<br>
  64. - If you want to search more than just the default files you can add the extentions you want. Seperate the list with commas and no
  65.  
  66. spaces<br>
  67. - With recurse folders checked, the script will search through all files and folders. Unchecked will only search files inside the
  68.  
  69. current folder<br>
  70. <br>
  71. <form action="'.$SCRIPT_NAME.'" method="get">
  72. <table>
  73. <tr>
  74. <td>Action:</td>
  75. <td><select name="action"><option value="search" selected="selected">Search Only</option>
  76. <option value="fix">Search AND Fix</option></select></td>
  77. </tr>
  78. <tr>
  79. <td>File Extentions:</td>
  80. <td><input type="text" name="ext" value="php,js,html,htm" /></td>
  81. </tr>
  82. <tr>
  83.  <td>Recurse Folders:</td>
  84.  <td><input name="recurse" type="checkbox" value="yes" checked /></td>
  85. </tr>
  86. <tr>
  87. <td><input type="submit" value="Go!" /></td>
  88. <td>Press GO only once and be patient! Depending on the number of files, the script may take a couple minutes.</td>
  89. </tr>
  90. </table></form>';
  91. }
  92.  
  93. function cleanFile($filename){
  94.         $count1=0;$count2=0;$count3=0;
  95.         $filecontents=file_get_contents($filename);
  96.         $cleaned=
  97.         preg_replace('/<script.+?http:\/\/.+?\.ru\/.+?script>/i','',
  98.         preg_replace('/document\.write\(\'<sc.+?http:\/\/.+?\.ru\/.+?pt>\'\);/i','',
  99.         preg_replace('/<!--[a-zA-Z0-9]{32}-->/i','',
  100.         $filecontents,-1,$count1),-1,$count2),-1,$count3);
  101.         file_put_contents($filename.".old",$filecontents);
  102.         $fp=@fopen($filename,'w');
  103.         if($fp){
  104.                 fwrite($fp,$cleaned);
  105.                 fclose($fp);
  106.         }
  107.         $count=$count1+$count2+$count3;
  108.         if($count > 0){return true;} else {return false;}      
  109. }
  110.  
  111. function searchFile($filename){
  112.         $count1=0;$count2=0;$count3=0;
  113.         $filecontents=file_get_contents($filename);
  114.         $count1=preg_match_all('/<script.+?http:\/\/.+?\.ru\/.+?script>/i',$filecontents,$matches1);
  115.         $count2=preg_match_all('/document\.write\(\'<sc.+?http:\/\/.+?\.ru\/.+?pt>\'\);/i',$filecontents,$matches2);
  116.         $count3=preg_match_all('/<!--[a-zA-Z0-9]{32}-->/i',$filecontents,$matches3);
  117.         $allmatches=array_merge_recursive($matches1,$matches2,$matches3);
  118.         $count=$count1+$count2+$count3;
  119.         if($count > 0){return $allmatches;} else {return false;}       
  120. }
  121.  
  122. function directoryToArray($directory, $recursive) {
  123.         $array_items = array();
  124.         if ($handle = opendir($directory)) {
  125.                 while (false !== ($file = readdir($handle))) {
  126.                         if ($file != "." && $file != "..") {
  127.                                 if (is_dir($directory. "/" . $file)) {
  128.                                         if($recursive) {
  129.                                                 $array_items = array_merge($array_items, directoryToArray($directory. "/" . $file,
  130.  
  131. $recursive));
  132.                                         }
  133.                                 } else {
  134.                                         $file = $directory . "/" . $file;
  135.                                         $array_items[] = trim(preg_replace("/\/\//si", "/", $file),'./');
  136.                                 }
  137.                         }
  138.                 }
  139.                 closedir($handle);
  140.         }
  141.         return $array_items;
  142. }
  143. echo '<br><font size="1"><a href="http://natestiller.com">Created by Nate Stiller |
  144.  
  145. nate@natestiller.com</a></font></body></html>';
  146. ?>
create a new version of this paste RAW Paste Data