Dealing with compromised web sites

Nowadays It’s easy to find compromised web sites using Google safe browsing. It will display if specified web site have been infected with some threads (trojans, spyware or adware). There are few backdoors for windows they are doing simple jobs, collecting your FTP password data from various programs including: PHPDesigner, NotePad++, Total Commander, etc.. And using them to login to remote machine and place in there some malicious code by editing php, htm(l), js or php files. It will place malicious auto downloader codes or redirects to web scripts or other hypertext files. These files in server side become threads too, they will distribute malicious stuff like redirects, or auto downloads malicious data to client machines. Of course if Google bot detects such malware it will block access to specified web site. This will not going to end in green color, your web site will become untrusted and you can loose a lot of users from that side.

As I’m working on server side, I will not going to talk how to remove such threads from clients side. I’m going to talk how to remove them from the server side. As a SysAdmin I have wrote some tools to deal with it, one of them called REMalware I published to the public. It will search specified directories and will try to find such threads if it finds it will successfully remove them. You can download it from here. The tool is written in perl script language and is very extensible. On the file “signatures” I wrote virus signatures with file extension, header, and description. After downloading this tool you can run:

# ./remalware –scan /path/to/directory

It will show if any threads detected. If it finds one or more threads you can clean them automatically by launching this app with parameters:

# ./remalware –scan /path/to/directory –clean

This early version of this application, in the future I will write much more features and update signature file with the latest threads.

Download

Happy browsing.