Scan & remove malicious code from webpages

For a webmaster or admin, the most painful task is cleaning malicious code out of webpages. It takes a lot of time and demands your full concentration. There are commands that can get rid of it, but they are too long and complex to remember. And what happens if you face a new kind of malicious injection and have no idea which command to use against it?
Suppose you have identified the malicious code, which is 'eval(base64_decode', and you know the command for removing it. You SSH in to your server and run the command:
find -regex ".*php" -exec sed -i 's|<?php /\*\*/ eval(base64_decode(.*;?>||g' {} \;
And voilà! It is done.
Now, some days later, another attack! This time you have no idea what to do. Of course you can remove the code manually,
but we are not going to talk about that here.
php /*versio:2.05*/if (!defined('determinator')){$Q00=0;$Q00=pack('H*','62615636f6465');eval($QQQ00('JELidRJy…………wPJ9IH0='));}?><?php
Then again another new piece of malicious code, and then another... it goes on.
What are you going to do now?
I've just figured out the best possible way to remove any kind of malicious code from webpages. We will remove it locally, using Linux (Debian- or RPM-based). First we need to download all the pages from the hosting account; we can do this with FileZilla.
Anyway, download the iscanner tool.
Untar it:
tar -zxvf iscanner.tar.gz
Now copy all the files from iscanner-0.7 to /usr/local/sbin on your filesystem.
After that, install Ruby on your system:
sudo apt-get install ruby
Now we are ready to use iscanner. Typing iscanner in a terminal shows its usage options. Below I'm listing some of them with the specific commands.
If we want to scan a directory:
iscanner -f /home/user
If we want to scan a single file:
iscanner -F /home/user/file.php
Now you could say: what difference does it make? It can't detect the malicious code I'm looking for.
Here is the interesting part. You can scan for the malicious code you specify. To do this, open your .php file (or whichever file contains the malicious code), copy only the malicious code and paste it into a newly created .txt file.
Now run the command:
iscanner -M /home/user/malware_code.txt -f /home/user
Here malware_code.txt contains the specific malicious code, and iscanner will detect every occurrence of it in your webpages using this .txt file.
Now the question arises: how do we clean it? Well, it's simple. While the last command was running, a log file was created. Its name looks something like "infected-10:52:24-11.Jul.log"; don't be confused by the time and date in it.
So now, for the cleanup task, we apply the last command:
iscanner -c infected.log
The generated log file must be renamed to infected.log if you want to run it with this exact command. Now open some of the files in a text editor and check whether they still contain malicious scripts.
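The workflow above (a signature file of injected code, a scan that writes an "infected" log, then a cleanup pass driven by that log, the same idea as the sed one-liner earlier) can be reproduced in a few lines of Python, which is handy when iscanner is not available or you want to see exactly what gets removed. This is an added example written for this page; it is not iscanner's code, and the directory layout, signature file name and the placeholder PHP one-liner it scans for are all constructed for the demonstration. Matching is literal, so characters like ( and * in the signature are not treated as regex, and every cleaned file gets a .bak copy first so a mistaken signature can be rolled back.

```python
"""Scan a directory tree for injected code listed in a signature file,
write an "infected" log, and strip the exact matched string from each file.

Added example; this is not iscanner's code. Paths and the PHP sample below
are constructed for the demonstration.
"""
import os
import re
import shutil
import tempfile

# Constructed sample of the kind of injected one-liner discussed above;
# the base64 payload is a placeholder string, not real malware.
INJECTED = "<?php /**/ eval(base64_decode('PLACEHOLDER_PAYLOAD'));?>"
CLEAN_PHP = "<?php\necho 'hello';\n"


def load_signatures(sig_path):
    """Read one literal signature per line (like malware_code.txt); blank lines are ignored."""
    with open(sig_path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]


def scan_dir(root, signatures, exts=(".php", ".html", ".js")):
    """Return a list of (path, line_no, signature) for every literal hit.

    re.escape() makes the match literal, so '(' or '*' in a signature
    are matched as-is rather than interpreted as regex metacharacters.
    """
    patterns = [(sig, re.compile(re.escape(sig))) for sig in signatures]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, start=1):
                    for sig, pat in patterns:
                        if pat.search(line):
                            hits.append((path, line_no, sig))
    return hits


def write_infected_log(hits, log_path):
    """Write one 'path:line:signature' record per hit; return the number of hits."""
    with open(log_path, "w", encoding="utf-8") as fh:
        for path, line_no, sig in hits:
            fh.write(f"{path}:{line_no}:{sig}\n")
    return len(hits)


def clean_file(path, signatures, backup=True):
    """Remove every literal occurrence of each signature from one file.

    A .bak copy is kept by default so a bad signature can be rolled back.
    Returns the number of occurrences removed.
    """
    with open(path, encoding="utf-8", errors="replace") as fh:
        original = fh.read()
    cleaned = original
    removed = 0
    for sig in signatures:
        removed += cleaned.count(sig)
        cleaned = cleaned.replace(sig, "")
    if removed and backup:
        shutil.copy2(path, path + ".bak")
    if removed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    return removed


def demo():
    """Build a constructed site tree, scan it, log the hits, clean, and rescan."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "wp-content"))
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(INJECTED + CLEAN_PHP)  # injection prepended to a real file
    with open(os.path.join(root, "wp-content", "ok.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_PHP)  # untouched file, must produce no hit
    sig_path = os.path.join(root, "malware_code.txt")
    with open(sig_path, "w", encoding="utf-8") as fh:
        fh.write(INJECTED + "\n")

    sigs = load_signatures(sig_path)
    hits = scan_dir(root, sigs)
    logged = write_infected_log(hits, os.path.join(root, "infected.log"))
    removed = sum(clean_file(p, sigs) for p, _, _ in hits)
    remaining = len(scan_dir(root, sigs))  # .bak copies are skipped by extension
    shutil.rmtree(root)
    return logged, removed, remaining


if __name__ == "__main__":
    print(demo())  # expected (1, 1, 0): one hit logged, one removed, none left
```

The rescan at the end is the check the text recommends doing by hand in a text editor: after cleaning, the same signature file should produce zero hits. Keep the .bak copies until you have confirmed the site still works, since a signature that is too short (for example just "eval(") would also strip legitimate code.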
It is done. Upload the files back to your hosting.
If you find this thing useful feel free to share and comment.