iframe / gariben hack finders and removers. iframe / gariben is script-kiddie code, usually added via a cracked password or via hidden MySQL code injected through a vulnerable script. It usually redirects the web page to some other web page that downloads a virus.
1.
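# Scan the web content under one user's home and delete every line that
# contains the marker string of the injected code.  "abced" stands in for
# that marker; substitute the string actually seen in the infected pages.
# -type f keeps grep/sed off directories, -F matches the marker literally,
# and -i.bak leaves a copy of each modified file, because deleting a whole
# line also removes any legitimate code sharing that line (minified or
# single-line files).  Move the .bak copies out of the web root afterwards:
# left in place they are served as plain text.
find /home/username -type f \( -iname "*.php" -o -iname "*.html" -o -iname "*.htm" \) \
    -exec grep -lF "abced" {} \; -exec sed -i.bak '/abced/d' {} \;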
This one-liner searches for, and removes, every line containing the string commonly used in iframe attacks.
2.
This is a script that searches more thoroughly and finishes with a report. However, it does not work on all systems and has been known to consume all of the server's memory.
#!/usr/bin/perl
#This code is intended to be used to find injected iframes or javascript in users' home directories
#You will most certainly have to adjust the pattern matching based on the current "hot" injected code
#Free software licensed under the GPL.
#USE AT YOUR OWN RISK, THIS MODIFIES PAGE CONTENT!
use strict;
use warnings;
use File::Listing;
use File::Find;
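##### Search strings (injected code)
# NOTE(review): both patterns look truncated on this page (the surrounding
# "<...>" tags were most likely stripped when it was published).  As written,
# $iframeexp is a bare character class that matches any single letter of
# "IFRAME"/"iframe", so substituting it with $replace would strip those
# letters from every line of every scanned file.  Restore the full patterns
# from the injected code you are actually seeing before running this.
# Single quotes keep the backslashes for the regex engine instead of having
# the string parser consume them first.
my $jsinject  = '[\< \>=a-zA-z ]+function+[dc\(\)x ]+.+< \/script\>';
my $iframeexp = '[\IFRAMEiframe]';
##### What to replace the matched text with (empty string = delete it)
my $replace = '';
##### Log found files? (0 = No, 1 = Yes)
my $logfiles = 1;
##### Where to log?
# Kept outside any single user's home; check the file's permissions, since
# the log names every file that was modified.
my $logpath = '/home/injection.log';
##### Backup files just in case? (0 = No, 1 = Yes)
my $backup = 1;
################# Let's Go ####################
# Walk every user's home directory; &wanted is invoked once per entry.
find(\&wanted, '/home');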
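sub wanted {
    # Called by File::Find for every entry under the search root.  When one
    # of the configured patterns matches a line, the file is rewritten in
    # place, after a copy of the original has been written next to it.
    my $fullname = $File::Find::name;

    # File::Find also visits directories, symlinks and device nodes; only
    # regular files are scanned.  This also skips entries whose stat() fails
    # (dangling symlinks), which would otherwise warn on the size check.
    return unless -f $fullname;

    # Backups written by an earlier run would otherwise be scrubbed and
    # backed up again.
    return if $fullname =~ /\.bck\z/;

    # The original used `next` here, which cannot leave a subroutine and
    # breaks File::Find's own traversal loop.  `_` reuses the stat buffer
    # filled by -f above.
    return if (stat _)[7] >= 1_000_000;

    # Three-argument open with a lexical handle: file names under /home are
    # attacker-controlled, and two-argument open treats leading/trailing
    # "<", ">", "|" and whitespace in the name as part of the mode.
    open my $in, '<', $fullname or do {
        warn "cannot open $fullname: $!";
        return;
    };
    my @readin = <$in>;
    close $in;

    my @original = @readin;    # untouched copy, written out as the backup
    my $matched  = 0;

    # Compile the configured patterns once per file instead of once per line.
    my $js_re     = qr/$jsinject/;
    my $iframe_re = qr/$iframeexp/;

    for my $line (@readin) {    # aliases @readin, so the edits stick
        if ($line =~ $js_re) {
            print "Found Match in $fullname\n";
            $line =~ s/$js_re/$replace/g;
            $matched = 1;
            _log_hit("Javascript injection found in $fullname\n");
        }
        if ($line =~ $iframe_re) {
            print "Found Match in $fullname\n";
            $line =~ s/$iframe_re/$replace/g;
            $matched = 1;
            _log_hit("IFRAME found in $fullname\n");
        }
    }
    return unless $matched;

    if ($backup) {
        # NOTE(review): the copy sits beside the original, so under a web
        # root it is served as plain text (source disclosure) and still
        # carries the injected code; consider a backup location outside the
        # document root.
        my $backupfile = $fullname . ".bck";
        # Never overwrite the original unless the backup was written in full.
        _write_lines($backupfile, \@original) or return;
    }
    _write_lines($fullname, \@readin);
    return;
}

# Append one message to the log file, when logging is enabled in $logfiles.
sub _log_hit {
    my ($message) = @_;
    return unless $logfiles == 1;
    open my $log, '>>', $logpath or do {
        warn "cannot open $logpath: $!";
        return;
    };
    print {$log} $message;
    close $log or warn "cannot write $logpath: $!";
    return;
}

# Replace the content of $path with the lines in @$lines.
# Returns true on success; warns and returns false if open or close fails
# (buffered write errors only surface at close).
sub _write_lines {
    my ($path, $lines) = @_;
    open my $out, '>', $path or do {
        warn "cannot open $path: $!";
        return;
    };
    print {$out} @$lines;
    close $out or do {
        warn "cannot write $path: $!";
        return;
    };
    return 1;
}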
---
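my $fullname = $File::Find::name;
# Only web content is worth scanning; everything else is left alone.
return if ( $fullname !~ m{ \. ( php | htm | html ) \z }ixms );
# `next` cannot leave a subroutine; `return` is what File::Find expects.
# -f also skips directories and dangling symlinks and fills the stat
# buffer reused by `_` on the next line.
return unless -f $fullname;
return if (stat _)[7] >= 1_000_000;
# Three-argument open: names under /home are attacker-controlled, and the
# two-argument form lets "<", ">" or "|" in a name change the open mode.
open my $fh, '<', $fullname or warn "cannot open $fullname: $!";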

