One of my Joomla sites on shared GoDaddy hosting got re-infected this morning with this malware, which runs this script from every php file that it infects:
Interestingly, none of my other GoDaddy sites have got infected yet (and this blog is running an older version of WordPress), including one other Joomla site on the same server.
I modified my Gumblar removal script and added a regular expression to remove this malware. It can be downloaded here.
Unlike the script at Securi.net (at the time of writing), this script does not leave a blank line at the top of your files, thus, you won’t get any errors from your web applications - it leaves your files in exactly the same state as before the infection. It also saves your original infected file with a .bak extension, just in case you need to keep the originals for some reason. These can be deleted later, and will not affect your site.
Instructions for use
- Place the file scan_files.php at your web document root.
- Invoke it with no parameters to run it in report mode, where no modifications will be made. For the non-technical users, the address would be http://www.example.com/scan_files.php
- Use scan_files.php?v=1 to run it in verbose mode.
- Use scan_files.php?u=1 to run it in update mode, where the modifications will actually be made.
- Use scan_files.php?u=1&v=1 to run it in both update and verbose modes.
- The script skips files greater than approx 1 MB in size.
- If the path to the file ends with /images/image.php or /images/gifimg.php, the script deletes it in update mode. That’s because this was one of the signatures of the Gumblar malware.
Update (Aug 19, 2010): I added another script in scan_files.zip—that is delete_infected_backups.php. In order to delete the .bak files:
- Place the file delete_infected_backups.php at your web document root.
- Invoke it with no parameters to run it in report mode, where no modifications will be made. For the non-technical users, the address would be http://www.example.com/delete_infected_backups.php
- Use delete_infected_backups.php?u=1 to run it in update mode, where the .bak files will actually be deleted.
- The script deletes all files with names ending in: