Detect and clean Malware on MediaTemple (gs)

A couple weeks ago, some accounts on Media Temple (gs) has been exploited. This attack consist on insert Javascript code in the html pages and create php files (example: fwrite.php, fclose.php, etc.) in order to prevent malfunctions. Now, we have to follow this steps for detecting and cleaning malware on (GS):

Detect and clean Malware on MediaTemple (gs)

Change your passwords periodically

First of all, you need to check the WordPress administrative users. If you found the user "JohnnyA", means that your site has been exploited. Please delete this user from your database.

Now, we need to scan all the files on the server. Please, login your server via SSH.

cd ~/domains

Search for the offending javascript:

grep -R "document.write(unescape" *

Note that there may be legit occurrances of this (e.g. google analytics). Look for something similar to the following:<ads><script type="text/javascript">
var st1 = 0; document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D...

Once you have found the offending javascript malware, remove it from the file. Make sure that you only remove the "bad" part.

Next step is to look for the .php and .js malware. The following looks for a character string longer than 255 (somewhat arbitrary number) within all .php and .js files:

grep -iR --include "*.php" "[a-zA-Z0-9/+]{255,}" *

You should get back something similar to:<?php $o = '1RqLcptI8lcIpQrgSAj0sh...

grep -iR --include "*.js" "[a-zA-Z0-9/+]{255,}" *

You should get back something similar to: st1 = 0;this.b=this.M="";this.A="";this...

This line of code is the core of the malware and another piece to be deleted. It allows the bot or hacker to manipulate the contents of the site and execute queries against the database.


Nov 11
Amazing! Great tip


Copyright © 2017 epictrim. All rights reserved.What we doOur WorkInsideIdeasJoin UsContact Us