My site was infected by a virus that embeds itself in PHP and JavaScript files. The malware attaches itself at the end of each file and connects to a site under the .RU ccTLD. The appended block is JavaScript, marked with a GNU GPL comment and obfuscated. It infects all index.*, default*.* and *.js files.

Since I am on shared hosting, all of my sites under that account were infected. At first I did the fixing manually, but since that is a time-consuming task, I decided to write a PHP script to clean the files. Here is what you need to do to fix your website from the said GNU GPL infection.

  1. Check your PC for any infections using an anti-virus such as AVAST and MalwareBytes.
  2. Change the passwords for your hosting and FTP access.
  3. Download the file FIXFILES.ZIP here (Right Click -> Save Target As, or Right Click -> Save Link As).
  4. Extract FIXFILES.PHP from the archive and upload it to the root directory of your website (/www or /) through FTP.
  5. Execute it (type http://www.yourwebsite.com/fixfiles.php into your address bar).
  6. Once the script runs, the cleaning of the infected files starts. Wait until all the files are listed.

The program reads all the files on your website and checks each one for the virus's signature. It then removes the malicious code and rewrites the file without it. Note: Use this PHP code at your own risk; Bleuken.com and the author are not liable for any loss or damage it might cause to your website. As I have said, this is the same code that I used to fix this website, and it really fixed everything. Good luck!
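As an added example (this is not the original FIXFILES.PHP and not code from Bleuken.com), here is how a cleaner of this kind can be written so that it avoids the problems readers report in the comments: it processes one file at a time instead of loading everything into memory, skips zero-length files rather than calling fread() with length 0, never rewrites itself even though it contains the signature string, and writes a backup before overwriting anything. It assumes the payload starts at the signature quoted in the comments (“/*GNU GPL*/ try{window.onload = function()”, with or without a preceding <script>) and runs to the end of the file, as the post describes. The file-name patterns come from the post; the backup suffix, size cap and ?apply=1 switch are illustrative choices, and str_ends_with() needs PHP 8.

```php
<?php
declare(strict_types=1);
// Added example cleaner for the appended "/*GNU GPL*/" JavaScript payload described in the post.
// Not the original FIXFILES.PHP. Assumed: the payload begins at SIGNATURE (optionally wrapped in
// <script>) and runs to the end of the file; size cap, backup suffix and ?apply switch are illustrative.

const SIGNATURE  = '/*GNU GPL*/ try{window.onload = function()';
const NAME_GLOBS = ['index.*', 'default*.*', '*.js'];   // file names the post says get infected
const MAX_BYTES  = 8 * 1024 * 1024;                     // skip anything larger; one huge file must not exhaust memory
const BACKUP_EXT = '.bak-infected';

/** Byte offset where the payload starts, or null if the content is clean. */
function findPayloadOffset(string $content): ?int
{
    $pos = strpos($content, SIGNATURE);
    if ($pos === false) {
        return null;
    }
    // The payload is sometimes wrapped in <script>; cut the opening tag too so nothing dangles.
    $tag    = '<script>';
    $tagLen = strlen($tag);
    if ($pos >= $tagLen && strcasecmp(substr($content, $pos - $tagLen, $tagLen), $tag) === 0) {
        $pos -= $tagLen;
    }
    return $pos;
}

/** Content with the appended payload removed; returned unchanged when no signature is present. */
function stripPayload(string $content): string
{
    $pos = findPayloadOffset($content);
    return $pos === null ? $content : substr($content, 0, $pos);
}

/** Does the file name match one of the infected-name patterns from the post? */
function isCandidateName(string $basename): bool
{
    foreach (NAME_GLOBS as $glob) {
        if (fnmatch($glob, $basename, FNM_CASEFOLD)) {
            return true;
        }
    }
    return false;
}

/**
 * Clean one file in place. Returns 'clean', 'fixed', 'skipped-empty', 'skipped-large' or 'error'.
 * A backup is written beside the file before it is overwritten, unless $dryRun is set.
 */
function cleanFile(string $path, bool $dryRun): string
{
    $size = filesize($path);
    if ($size === false) {
        return 'error';
    }
    if ($size === 0) {
        return 'skipped-empty';   // reading 0 bytes is what produced the fread() warning in the comments
    }
    if ($size > MAX_BYTES) {
        return 'skipped-large';
    }
    $content = file_get_contents($path);
    if ($content === false) {
        return 'error';
    }
    $fixed = stripPayload($content);
    if ($fixed === $content) {
        return 'clean';
    }
    if ($dryRun) {
        return 'fixed';
    }
    // Backup first, then rewrite; LOCK_EX keeps a concurrent request from interleaving writes.
    if (file_put_contents($path . BACKUP_EXT, $content, LOCK_EX) === false
        || file_put_contents($path, $fixed, LOCK_EX) === false) {
        return 'error';
    }
    return 'fixed';
}

/** Walk $root, clean every candidate file, and return a count per result. */
function cleanTree(string $root, bool $dryRun = true): array
{
    $counts = ['clean' => 0, 'fixed' => 0, 'skipped-empty' => 0, 'skipped-large' => 0, 'error' => 0];
    $self   = realpath(__FILE__);
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        // Never touch the cleaner itself: the SIGNATURE constant would otherwise "match" and truncate it.
        if (!$file->isFile() || realpath($file->getPathname()) === $self) {
            continue;
        }
        $name = $file->getFilename();
        if (!isCandidateName($name) || str_ends_with($name, BACKUP_EXT)) {
            continue;
        }
        $result = cleanFile($file->getPathname(), $dryRun);
        $counts[$result]++;
        echo sprintf("%-14s %s\n", $result, $file->getPathname());
    }
    return $counts;
}

// Default is a dry run that only reports; add ?apply=1 to the URL to rewrite files.
$dryRun = !isset($_GET['apply']);
$counts = cleanTree(__DIR__, $dryRun);
echo "\n", $dryRun ? 'dry run' : 'applied', ': ', json_encode($counts), "\n";
```

Run it once without ?apply=1 and read the list before applying, since a legitimate file that happens to contain the signature string would also be truncated. The script runs as the web server user, so it can only rewrite files that user may write to, and the .bak-infected copies still contain the payload; move them out of the web root (or delete them) once the cleaned files have been checked.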

Comments

  1. Hisham

    I have the same problem as the first person who posted.

    Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 273516741 bytes) in /home3/frenchfl/public_html/fixfiles.php on line 49

  2. fabien

    Hello,

    I get an error message when I run it:
    Fatal error: Allowed memory size of 41943040 bytes exhausted (tried to allocate 120566498 bytes) in /homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxxx/fixfiles.php on line 49

    Can anyone help me?
    Thanks in advance

  3. rhino

    This is a perfect script. Bravo!!!!
    I cleaned 523 files on my website with one click. Perfect, perfect script, man!

  4. My 2 分

    Don’t forget to understand the fixfiles.php file before you use it.
    “Note: Use this PHP code at your own risks and Bleuken.com or the author is not liable of any loss or damage that it might cause to your website. ”

    1) fixfiles.php just erases all the content of your files, starting from the signature “/*GNU GPL*/ try{window.onload = function()”, with or without a leading <script>.
    If the original file starts with that signature, it will be emptied (maybe backed up, maybe not, see point 3);
    “It then removes the malicious code and rewrite the file without the virus. ” => it is a little bit more than just the malicious code…

    2) Do not change the name (keep fixfiles.php), otherwise the fixfiles.php will be “fixed”;

    3) Also, if you want a backup, follow the (hidden) advice of the author on line 74:
    //I disable the back-up process. Remove // below to enable it.
    //fwrite($fh, $theData);

    4) Line 47: you may want to replace “if ($fsize!=0) {” by “if ($fsize>0) {” to “better” manage 0 (already) sized files, or strange file system objects.

    1. Thanks man for that explanation.

  5. Hi,

    The link fixfiles.zip works, but when I run the file on my site, it says:

    Warning: fread() [function.fread]: Length parameter must be greater than 0 in /home/lucyle/public_html/fixfiles.php on line 49

    What can I do for making it work?

    Thanks

    Casto

    1. @Casto, I didn’t put any error-trapping code in the program, but I revised it and fixed this error. Can you try it and let me know if there are still problems with the code. Good luck.

  6. hi,

    Thank you for FIXFILES.ZIP it was perfect for me.

    I think this virus propagates through some fault in the CMS; mine is “Nuke Klan”, and yours?

    1. @xman, I’m using WordPress right now, and possibly it’s because of a vulnerability in the CMS.

  7. d_hunter

    Bleuken – I am very appreciative of your efforts to remove and advance this script you have created. Any thoughts on how it affects the shared or dedicated hosting servers once launched from your machine's FTP program? It seems to be executed somehow server-side – if it is an uploaded script we want to make sure we capture it and remove it from the infected servers for obvious reasons. Any ideas to remove 100%, as server-side AV will not detect a script?

    MORE INFO ON THE VIRUS
    – we tested and saw activity in the browser and internet temp folders for IE7, and while doing a download or having a session open for a MalwareBytes definition update we also saw the program launched on our local machine, where it tried to take over the recent download and replace it – fortunately IE7 warned about it and we said no… that download was launched from the infected server, and identified as PSW.Onlinegames as posted above. Info on the PSW infection showed mbam.exe was infected (this is after we had an svchost.exe infection and disabled that in the AVG Vault, only to have the virus come back and be attached to the Malwarebytes program).

    – the local infected machine is when we first lost our WS_FTP to the virus, where we were also hit with the SpamTool virus (a program asking for credit card info, saying you have a virus, and taking over your machine with a scan), as this happened at the exact time when the FTP transfers were occurring based on the logs we investigated. When that happened we cleaned our local computer of any virus, believing originally it was Vundo, and didn’t know of the possible server infections. All cleaning programs (HijackThis, Spybot S&D and MalwareBytes) showed it was gone.

    When we were notified of the virus on some of our servers, we visited them via a browser and saw in Task Manager at the same time that java.exe was being launched locally. Suspecting we were going through the SpamTool virus again, we ended the process using Task Manager. The computer froze. On forced reboot we were dead and couldn’t recover even in safe mode. A reformat occurred to wipe the system.

    We have concluded, given our limited knowledge, that the virus is localized in the temp folders by visiting with up to IE6 / IE7 (whereas IE8 seems to warn on occasion about the sites and doesn’t want to show them, so you can opt out when the scripts are executing – seems like higher security on IE8, which is good). This temp folder will somehow keep the virus on your machine, and if you are open to it without proper upgrades (we have read remnants of Acrobat 6 ActiveX may have an issue, old Java Runtime may have an issue, as does IE6 and not having your SP3 updates) it will let the virus get deep into your system as a rootkit trojan virus/worm.

    The virus is then dormant (perhaps collecting keystrokes) until you hit such an infected site again where the iframe opens from the infected page, java is launched, and your system is lost to the SpamTools program where the FTP infection loop occurs….

    We also believe this is a very new variety of the PSW.onlinegames virus, and something that was launched in Nov/Dec 2009.

    Good luck to anyone who has this. Need to change your FTP passwords. Clean the servers of the infected files. And Clean/ReFormat your local machines. Then cross your fingers!

  8. d_hunter

    Bleuken – will this php script work on .asp and .cfm sites as well?

    Any ideas what the signature comment is that is being left?

    1. I don’t know about the signature comment, but I think they use different ‘spamming tools’ to perform that. Re: whether the PHP script will work on .ASP and .CFM, I think it can, but I honestly haven’t tried it yet. Let me know if you try it, but make sure you create a back-up, just in case any issues occur. BTW, thanks for the comments.

  9. d_hunter

    Very much appreciated. One of our hosting companies didn’t know how to get on top of this virus. If successfully received on your computer (perhaps due to an IE6 flaw as with ours, or lack of service packs in an XP environment) it will take over your computer, download a bunch of trojans and spyware, and push out to all the FTP server contacts you store ** passwords (we had WS_FTP running). All those will be infected by the virus on all the index files on their server, and in the last several days we have seen this across .cfm, .js, .asp, .htm pages as well as .php server files, creating a nightmare to clean up and restore, as you can imagine.

    You should provide this tool to some of the Malware companies or to folks who protect servers (CLAM, AVG or others). It would be useful to have this also work for .cfm and .asp files. Will it?

    Other points of interest:
    – when you visit a site with the virus (IE6, IE7, IE8) it starts to build temporary internet files, and lots of them. We have a record of 60+ in seconds. This is done through an iframe in the site and the mystery code which trails your rewritten files.

    – the JavaScript in the virus seems to create and want to download a trojan (one we caught was PSW.OnlineGames.AUMH, from the PSW.OnlineGames keystroke-tracking family) as an .exe which sits in your System Volume Information \_restore folder and has an accompanying Generic2.RFJ .dll in there. Once you get this, it is very difficult to remove short of a format, as it morphs when put in a vault, and is believed to be a trojan and worm as a rootkit virus (we have learned).

    When we ran your scan on one site where we changed passwords first, the server virus seems to have left a signature comment in the code with 1262557066, which has a .cn origin on a Google search…. we didn’t follow the link, but found only the 1 Google entry.

    Hope this helps anyone who has been on this as we have for several days now…

  10. ItsMe

    Does anybody know how the “hacker” places the code in the files? Is there an issue with some open source script? A trojan which steals the passwords, or something else?

    Hope you can help, my website was infected 3 times in the last week.

    1. I think this happens when you visit an infected site and it then installs itself as a service on your local PC. Then it finds your FTP program and seeks out any accounts. These are then used to modify your files on your remote host. This is just my theory, but another one is that it is also possible that the infection started on the hosting site.

  11. Awesome!
    Thanks a lot, this malware script thingie has been bugging me for weeks now…

  12. This works great, but to get it to work I had to change the permissions on all sub directories to 0777.

    It was a test of an infected chat software I had saved.

    How did you handle the permissions thing? I tried uploading it as root first, then I chown’ed it to site user name THEN had to change permissions to get it to work.

    This will save tons of time; it is the smallest script of its kind I have seen yet.

  13. @olalla, thanks for telling me. It’s corrected right now.

  14. olalla

    The link to fixfiles.php.lix doesn’t work.
