Searching GoDaddy Shared Linux Server for Malware

My websites were recently flagged by Google as containing Malware.

In the Webmaster Tools I found this link to explain what was found.

http://www.google.com/safebrowsing/diagnostic?site=www.example.com (replace www.example.com with the URL of your own site) to see specific information about what Google’s automatic scanners have found.

Of the 21 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-01-01, and the last time suspicious content was found on this site was on 2013-01-01.

Malicious software is hosted on 1 domain(s), including donationwarecallers.info/.

This site was hosted on 1 network(s) including AS26496 (PAH).

I used WinSCP to find an infected file and found this. I’ve truncated the code:

<?php <?php eval(gzinflate(base64_decode('vVhtb9pIEP7

cSv0PfIgESLmcsUNT1ObUHG81qU0wEGOfThF+IV4wtm

ObgOn1v5/t2W1mA+m1J919g/Hs7jMzzzyzthvHYXwXu1

EYpyS4rwn1929en5Do8uRu3NVuu9ofVa2rDCfdu6tOR6v++f7E

idGzzrA9Vbrq5E4bDiflU2txmbucVX+tnq2dZs2Zp26tuj5zzrJqv…?>

 

I used PuTTY to SSH into the server and ran the following command to find all the files containing ‘vVhtb9pIEP7’:

grep -rl "vVhtb9pIEP7" /home/content/s/a/v/savvy95/html

I ran the following command to remove the offending code in any PHP file:

grep -rl "vVhtb9pIEP7" /home/content/s/a/v/savvy95/html | xargs sed -i ".bak" '/vVhtb9pIEP7' > ./html/greplog2.log

But it didn’t work. I think it timed out on GoDaddy’s servers.

I created a log of files which contained the offending code using the following command:

grep -rl "vVhtb9pIEP7" /home/content/s/a/v/savvy95/html

 

That seemed to find everything and I manually removed the offending code.
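A scripted version of the find, back up, remove and re-check steps above, as an added example that is not the commands from the original post. Note that the sed expression in the post is an address with no command (sed needs something like a trailing `d` or an `s` substitution to change anything). The function names are hypothetical, and the layout of the injected block (`<?php eval(gzinflate(base64_decode('...'))); ?>`) is an assumption, because the sample in the post is truncated.

```shell
#!/bin/sh
# Added example. Assumed layout of the injected block (the post's sample is
# truncated):  <?php eval(gzinflate(base64_decode('SIG...'))); ?>
# Usage after sourcing this file:
#   clean_infected /home/content/s/a/v/savvy95/html 'vVhtb9pIEP7'

# list_infected ROOT SIG
# Print every *.php file under ROOT that contains the fixed string SIG.
# -F keeps base64 characters such as '+' from being read as regex syntax.
list_infected() {
    find "$1" -type f -name '*.php' -exec grep -lF -e "$2" {} +
}

# clean_infected ROOT SIG
# For each hit: keep a copy as FILE.bak, then delete only the injected block
# and leave the rest of the line (the site's own PHP) untouched.
# Prints the number of files that still contain SIG; anything other than 0
# means the injection has a different shape and needs manual review.
# File names containing newlines are not handled.
clean_infected() {
    root=$1
    sig=$2
    list_infected "$root" "$sig" | while IFS= read -r f; do
        # Never edit without a backup; skip the file if the copy fails.
        cp -p -- "$f" "$f.bak" || continue
        # Writing back through a redirect keeps the file's owner and mode.
        sed "s#<?php *eval(gzinflate(base64_decode('${sig}[^']*'))); *?>##" \
            "$f.bak" > "$f"
    done
    # Verification pass: *.bak copies do not match '*.php', so only the
    # live files are counted.
    list_infected "$root" "$sig" | wc -l | tr -d ' '
}
```

The `.bak` copies still contain the injected code, so download them for analysis and then delete them from the web root once the cleaned files have been checked.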
