Web – New Java Code Infection


The Symptoms And The Cure



We noticed strange JavaScript code patterns inside some of our website files (usually index.php). The injection is easy to spot if you view the source of your pages and look at the very beginning and the very end. If you notice a suspicious-looking piece of JS code there, your site might be infected.

The injected code in the current attack starts with this:

var i;if(i!=''){i='f'};var P=new String();

In most cases, these patterns were loading PHP scripts from some remote webserver.

We thought that it was some virus that we had uploaded to the server from our workstations while updating files, but then we discovered FTP uploads from unknown places. We were using pure-ftpd.

Since pure-ftpd was logging its activity to syslog, this is how we found the suspicious FTP connections and extracted the originating IP addresses:

cat /var/log/messages | grep your_ftp_username | grep -v your_ipaddress | grep uploaded | awk '{print $6}' | cut -d "@" -f2 | cut -d ")" -f1 | sort -u >> ban_list

If your FTP daemon uses a different logging format, you will have to make some adjustments.
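The same triage as a small script, added here as an example (not from the original post): it runs over constructed pure-ftpd syslog lines, lists the IPs that uploaded under your FTP account from anywhere other than your own address, and also lists which files those sessions wrote, so you know where to look for the injected script. The username "siteuser", the trusted IP 198.51.100.5 and the log lines are assumptions.

```shell
#!/bin/sh
# Constructed pure-ftpd syslog lines (not from the original post), in the
# "(user@ip) [NOTICE] /path uploaded (...)" form pure-ftpd writes.
SAMPLE_LOG='Mar  3 02:11:45 web1 pure-ftpd: (siteuser@203.0.113.7) [NOTICE] /home/siteuser//public_html/index.php uploaded  (4821 bytes, 61.2KB/sec)
Mar  3 02:11:46 web1 pure-ftpd: (siteuser@203.0.113.7) [NOTICE] /home/siteuser//public_html/about.php uploaded  (2101 bytes, 58.9KB/sec)
Mar  3 09:30:02 web1 pure-ftpd: (siteuser@198.51.100.5) [NOTICE] /home/siteuser//public_html/style.css uploaded  (900 bytes, 40.0KB/sec)
Mar  3 09:31:10 web1 pure-ftpd: (siteuser@198.51.100.5) [INFO] logout
Mar  3 14:02:33 web1 pure-ftpd: (siteuser@192.0.2.44) [NOTICE] /home/siteuser//public_html/index.php uploaded  (5310 bytes, 70.1KB/sec)'

# Usage: suspicious_uploaders <ftp_user> <trusted_ip> < logfile
# Prints each IP that uploaded as <ftp_user> from anywhere other than
# <trusted_ip>, one per line, de-duplicated. Same idea as the pipeline
# above, but the "(user@ip)" token is picked out by pattern instead of as
# whitespace field 6, so a different syslog timestamp format does not break it.
suspicious_uploaders() {
    user=$1
    trusted=$2
    grep "pure-ftpd: ($user@" \
    | grep ' uploaded ' \
    | sed -n "s/.*($user@\([^)]*\)).*/\1/p" \
    | grep -v -x -F "$trusted" \
    | sort -u
}

# Usage: uploaded_files <ftp_user> <trusted_ip> < logfile
# Lists the server-side paths written by the untrusted sessions, i.e. the
# files to inspect (or restore from a clean copy) first.
uploaded_files() {
    user=$1
    trusted=$2
    grep "pure-ftpd: ($user@" \
    | grep ' uploaded ' \
    | grep -v -F "($user@$trusted)" \
    | sed -n 's/.*\[NOTICE\] \([^ ]*\) uploaded.*/\1/p' \
    | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | suspicious_uploaders siteuser 198.51.100.5
printf '%s\n' "$SAMPLE_LOG" | uploaded_files siteuser 198.51.100.5
```

Against a real system, replace the two printf lines with `suspicious_uploaders your_ftp_username your_ipaddress < /var/log/messages`.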

With this list you can do whatever you want (ban the listed IP addresses, inform their owners...).

After this we replaced the FTP server.
For purging the malicious code from the infected files on the server side, we used this useful program.

6 Responses to “Web – New Java Code Infection”

  1. ranuman says:

    I have the same problem. Thanks for this!

  2. David says:

    Thanks for sharing the details. I found the information really helpful.

  3. Hello, fantastic blogging dude! I am tired of using RSS feeds; do you use Twitter, so I can follow you there? :D
    PS: Have you thought about putting video on the blog to keep the readers more entertained? I think it works. Yours, Towanda Tejeda

  4. Gordon Herre says:

    Great info! I've been looking for something like this for a while now. Thanks!

  5. Interesting post, pretty much covered it all for me, thanks.

  6. Nice blog. Thanks!
