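All pages on one of our websites got infected by some browser exploit. Linux hosting!! I spent a few minutes writing a micro antivirus, because a backup copy of the site was not at hand. The infection is a solid block of text appended after the normal page contents, so the task is easy: detect it via its signature, then truncate the file at that point. This only cleans the pages up; whatever let the attacker write to them still has to be found and closed, or the block will simply come back.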
·· [Continuing] ··
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
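/*
 * Scan one file for the injected block and cut the file off just before it.
 *
 * The whole file is read into memory and searched for the fixed signature
 * "<div id='x0". If it is found, the file is truncated so that it ends at
 * the last non-whitespace byte in front of the signature; everything from
 * the signature to the end of the file is discarded.
 *
 * Prints "<fn>: " followed by CLEAN, VIRUS FOUND! or an error message.
 * Exits the process if the read buffer cannot be allocated.
 *
 * Notes for whoever runs this:
 *  - The cleanup is destructive and done in place; no backup is written.
 *  - A page that legitimately contains the signature text is cut as well,
 *    and any genuine content after the injected block is lost with it.
 *  - truncate() works on the path, not on the stream that was read, so the
 *    file must not be replaced between the read and the truncate.
 */
void Check( const char *fn )
{
    static const char sig[] = "<div id='x0";
    const size_t sig_len = sizeof sig - 1;

    printf("%s: ", fn);
    /* "r+" so that a file we could not truncate anyway is rejected here. */
    FILE *fp = fopen(fn, "r+");
    if( fp==NULL ){
        printf("File not found.\n");
        return;
    }

    /* Determine the size; ftell() returns -1 on failure, which must not
       reach malloc() as a huge unsigned value. */
    long sz = -1;
    if( fseek( fp, 0, SEEK_END )==0 ){
        sz = ftell(fp);
    }
    if( sz<0 || fseek( fp, 0, SEEK_SET )!=0 ){
        printf("Read error!\n");
        fclose(fp);
        return;
    }

    /* +1 so an empty file does not ask for a zero-byte allocation. */
    char *buf = (char*)malloc( (size_t)sz + 1 );
    if( !buf ){
        printf("Memory allocation error!\n");
        exit(-1);
    }

    /* Read byte-wise so the return value is the number of bytes obtained. */
    size_t got = fread( buf, 1, (size_t)sz, fp );
    int failed = ferror(fp);
    fclose(fp);
    if( failed ){
        printf("Read error!\n");
        free( buf );
        return;
    }

    /* Length-bounded search: the buffer is raw file data, not a C string,
       so strstr() would run past the allocation when no NUL is present and
       would stop early at an embedded NUL byte. */
    size_t hit = got;                      /* got means "not found" */
    for( size_t i=0; i+sig_len<=got; i++ ){
        if( buf[i]==sig[0] && memcmp( buf+i, sig, sig_len )==0 ){
            hit = i;
            break;
        }
    }

    if( hit==got ){
        printf("CLEAN\n");
    }else{
        printf("VIRUS FOUND!\n");
        /* Drop whitespace/control bytes between the page and the block.
           The unsigned char cast matters: plain char may be signed, which
           would make bytes >= 0x80 compare <= 32 and get stripped too.
           keep can reach 0, so a file that starts with the signature is
           emptied completely instead of keeping its first byte. */
        size_t keep = hit;
        while( keep>0 && (unsigned char)buf[keep-1]<=32 ){
            keep--;
        }
        if( truncate( fn, (long)keep )!=0 ){
            printf("Could not truncate file!\n");
        }
    }
    free( buf );
}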
/*
 * Entry point: every command-line argument is taken as a file name and
 * handed to Check() in order. With no arguments a usage line is printed.
 * The exit status is 0 in both cases.
 */
int main( int argc, char *argv[] )
{
    if( argc>=2 ){
        /* argv[0] is the program name, so files start at index 1. */
        int idx = 1;
        while( idx!=argc ){
            Check( argv[idx] );
            idx++;
        }
    }else{
        printf("Usage: %s <filenames>\n", argv[0]);
    }
    return 0;
}