Trojan - infected Linux hosting! · My Notes

All pages on one of our websites got infected by some browser exploit. Linux hosting!! I spent a few minutes writing a micro antivirus, because the backup copy of the site was not at hand. The infection is a solid block of text appended after the normal page contents, so the task is easy: detect it via a signature, then truncate the file.


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Signature of the injected block; everything from its first byte on is dropped. */
#define SIGNATURE "<div id='x0"

void Check( const char *fn )
{
  printf("%s: ", fn);
  FILE *fp = fopen(fn, "rb");
  if( fp==NULL ){
    printf("File not found.\n");
    return;
  }
  fseek( fp, 0, SEEK_END );
  long sz = ftell(fp);
  fseek( fp, 0, SEEK_SET );
  /* one extra byte so the buffer can be NUL-terminated for strstr() */
  char *buf = (char*)malloc( sz+1 );
  if( !buf ){
    printf("Memory allocation error!\n");
    fclose(fp);
    exit(-1);
  }
  if( sz>0 && fread( buf, sz, 1, fp )!=1 ){
    printf("Read error!\n");
    fclose(fp);
    free(buf);
    return;
  }
  fclose(fp);
  buf[sz] = '\0';
  char *ptr=strstr(buf, SIGNATURE);
  if( ptr==NULL ){
    printf("CLEAN\n");
  }else{
    printf("VIRUS FOUND!\n");
    /* step back over the whitespace the injector left before its block */
    while( ptr>buf && (unsigned char)ptr[-1]<=32 )
      ptr--;
    /* keep only the bytes before the signature (and that whitespace) */
    if( truncate( fn, ptr-buf )!=0 )
      perror("truncate");
  }
  free( buf );
}

int main( int argc, char *argv[] )
{
  if( argc<2 ){
    printf("Usage: %s <filenames>\n", argv[0]);
    return 0;
  }
  /* every file named on the command line is checked and cleaned in place */
  for( int f=1; f<argc; f++ )
    Check( argv[f] );
  return 0;
}
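As an added example (not the post's code), the same cleaning rule lifted into a pure function over an in-memory buffer so it can be tested without touching files; it generalises the post's version slightly: the signature is a parameter, a signature at offset 0 yields an empty file rather than one stray byte, and a byte-wise search is used so NUL bytes before the block cannot hide it from strstr(). SIG and SAMPLE are constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIG "<div id='x0"   /* the signature used in the post */

/* Byte-wise search (like memmem): does not stop at embedded NULs. */
static const char *find_bytes(const char *hay, size_t hlen,
                              const char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen)
        return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

/* Returns how many leading bytes of buf to keep, or -1 if the
   signature is absent (file is clean, leave it alone). */
long clean_length(const char *buf, size_t len, const char *sig)
{
    const char *hit = find_bytes(buf, len, sig, strlen(sig));
    if (hit == NULL)
        return -1;
    size_t keep = (size_t)(hit - buf);
    /* also drop whitespace/NUL padding the injector left before its block */
    while (keep > 0 && (unsigned char)buf[keep - 1] <= ' ')
        keep--;
    return (long)keep;
}

/* Constructed sample: a normal page with the block appended after two newlines. */
static const char SAMPLE[] =
    "<html><body>hi</body></html>\n\n" SIG "'>...injected...</div>";

int main(void)
{
    long n = clean_length(SAMPLE, sizeof SAMPLE - 1, SIG);
    printf("keep %ld bytes: %.*s\n", n, (int)n, SAMPLE);  /* keep 28 bytes */
    return 0;
}
```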




© Sergey A. Galin, 1998-2004 http://sageshome.net/b2e/blogs/