Malware Global Fix Script

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
KrazyBob
Forum Regular
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Malware Global Fix Script

Unread post by KrazyBob »

I'll confess. I am not a BASH scripter although I am trying to learn in my "spare time." LOL. All of our servers got hit with the vulnerability. It was responded to as soon as Parallels sent the vulnerability email but it was too late.

I have determined the code that is attached at the bottom is the beginning of the hacked malware page as:

Code: Select all

<script>/*km0ae9gr6m*
I know that it is possible to grep for the string starting in /var/www/vhosts/ but what would a search and replace look like to scan all sites on the server, if found delete the line, and then move on to the next site?

This would be a wonderful tool that I am sure others may use. We've had everyone change their passwords long ago but the damage is still in place. It didn't help that Parallels didn't fix it the first time.

Please -- a scriptlet would be most appreciated
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Malware Global Fix Script

Unread post by faris »

There's one in the Plesk KB related to the mass compromise fixes.

I'll look for it and post it here.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Malware Global Fix Script

Unread post by faris »

Script here:
http://kb.parallels.com/en/114396

Password changer (which you'll need) http://kb.parallels.com/en/113391

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Post Reply