I'm having an issue with the Notorious c3284d virus. It modifies pretty much all the html/php/js files it can find.
I've changed all the passwords and users on the
awk 'BEGIN { clean=1 } /#c3284d#/ { clean=0 } /#\/c3284d#/ { clean=1 } { if (clean==1 && match($0,"#\/c3284d#") == 0) { print $0 } }' dirty-file > clean-file
That's a mouthful but it does the trick:
$ cat <<'EOF' | awk 'BEGIN { clean=1 } /#c3284d#/ { clean=0 } /#\/c3284d#/ { clean=1 } { if (clean==1 && match($0,"#\/c3284d#") == 0) { print $0 } }'
> foo
> #c3284d#
> bar
> baz
> #/c3284d#
> quux
> EOF
foo
quux
Simple way to find all affected files:
grep -H -r "c3284d" /home/user
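Putting the two answers above together (the awk filter and the recursive grep), here is an added example of my own, not code from either answerer, that finds every marked file under a directory, keeps a backup of each, and rewrites it with the injected block removed. It assumes the injection is always delimited by the exact `#c3284d#` / `#/c3284d#` lines shown above and that only .php/.html/.js files need treatment (the file types named in the question); the `.c3284d.bak` backup suffix is my own choice. It also refuses to touch a file whose markers are unbalanced, because the awk approach silently drops everything after a stray opening marker with no closing one.

```shell
#!/bin/sh
# Added example (not from the original answers): remove the c3284d injection
# from every affected file under a directory, keeping a backup of each.
# Assumptions: the block always sits between a line containing "#c3284d#" and
# a line containing "#/c3284d#"; only .php/.html/.js files are affected;
# the ".c3284d.bak" backup suffix is invented here.

# strip_c3284d FILE: print FILE with every #c3284d# ... #/c3284d# block removed
# (same logic as the awk one-liner above, written as rules instead of flags).
strip_c3284d() {
    awk '
        /#c3284d#/   { skip = 1 }        # opening marker: start skipping (this line too)
        /#\/c3284d#/ { skip = 0; next }  # closing marker: stop skipping, drop this line
        !skip                            # print everything outside a block
    ' "$1"
}

# markers_balanced FILE: succeed only if FILE has as many opening markers as
# closing ones, so a truncated block does not cause the rest of the file to
# be thrown away. Note "#/c3284d#" does not contain "#c3284d#", so the two
# counts do not overlap.
markers_balanced() {
    open=$(grep -c '#c3284d#' "$1" || true)
    close=$(grep -c '#/c3284d#' "$1" || true)
    [ "$open" -eq "$close" ]
}

# clean_tree DIR: for each .php/.html/.js file under DIR that contains the
# opening marker, copy it to FILE.c3284d.bak and rewrite FILE without the
# block. Files with unbalanced markers are reported and left for manual review.
clean_tree() {
    dir=$1
    find "$dir" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) \
        -exec grep -l '#c3284d#' {} + 2>/dev/null |
    while IFS= read -r f; do
        if ! markers_balanced "$f"; then
            echo "SKIP (unbalanced markers, inspect by hand): $f" >&2
            continue
        fi
        cp -p "$f" "$f.c3284d.bak"          # keep the original for the audit
        strip_c3284d "$f.c3284d.bak" > "$f" # rewrite in place from the backup
        echo "cleaned: $f"
    done
}

# Usage: clean_tree /home/user
```

Run it once with `clean_tree /home/user`, then re-run the grep from the answer above to confirm nothing but the `.c3284d.bak` copies still contains the marker. Keep the backups until the audit is done: they are the evidence of what was injected and where.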
This malware code comes from an infected client that has FTP passwords stored in plaintext. The malware is able to scrape the FTP logins, and then automatically starts injecting ad code into files. There should definitely be a full audit, but if you're lucky and caught it in time, it likely does not originate from the server itself.