Recently, as many of you know, the forum was attacked and infected with malicious code and it took me approx. 5-6 hours to remove the infections properly. The forum was infected with 2 main things: 'odmarco' and 'go00ogle.net'. Both were causing major issues and blocked many users and made the forum VERY unsafe.
Odmarco was probably the most difficult to remove, as it added malicious code to nearly every HTML file that it could access. What was worse, was that it varied the code in several files.
In this article, I aim to show you two tips on removing these infections.
There is a great deal of explanation on that page, and more importantly, a script to help remove the strings. All the script does is search for the odmarco string and remove it from the files. I have attached the file here as well (clear_odmarco.php)
Once you know what the main string is, copy and edit the following part in the file:
Replace the iframe string with the code that is in your files.
This goes through all your files and folders to find any sign of the code. It all worked fine, until I realised that the code varies in some files. Therefore, you can manipulate the code slightly, to search for any remaining code. I have attached an edited version of the same file that can search for malicious strings (search_odmarco.php)
This file will search for the word 'odmarco' in any files, and then return 'FOUND' next to any files that contain it. You can then access these files to find the variations of the odmarco string. Then, you can either remove them manually, or change the $string_to_clear in clear_odmarco.php to help remove them for you.
Keep repeating this, until the search returns zero files to have found the word. You can repeat this for ANY other type of malicious code by simple changing the search term on line 38:
Code:
if (strpos($contents, 'odmarco'))
Just replace odmarco with any other term. This should help you remove any traces of the infection and saves A LOT of time.
For this infection, one (or several) of your javascript files gets infected with malicious code. You could choose to use the method for odmarco (with the files) to remove this or you can follow the steps given in the link. Since you shouldn't have that many JS files loading up, it shouldn't be too difficult for you to manually remove the code.
I hope this helps somewhat if you get infected - any questions, just ask
When your page is loading, you will see the URLs loading, and there will be numerous URLs with 'odmarco' in them. Also, Google would end up blocking your website and you can use Webmaster Tools to find out what you are infected with.
go00ogle.net Infections are easier to find and are described in the link.