Register Arama Bugünkü Mesajlar Tüm Forumu Okundu Say

Reply
 
Thread Tools
Removing Odmarco and go00ogle.net infections
vB.Org Poster
vB.Org Poster has disabled reputation
Kayıt Tarihi: Jul 2018
Mesajlar: 298

Show Printable Version Email this Page
yazan vB.Org Poster 10 Jul 2018, 16:44

Recently, as many of you know, the forum was attacked and infected with malicious code and it took me approx. 5-6 hours to remove the infections properly. The forum was infected with 2 main things: 'odmarco' and 'go00ogle.net'. Both were causing major issues and blocked many users and made the forum VERY unsafe.

Odmarco was probably the most difficult to remove, as it added malicious code to nearly every HTML file that it could access. What was worse, was that it varied the code in several files.

In this article, I aim to show you two tips on removing these infections.

Odmarco Infection

Being the most difficult, it hit me very hard that I had to search ALL HTML files manually; therefore, I looked for scripts to help me. Thankfully, I found a handy website here: Left On The Web / Cleaning "infected" file from the odmarco string

There is a great deal of explanation on that page, and more importantly, a script to help remove the strings. All the script does is search for the odmarco string and remove it from the files. I have attached the file here as well (clear_odmarco.php)

Once you know what the main string is, copy and edit the following part in the file:


Kod Blok Kilitli:      (Kayıt veya giriş yapmalısın)  
Engellenmiş, kayıtlı olmayan veya onay bekleyen kişiler kodlara erişemezler.

Replace the iframe string with the code that is in your files.

This goes through all your files and folders to find any sign of the code. It all worked fine, until I realised that the code varies in some files. Therefore, you can manipulate the code slightly, to search for any remaining code. I have attached an edited version of the same file that can search for malicious strings (search_odmarco.php)

This file will search for the word 'odmarco' in any files, and then return 'FOUND' next to any files that contain it. You can then access these files to find the variations of the odmarco string. Then, you can either remove them manually, or change the $string_to_clear in clear_odmarco.php to help remove them for you.

Keep repeating this, until the search returns zero files to have found the word. You can repeat this for ANY other type of malicious code by simple changing the search term on line 38:


Kod Blok Kilitli:      (Kayıt veya giriş yapmalısın)  
Engellenmiş, kayıtlı olmayan veya onay bekleyen kişiler kodlara erişemezler.

Just replace odmarco with any other term. This should help you remove any traces of the infection and saves A LOT of time.

go00ogle.net Infection

This infection is much easier to remove. blog.ambor.com: How to remove a go00ogle.net infection from your WordPress blog contains a full list of steps to remove the malicious code and is considerably more straightforward.

For this infection, one (or several) of your javascript files gets infected with malicious code. You could choose to use the method for odmarco (with the files) to remove this or you can follow the steps given in the link. Since you shouldn't have that many JS files loading up, it shouldn't be too difficult for you to manually remove the code.

I hope this helps somewhat if you get infected - any questions, just ask

Originally posted @ AdminFuel

-------
Views: 31
Reply With Quote
Reply

Thread Tools

Şunları Yapabilirsin
Yeni Konu Açmak
Konuya Cevap Yazmak
Eklenti Eklemek
Düzenleme Yapabilmek

Forum Atla


LD'de Yeni misin? Yardıma mı ihtiyacın var?

All times are GMT +3. The time now is 10:00.

Tasarım Özelliği | Genişlik: Geniş Renk: Removing Odmarco and go00ogle.net infections Removing Odmarco and go00ogle.net infections Removing Odmarco and go00ogle.net infections Removing Odmarco and go00ogle.net infections Removing Odmarco and go00ogle.net infections