Server side code cleaner in ASP.Net for iframe injection attack

My friend Niyaz has been bugging me for a while to write ASP.NET code that removes malicious code from server-side scripts hosted on web servers. The idea is an .aspx page which, when invoked, removes the malicious code from all infected files on the server. This is much faster than removing the code from the files over FTP or, of course, editing them manually. So here is the code: (CleanFiles.aspx.txt) – rename it to CleanFiles.aspx

Make sure that your ASP.NET web application has enough privileges to modify the files on the web server.

Remember that this code takes a location, the type of files you want to clean, a regular expression to match and a replacement string, so you can use it for any kind of cleaning activity. I will keep you posted on enhancements to the code. And let me know if you need any…
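The search-and-replace pass described above, as an added C# example; it is not the CleanFiles.aspx code from this post. The class and method names, the temp directory, the example.invalid host and the .infected.bak suffix are assumptions, the sample files are constructed, and the pattern is the one given in comment 4 with `\s*` added after "visibility:".

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

static class CleanFilesExample
{
    // Returns the number of files containing a match; rewrites them only when save is true.
    static int Clean(string root, string filePattern, string regex, string replacement, bool save)
    {
        var rx = new Regex(regex, RegexOptions.IgnoreCase | RegexOptions.Singleline);
        int infected = 0;
        foreach (string path in Directory.EnumerateFiles(root, filePattern, SearchOption.AllDirectories))
        {
            string text = File.ReadAllText(path);
            int hits = rx.Matches(text).Count;
            if (hits == 0) continue;
            infected++;
            Console.WriteLine("{0}: {1} match(es){2}", path, hits, save ? ", cleaned" : "");
            if (!save) continue;                            // report-only pass, nothing is written
            File.Copy(path, path + ".infected.bak", true);  // keep the original; move it out of the web root afterwards
            File.WriteAllText(path, rx.Replace(text, replacement));
        }
        return infected;
    }

    static void Main()
    {
        // Constructed sample site in a temp directory; example.invalid is a placeholder host.
        string root = Path.Combine(Path.GetTempPath(), "cleanfiles-demo");
        Directory.CreateDirectory(root);
        string bad = "<iframe src=\"http://example.invalid/x\" width=1 height=1 style=\"visibility: hidden\"></iframe>";
        File.WriteAllText(Path.Combine(root, "index.html"), "<html><body>Home</body></html>" + bad);
        File.WriteAllText(Path.Combine(root, "index_2.html"), "<html><body>Two</body>" + bad + "</html>");
        // A legitimate iframe that the pattern must leave alone.
        File.WriteAllText(Path.Combine(root, "about.html"), "<iframe src=\"/map.html\" width=400 height=300></iframe>");

        // \s* lets both "visibility:hidden" and "visibility: hidden" match.
        string pattern = "<iframe src=\"http://[^\"]*\" width=1 height=1 style=\"visibility:\\s*hidden\"></iframe>";

        Console.WriteLine("Report only: {0} file(s)", Clean(root, "*.html", pattern, "", false));
        Console.WriteLine("Cleaned:     {0} file(s)", Clean(root, "*.html", pattern, "", true));
        Console.WriteLine("Remaining:   {0} file(s)", Clean(root, "*.html", pattern, "", false));
    }
}
```

ReadAllText and WriteAllText assume UTF-8 unless the file has a byte order mark, so pass the encoding explicitly for pages saved in another code page.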


14 comments

  1. A large number of servers are Linux Apache based, this script will not likely work – any thoughts or plans on a port to PHP? Thanks very much for the script though, I’ll keep this on hand in case of Windows web server infection.

    Cheers!

  2. I used this one and it didn’t seem to remove the IFrames from the html files. I checked them after it marked completed and yet the Iframes were still there. It is also having a problem doing multiple html files in a single directory. For instance I have index.html and index_2.html in the same directory and it will only find index.html. Not complaining as this script is totally what I needed. Just letting you know for troubleshooting purposes. Thanks a million!

  3. Aric,

    Can you please share the details of the bug. I was not able to reproduce the case in my dev environment. I tested the mentioned issues but I got the files cleaned without any trouble. I hope you didn’t forget to check the “Correct and save files” check box :)
    And if possible please share the files that you were not able to clean…

  4. Aric, I checked the files you sent and found that they have iframe code slightly different from the one that I have handled. Hence you need to modify the regular expression used to find the files a little bit. In your case it will be

    <iframe src="http://[^"]*" width=1 height=1 style="visibility: hidden"></iframe>

    I tested this and it is working fine. Hope this solves your problem :)

  5. Waaaa. It keeps on coming back, how to use this one. I need help. Thanks!!

  6. I need to remove all malicious iframes from my home page, which is in the root directory. I have tried your code but it is not working. Please reply ASAP how to call your code for removing iframe injection from my page, or how to get the names of the pages and how many pages got injected by this problem?
    Thanks in advance.

  7. If you follow the instructions given in the post correctly, you will not face any problems. And you will also need a little experience with regular expressions. If not working, send me a sample infected file and I will help you out.

  8. I have resolved all problems for fix iframe src like () but still stuck with dynamic src.

  9. Does it automatically clean the iframe once I access

    “www.mydomain.com/CleanFiles.aspx”?

  10. No Kyle. It is a search and replace script. You need to provide the regular expression to search for.

  11. this is what i got as an error
    Runtime Error

    Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

    Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a “web.config” configuration file located in the root directory of the current web application. This tag should then have its “mode” attribute set to “Off”.

    Notes: The current error page you are seeing can be replaced by a custom error page by modifying the “defaultRedirect” attribute of the application’s configuration tag to point to a custom error page URL.

  12. @Amit: Then enable debugging and let me know what exactly the error is. Or maybe you can get it from the logs.
