Removing the Admedia / Adverting iFrame Infection malware from WordPress
I detected malware on my server: when I visit some pages, Google warns me that they contain malicious content. The server runs Debian Linux with Plesk installed, and it is happening on all the pages under a certain vhost, that is, the master domain and its associated subdomains. As always, I started by checking the website where this happened. I checked WordPress and it was updated, I checked the plugins and they were all updated; at first I did not see anything. I downloaded the entire website by FTP and ran an antivirus over all the code, and it detected malicious code on the last line of the JavaScript files of almost all the plugins. It started with a comment like /*e8def60c62ec31519121bfdb43fa078f*/ followed by code like ;window["\x64\x6f.... I armed myself with patience and removed this code from all the JavaScript files; in total my antivirus had detected 10.
After a while I checked again and everything was infected again, on all the websites. After searching Google for information I found that there is a new vulnerability, the Admedia / Adverting iFrame Infection malware, apparently caused by an outdated plugin in one of the WordPress installations; from there the infection spreads to other WordPress sites and other CMSs in the same vhost. I had a hard time removing it, and thanks to a comment from a user on this post I was able to fix it: https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
The fix is based on locating the infected JavaScript files with find:
find . -name "*.js" | xargs grep -E "\/\*[a-z0-9]{32}\*\/" -l | sort
Then, with sed and a pattern, put the comment at the start of a new line:
find . -name "*.js" -exec sed -i "s/\/\*[a-z0-9]\{32\}\*\//\n&/g" '{}' \;
And finally remove the malicious code from the infected JavaScript files with this command:
find . -name "*.js" -exec sed -i "/[a-z0-9]\{32\}/,/[a-z0-9]\{32\}/d" '{}' \;
Once this is done, if we perform the check with the first instruction, there will be no infected files and finally we will have cleared the problem.
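A more conservative variant of the cleanup above, as an added example that is not from the original post or the Sucuri comment: the last sed command runs on every .js file and its pattern matches any 32-character run, so this version rewrites only files that contain the /*...*/ marker, removes only the text between two identical markers, and keeps a copy of each file it changes. The function names, the .infected suffix and the assumption that both markers sit on one line are mine; the sample tree and its stub payload are constructed.

```shell
#!/bin/sh
# Marker described on the page: a /* ... */ comment holding exactly
# 32 lowercase alphanumeric characters.
MARKER='/\*[a-z0-9]{32}\*/'

# List .js files under directory $1 that contain the marker comment.
list_infected() {
    find "$1" -type f -name '*.js' -exec grep -lE "$MARKER" {} + | sort
}

# Strip one marker-delimited block from file $1.
# Assumption: the payload opens and closes with the SAME marker on one line.
# The untouched original is kept as $1.infected for later analysis.
clean_file() {
    cp -p "$1" "$1.infected" &&
    sed -E 's#/\*([a-z0-9]{32})\*/.*/\*\1\*/##' "$1.infected" > "$1"
}

# Clean every flagged file under $1, then print how many files still
# carry a marker (anything above 0 needs manual review).
clean_tree() {
    list_infected "$1" | while IFS= read -r f; do clean_file "$f"; done
    list_infected "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one script with a stub payload appended to its
# last line, and one clean script that only has a 32-character string.
make_sample() {
    mkdir -p "$1/plugin"
    printf '%s\n' 'var a = 1;' \
      'var b = 2;/*0123456789abcdef0123456789abcdef*/;window["\x64\x6f"];/*0123456789abcdef0123456789abcdef*/' \
      > "$1/plugin/infected.js"
    printf '%s\n' 'var etag = "0123456789abcdef0123456789abcdef";' \
      > "$1/plugin/clean.js"
}

# Run against the directory given as the first argument, if any.
if [ -n "${1:-}" ]; then
    clean_tree "$1"
fi
```

Move the .infected copies out of the web root once they have been reviewed.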