Cleaning JavaScript Malware On Your Linux Server (Removing Javascript Between Two Points)

Posted on January 5, 2013 by Anthony James, Founder/CEO

Let’s face it, either this exploit is awesome or your server isn’t as secure as it should be. Somehow, a JavaScript exploit made its way into your system, infected hundreds of JavaScript files, and is making your life a living nightmare. What’s worse is that your backups are also infected, so you have no choice but to clean this exploit by hand. Quick, throw on a pot or 5 of coffee and hunker down to clean this exploit, or at least that is what less experienced Linux hackers would do. You, however, are a smart Linux hacker and you know that all you really need is a few commands to clean every single JavaScript file on your system. Listening now?

Two Problems

Someone shared this JavaScript malware file with me and I’ll provide the file in a screen shot. Take a look at it and you will see two problems. The first problem is you have a huge nasty 20 line JavaScript exploit inside the file. The second problem is that it starts on the last line of the file which has legitimate code on it.

SED & FIND To The Rescue

This may not be the most elegant solution, but it solved the problem in minutes rather than the hours or days it would take to clean that exploit manually, and we did it using two Linux command-line programs that you should master if you haven’t already.
Find will allow us to search a given directory (or the entire file system) for all files ending with .js. Once find locates those files, we pass it an -exec option, which runs a sed expression on each one.
Sed searches each .js file that find locates for a given expression, which in our script is the marker comment at the start and end of the exploit. Sed first inserts a newline in front of the marker, which moves the exploit onto its own line, separate from the legitimate JavaScript it was appended to. We then repeat the find and sed commands, but this time sed removes all lines from the opening marker comment through the closing marker comment.

The Exploit Code

Exploit Starts At /*2b841b98d56c51eb852d8993915aebee*/

It’s very easy to spot the body of the exploit but where it begins is all cluttered together. It begins and ends at /*2b841b98d56c51eb852d8993915aebee*/ comments. You see why it’s important to first move the exploit to a separate part of the page or else we will end up removing good JavaScript code.


I’m going to use an actual server and place this file on that server. Don’t worry, I’m using a Linux Academy server which lets me delete and build servers in seconds. Even though our fix will clean the files I can prototype our exploit cleaning script on a server before we would ever have to move it into production.
Write the find command to locate all JavaScript files in the directory you want to clean.

[pinehead@linuxacademy]# find /var/www -name '*.js'

Next add the -exec and sed command that searches the file for /*2b841b98d56c51eb852d8993915aebee*/ and then places a new line in front of it, effectively moving our exploit to an isolated area of the script and putting good code out of harm’s way.

[pinehead@linuxacademy]# find /var/www -name "*.js" -exec sed -i "s/\/\*2b841b98d56c51eb852d8993915aebee\*\//\n&/g" '{}' \;

Exploit now starts at the beginning of its own line

Now To Remove the Actual Exploit Code

find /var/www -name "*.js" -exec sed -i "/2b841b98d56c51eb852d8993915aebee/,/2b841b98d56c51eb852d8993915aebee/d" '{}' \;

This command tells find to locate all files with .js extensions inside the /var/www directory. It then runs sed on each file to remove every line from the one containing the first 2b841b98d56c51eb852d8993915aebee marker through the one containing the next.
Check your infected files and you’re done!
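
A rehearsal of the two passes above on a constructed file, as an added example that is not part of the original post. It assumes GNU sed and grep, keeps a copy of each file, and skips any file whose marker count is odd, because the range delete would then run to the end of the file; the function names and the .infected suffix are made up for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes GNU sed and grep.
MARKER='2b841b98d56c51eb852d8993915aebee'   # marker hash quoted in the post

# Count marker comments in a file. The range delete only stops at a second
# marker, so an odd count means it would delete through the end of the file.
marker_count() {
    grep -o "/\*${MARKER}\*/" "$1" | wc -l | tr -d ' '
}

# Clean one file with the post's two sed passes, keeping a .infected copy.
# Returns 0 cleaned, 1 no marker, 2 unpaired marker (skipped), 3 marker left.
clean_js() {
    local f n
    f=$1
    n=$(marker_count "$f")
    [ "$n" -eq 0 ] && return 1
    [ $((n % 2)) -ne 0 ] && return 2
    cp -p -- "$f" "$f.infected"
    sed -i "s/\/\*${MARKER}\*\//\n&/g" "$f"   # pass 1: each marker starts a line
    sed -i "/${MARKER}/,/${MARKER}/d" "$f"    # pass 2: delete marker through marker
    [ "$(marker_count "$f")" -eq 0 ] || return 3
}

# Constructed sample: legitimate code, then an injected block that starts on
# the last legitimate line (harmless placeholder body, not the real payload).
make_sample() {
    printf '%s\n' 'function add(a, b) { return a + b; }' \
        "var total = add(1, 2);/*${MARKER}*/" \
        'var placeholder1 = "injected line 1";' \
        'var placeholder2 = "injected line 2";' \
        "/*${MARKER}*/" > "$1"
}

# Build the sample in a temp directory, clean it, and show what survives.
demo() {
    local dir
    dir=$(mktemp -d)
    make_sample "$dir/app.js"
    clean_js "$dir/app.js" && cat "$dir/app.js"
    rm -rf "$dir"
}

demo
```

Files that return 2 need a manual look before any range delete is run on them, and the .infected copies should be moved out of the web root once the cleaned files have been checked.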

