How to fix/clean runforestrun malware on Plesk servers

Friday the Thirteenth…

Symptoms: Google tells you that your website is insecure and has been infected with malware.
At the bottom of .js, index.php or index.html files some malicious code has been injected, like:

Some more info is here.

Again and again Plesk users are being confronted with hacked websites. Read all about it here (Dutch) or here (English).

Some of my customers' servers were also compromised on Friday July 13th, because they updated/patched one day too late (end of February 2012).
On Sunday July 15th Plesk once again released a hotfix for this issue.
The problem with this malware is that it is all uploaded over FTP, after all the passwords have been taken from the Plesk server database. The attacker logs in with legitimate credentials, so cleaning the files alone does not help: the passwords have to be rotated as well.

Steps to take:

1. Apply the fixes, see the Plesk KB. This is easy: log in to Plesk, click "Updates" and apply the hotfixes.
You can check whether the server is still vulnerable like this (see the Plesk KB).
Just download the checker and run it. This must be done as root over SSH:

Download the tool:

wget <download-url-goes-here>/plesk_remote_vulnerability_checker.php

Run it:

php -d safe_mode=0 plesk_remote_vulnerability_checker.php

If all is OK, the output will be: "The patch has been successfully applied".

2. Remove the session records from the Plesk database.
When your server has been compromised you will see a large number of Active Sessions in Plesk. They MUST be removed, otherwise the attacker keeps a valid session and can keep coming in, even after the fixes have been applied.
Do this by logging in to Plesk, going to Home and clicking Active Sessions, then removing them all.
Alternatively, log in over SSH and delete them from the psa database (the admin password is read from /etc/psa/.psa.shadow):

mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
mysql> delete from sessions;

3. Reset ALL passwords and make sure your clients DON'T change them back. Mail and database passwords could be skipped, although it would be a good idea to change them too: every password that was in the Plesk database at the time of the compromise must be considered known to the attacker. More info in the Plesk KB once again.
First change your admin password through the Plesk GUI.
Then log in over SSH and do the following as root:

Download the tool:

wget http://repository.tedoc.nl/repo/plesk-tools/plesk_password_changer.php

Run the tool and change the passwords for clients, users, domains, domain admins, additional FTP accounts, subdomains, web users and resellers:

php -d open_basedir= -d safe_mode=0 plesk_password_changer.php `cat /etc/psa/.psa.shadow` --clients --users --domains --domainadmins --additionalftpaccounts --subdomains --webusers --resellers

When finished, Plesk has generated a list of passwords and created a CSV file with them. That file holds every new password in clear text, so remember to delete it as soon as you have handed the passwords out.

4. Remove the runforestrun injections from the infected files. Someone on the Plesk forum created a nice one-liner.
This needs to be done as root over SSH:

grep -ilr 'km0ae9gr6m' /var/www/vhosts/ | while IFS= read -r arq; do echo "$arq"; echo "$arq" >> /root/infected.txt; sed -ni '1h;1!H;${x;s/km0ae9gr6m.*qhk6sa6g1c/virus removed/;p}' "$arq"; done

This one-liner greps every file under /var/www/vhosts/ for the start marker. For each hit, sed first collects the whole file in its hold space and then replaces everything from the first km0ae9gr6m to the last qhk6sa6g1c with "virus removed", so an injection that spans several lines is removed in one go. It also writes the list of infected (and now fixed) files to /root/infected.txt.
Two caveats: sed edits the files in place without keeping a backup, so take one before running it, and the grep is case-insensitive (-i) while the sed pattern is not, so a file listed in /root/infected.txt is not necessarily cleaned; run the same grep again afterwards to check. And cleaning the files is pointless unless steps 1 to 3 have been done first, otherwise the attacker simply logs in over FTP again and re-infects them.
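As an added example (not code from the original post, the Plesk forum or Plesk itself), here is the step-4 clean-up written out as a small script that keeps a backup of each file, copes with paths containing spaces, leaves files with a start marker but no end marker for manual inspection, and adds two post-checks: a count of files that still carry a marker and a list of recently changed files. The marker strings are the ones the post greps for; the ".infected" backup suffix, the log file argument and the "virus removed" placeholder are assumptions, and the sample input in the usage note is constructed. GNU sed is required for in-place editing, as with the original one-liner.

```shell
#!/bin/sh
# Added example, not code from the original post or from Plesk: a safer
# variant of the step-4 one-liner. The marker strings km0ae9gr6m and
# qhk6sa6g1c are the ones the post greps for; the ".infected" backup suffix,
# the log argument and the "virus removed" placeholder are assumptions.
# Needs GNU sed for in-place editing (-i), as the original one-liner did.

START_MARK='km0ae9gr6m'
END_MARK='qhk6sa6g1c'

# strip_injection FILE LOG
# Keeps a copy as FILE.infected, then replaces everything from the first
# START_MARK to the last END_MARK with "virus removed". The sed script is the
# post's: the whole file is collected in the hold space first, so an
# injection spanning several lines is removed as one block. A file that has
# the start marker but no end marker is reported and left alone, so a
# truncated injection is inspected by hand rather than half-cleaned.
strip_injection() {
    f=$1
    log=$2
    if ! grep -q "$END_MARK" "$f"; then
        printf 'SKIP (no end marker): %s\n' "$f" >&2
        return 1
    fi
    cp -p "$f" "$f.infected"
    sed -n -i '1h;1!H;${x;s/'"$START_MARK"'.*'"$END_MARK"'/virus removed/;p}' "$f"
    printf '%s\n' "$f" >> "$log"
}

# scan_and_clean ROOT LOG
# Walks ROOT (e.g. /var/www/vhosts), ignores the backups made above, cleans
# every file containing the start marker and prints how many were cleaned.
# IFS= read -r keeps paths with spaces intact (the original loop did not).
scan_and_clean() {
    root=$1
    log=$2
    find "$root" -type f ! -name '*.infected' \
        -exec grep -q "$START_MARK" {} \; -print |
    while IFS= read -r f; do
        strip_injection "$f" "$log" || true
    done
    if [ -f "$log" ]; then wc -l < "$log" | tr -d ' '; else echo 0; fi
}

# remaining_infected ROOT
# Post-check: number of files under ROOT that still carry either marker,
# backups excluded. Anything non-zero is a file the cleaner skipped.
remaining_infected() {
    find "$1" -type f ! -name '*.infected' \
        -exec grep -q -e "$START_MARK" -e "$END_MARK" {} \; -print | wc -l | tr -d ' '
}

# recently_modified ROOT DAYS
# Lists files changed in the last DAYS days. Because the payload was uploaded
# over FTP with stolen credentials, files that changed around the compromise
# but carry no marker (e.g. a dropped PHP backdoor) deserve a manual look too.
recently_modified() {
    find "$1" -type f ! -name '*.infected' -mtime -"$2"
}

# Run directly:  sh clean_runforestrun.sh /var/www/vhosts /root/infected.txt
if [ $# -eq 2 ]; then
    echo "cleaned: $(scan_and_clean "$1" "$2")"
    echo "still carrying a marker: $(remaining_infected "$1")"
fi
```

Run it against a copy of the vhosts tree first, then compare the cleaned file with its .infected backup before deleting the backups. A non-zero count from remaining_infected means a file with only one of the two markers, which should be opened by hand rather than trusted to the pattern.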