Recently I had to clean a website infected by the c3284d virus.

I don’t have found much documentation about this virus, however it’s seems to me much a trojan infecting websites through grabbed FTP accounts instead a virus.

In my case I had only HTML files infected, with the javascript malicious code (no PHP, htaccess, etc…).

Anyway, to mass remove all the mess with one command, with the power of SED, go to the root of your infected website and run this command:

grep -lr --include=*.html "c3284d" * | xargs sed -i.bak -n '1h; 1!H; ${g; s/[^!]*//g; p;}'

This handy snippet will replace all the code (single and multi-line) between the tags “<!–c3284d–>” and “<!–/c3284d–>” with nothing. It will make also a backup copy of the infected file (the same name with the .bak extension) recursively.

😉


1 Comment

Ben Racicot · September 9, 2013 at 22:07

Hello, This was great info. I do believe the attack continues to come back after it has been removed this way. I will comment if my attack persists. Also this site was very helpful with logging info with this attack http://stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html

Leave a Reply

Your email address will not be published. Required fields are marked *