Today I had to help a client clean up the chaos caused by the Gumblar virus. It seems his root password was stolen and all of his web data was infected with injected code. The virus code snippet looks like this:

var D;if(D!='' && D!='X'){D=''};var U=new Array();var p="";function u(){var aY=new Date();

The situation: every index file, index.html or index.php, was injected. The virus code was injected on the last line of each file. After a couple of hours of browsing I didn’t find any solution to this problem, and this left me confused; it would be horrible if I had to remove the virus code one by one.

After two hours of experimenting I finally found a way to remove the virus: just use a bash script with “grep”, “find”, “cut”, “grep”, “xargs” and “sed”. 🙂
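
The post describes the tools but not the script itself, so the following is an added example (not the author's script) of one way to strip the injected last line from every index.html and index.php, using the snippet quoted above as a fixed-string signature. The function names, the backup-directory argument and the sample files are assumptions of this example, and it assumes the infected last line holds only injected code.

```shell
#!/bin/sh
# Added example. Signature is the start of the snippet quoted in the post,
# matched as a fixed string (grep -F), never as a regex.
SIG="var D;if(D!='' && D!='X'){D=''};var U=new Array();"

# clean_gumblar ROOT BACKUP_DIR   (hypothetical helper name)
# Removes the last line of every index.html / index.php under ROOT when that
# line contains SIG. The untouched original is copied to BACKUP_DIR first;
# keep BACKUP_DIR outside ROOT so saved .php sources are not web-served.
# Prints each cleaned path, one per line.
clean_gumblar() {
    find "$1" -type f \( -name index.html -o -name index.php \) -exec sh -c '
        sig=$1; bak=$2; shift 2
        for f in "$@"; do
            # Act only when the LAST line carries the signature.
            if tail -n 1 "$f" | grep -qF -e "$sig"; then
                mkdir -p "$bak/$(dirname "$f")" && cp -p "$f" "$bak/$f" || continue
                # Write back into the same file so owner and mode are kept.
                sed "\$d" "$bak/$f" > "$f" && printf "%s\n" "$f"
            fi
        done
    ' sh "$SIG" "$2" {} +
}

# make_sample DIR: builds constructed test files (not real site data).
make_sample() {
    mkdir -p "$1/blog dir"
    printf '<html>\n</html>\n%s function u(){}\n' "$SIG" > "$1/index.html"
    printf '<?php echo 1; ?>\n%s\n' "$SIG" > "$1/blog dir/index.php"
    printf '<html>clean</html>\n' > "$1/blog dir/index.html"  # must stay as is
}

# Usage: clean_gumblar /var/www /root/gumblar-quarantine
```

Because the infection here is attributed to a stolen root password, cleaned files can be re-injected until that credential is changed.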