VideoGuy
I know several HTML editors have a Find-and-Replace feature, can you just use that?
neotransotaku
There is a UNIX utility called sed that can replace text in a file. Couple that with a recursive bash script and you have what you want. The only requirement is that your server allows you terminal or SSH support. How is your server set up?
— Colin —
Good thing I heard about this before going to do some maintenance there tonight...
Did you do a Google search for the string in question? I'm sure that + a quick SSH tutorial = success.
(Honestly, there should be some sort of online virus scan for websites themselves.)
neotransotaku
Posted on 10-25-09 08:22:10 AM (last edited by neotransotaku at 10-25-09 05:24 AM)
Can you post a snippet of the offending code somehow? We can then help you out with the script if we know what we want to substitute.
neotransotaku
In each directory, run the following:
for i in *.php ; do perl -pi -e "s/iframe/nulltag/g" "$i" ; done
Hopefully, you do not have too many directories. All this script does is change iframe to a dummy HTML tag, causing the tag to be ignored and not processed (therefore, no injection effects). Over time, you can remove each of the iframes as you update these pages. If you want complete removal, then I'll need to come up with something different.
neotransotaku
In each directory that contains your php files.
Do you have an SSH client such as PuTTY? Once you log in, you are given a prompt like "lem5202@pentium2-400 ~ > " and enter commands like "ls" to give a listing of the files and directories.
To change into a directory named "myfiles", you'd just type "cd myfiles" and press enter. Your prompt may change to "lem5202@pentium2-400 ~/myfiles > " to reflect which directory you are in. I'm not sure how your webserver is structured so I can't give you more specific commands.
neotransotaku
Posted on 10-26-09 05:40:45 AM (last edited by neotransotaku at 10-26-09 02:41 AM)
Regexes are nice until you have to deal with newlines... then that is where things break down. At least, that is why I didn't give yde the command to remove them completely: I couldn't get tags that span multiple lines eliminated. The /s modifier in Perl's substitution doesn't want to cooperate with the example file I was using. I mean, it should just be "s/<iframe.+>//gs", right?
groundswells
I have a friend with a DreamHost account that had all their domains hacked this same way. By any chance are you a DreamHost customer as well, and was the timestamp on the changed files 10/23 16:31? I'm not finding anything around this timestamp in the Apache logs, and nothing in the authentication logs for my user.
On the side of a solution, from a shell account in the directory you want to find the files:
find ./ -type f | while read ; do grep -l davtraff "$REPLY" ; done > davtraff.txt
cat davtraff.txt | while read ; do perl -ni.bak -e 'print unless /davtraff/;' "$REPLY" ; done
Since this line is added to the end of the file, you can whack any line with 'davtraff' (granted you don't use davtraff in your real code anywhere). The first line will find all the files with davtraff in them. The second line will take the list of files generated from the first line and then remove any line with davtraff in it, while creating a .bak backup file just in case.
If you are happy with the results you could then run:
cat davtraff.txt | while read ; do rm "$REPLY" ; done
or
cat davtraff.txt | while read ; do mv "$REPLY" ; done
groundswells
Originally posted by groundswells
If you are happy with the results you could then run:
cat davtraff.txt | while read ; do rm "${REPLY}.bak" ; done
or
cat davtraff.txt | while read ; do mv "${REPLY}.bak" ; done
Corrected that horrible last cleanup suggestion, as what is in the original post would have deleted the live corrected version.
BTW, I found my hacker. They uploaded a PHP shell program a few months ago named doc.php that was used to add that iframe line.
Swami
Use at your own risk.
Get FileZilla, install it, choose VIEW, then Filename Filters. Click "Edit Filter Rules" and make a new rule with the following options:
Filter conditions - Filter out items matching none of the following
Filename ends with .htm
Filename ends with .html
Apply the filter and you can download your entire catalog of .htm* files.
Get NoteTab Light and use the expanded trial features. Open NoteTab Light and hit CTRL+D to open the Search Text dialog. Choose the "Replace in Files" tab. Copy/paste in the offending code string into the "Find what" blank. Check the Subdirectories box. Browse to the folder where you downloaded all your .htm* files. Click Start. It will locate all files that have the bad string in them. Choose to Replace. You now have clean files.
Upload them to your server and enjoy.
Make sure you reset all your FTP account passwords prior to doing this, and back up everything!
Swami
Swami
Oh, also in the FileZilla filter, uncheck FOLDERS so that folders show up. You only want to filter FILES.
Swami