
I often have problems with sites that get hacked. Usually they end up with an inserted script in different files. Is there a way, on Linux, to search for this content and automatically delete it? Usually this content starts with, and ends with, something like this.

<!--2d3965--><script type="text/javascript" language="javascript">
</script><!--/2d3965-->

Would it be possible to use some kind of combination of grep to search for files containing this content and then piping it to sed to delete everything from

to

Pracovek

2 Answers


I wrote such a script; it could be useful.

#!/usr/bin/env python
import os
import sys

# Markers that delimit the injected block (taken from the question).
BEGIN = '<!--2d3965-->'
END = '<!--/2d3965-->'

for infile in sys.argv[1:]:
    print(infile)
    filetmp = infile + '.tmp'
    skip = False

    # Copy the file line by line, dropping everything between the markers.
    with open(infile, 'r') as f, open(filetmp, 'w') as ftmp:
        for line in f:
            if BEGIN in line:
                # keep whatever precedes the begin marker on this line
                ftmp.write(line.partition(BEGIN)[0])
                skip = True
            if END in line:
                # keep whatever follows the end marker on this line
                ftmp.write(line.partition(END)[2])
                skip = False
            elif not skip:
                ftmp.write(line)
    # you can add safety checks here
    os.rename(filetmp, infile)

You should give:

  1. the filename containing the virus
  2. the string that marks the beginning of the virus
  3. the string that marks the end of the virus

Don't forget to change permissions back, if the file requires it. By the way, I think it's applicable only to text files.

Please test it, and backup before using.

Use it in this way:

python cleaner.py index.html js/jquery.js
B14D3
sergres
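The answer's script works a line at a time, replaces the file with a fresh one (so the original permissions are lost, as noted above) and deletes to end of file if the end marker is ever missing. The following is an added example, not the answer's code, showing a Python 3 variant that removes each begin..end span with a single non-greedy regex (so spans crossing lines or sharing a line with legitimate markup are handled), refuses to delete past a dangling begin marker, keeps the file mode and writes a .bak copy first. The marker pair is the one quoted in the question; SAMPLE is a constructed input, not taken from any real site.

```python
#!/usr/bin/env python3
import os
import re
import shutil
import sys

# Marker pair quoted in the question.
BEGIN = "<!--2d3965-->"
END = "<!--/2d3965-->"

# Constructed sample: legitimate markup shares lines with the injected block.
SAMPLE = ('<p>ok</p><!--2d3965--><script type="text/javascript">\n'
          'placeholder();\n'
          '</script><!--/2d3965--><p>more</p>\n')


def strip_injection(text, begin=BEGIN, end=END):
    """Return (cleaned, removed_count, dangling).
    A non-greedy DOTALL match drops each begin..end span, even one that spans
    lines, and leaves text between two spans intact. A begin marker with no
    matching end is left in place (dangling=True) rather than deleting to EOF."""
    pattern = re.compile(re.escape(begin) + r".*?" + re.escape(end), re.DOTALL)
    cleaned, count = pattern.subn("", text)
    return cleaned, count, begin in cleaned


def clean_file(path, begin=BEGIN, end=END):
    """Rewrite path in place; return the number of spans removed."""
    # surrogateescape + newline="" round-trip odd bytes and CRLF unchanged
    with open(path, encoding="utf-8", errors="surrogateescape", newline="") as f:
        original = f.read()
    cleaned, count, dangling = strip_injection(original, begin, end)
    if dangling:
        print(f"{path}: begin marker without end, left as is", file=sys.stderr)
    if count == 0:
        return 0
    shutil.copy2(path, path + ".bak")      # backup keeps mode and mtime
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8", errors="surrogateescape", newline="") as f:
        f.write(cleaned)
    shutil.copymode(path, tmp)             # keep the original permissions
    os.replace(tmp, path)                  # atomic swap on POSIX
    return count


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(strip_injection(SAMPLE)[0])  # demo on the constructed sample
    for target in sys.argv[1:]:
        print(f"{target}: removed {clean_file(target)} block(s)")
```

Run it as `python3 cleaner.py index.html js/jquery.js`; the .bak files let you diff what was removed before trusting the result.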

I would add these files into Subversion or git and automatically compare the official version of these files with the files on the sites on a regular basis. If you see a difference, you know you have been hacked and can search for the leak. Meanwhile, you can then restore the original file from the versioning tool.

Hartmut
  • Unfortunately I don't think this would work since I have a webhosting server with a lot of users. I would need to add all client websites to git for this to work, and users usually change their files too. :( – Pracovek Sep 10 '13 at 09:40
  • Then how do you know what's legitimate and what isn't? Could your clients add the correct files into git? The advantage for them would be that they could also roll back if something bad happens. – Hartmut Sep 10 '13 at 09:46