Some stupid monkeys wasted their and my time infecting one of our websites. Now, it seems that the website has been compromised via ftp and a whole bunch of files have been infected. Having changed the ftp credentials, my idea now was to run find and sed to get rid of the code:

find . -type f -exec sed -i 's/term-to-search-for//g' {} \;

Now I need some help with the regex. The script starts with <script> then there is some JS-code, then there's always a variable called egbserb (which is never used elsewhere) and there's the closing tag (</script>). Two questions:

  1. This is what I tried: script*egbserb*script (keep it stupid simple), but it didn't work out.
  2. If the code is written over more lines, how would I have to write the regex then?

Thanks a lot in advance!

Isaac
Jan
  • Can you give sample line(s) that you want to remove? – Nehal Dattani Oct 16 '12 at 20:21
  • Can't you go back to your version control system and recreate the site from that? – Jonathan Leffler Oct 16 '12 at 20:22
  • Nope as the backups seem to be infected as well (in fact, they are). – Jan Oct 16 '12 at 20:23
  • I don't want to post the code here but it can be found as a text file at https://paywithasocialpost.com/repair/monkey-code.txt – Jan Oct 16 '12 at 20:25
  • This gets asked several times each month here. Unfortunately the descriptions are all unique, but many people hope to use sed. Search here and maybe you'll luck out. Basically it's really, really hard. Perl makes it a little easier. Good luck. – shellter Oct 16 '12 at 21:20
  • `paywithasocialpost.com contains malware`. Can you upload a clean, safe example/sample file to something like [dropbox](https://www.dropbox.com/) or [mediafire](http://www.mediafire.com/)? – Steve Oct 16 '12 at 22:49
  • possible duplicate of [Clean server infected with c3284d virus, using search and replace](http://stackoverflow.com/questions/11490744/clean-server-infected-with-c3284d-virus-using-search-and-replace) – tripleee Jan 08 '13 at 10:08

2 Answers


The following should help you. (Assumption: I am working on the test_regex file.)

# blank every line that mentions the marker variable
# (note: the question spells it "egbserb"; match whatever the infected files contain)
sed -r -i "s/.*ebgserb.*//g" test_regex
# blank every line that contains split("&&")
sed -r -i "s/.*split\(\"\&\&\"\).*//g" test_regex
Nehal Dattani

I faced a similar issue and I used this successfully. You can use this Perl script:

#!/usr/bin/perl
# Drop every <script>...</script> block that contains the marker variable
# "ebgserb" (the question spells it "egbserb"; use whichever the infected
# files actually contain). Reads the file named on the command line
# (default: temp) and prints the cleaned content to STDOUT.
use strict;
use warnings;

my $file = shift @ARGV // 'temp';
open(my $fh, '<', $file) or die "Cannot open $file: $!";

my @arr;          # lines kept so far
my $start;        # index in @arr of the most recent <script> line
my $flag = 1;     # 1 = keep lines, 0 = inside a block being discarded

while (my $line = <$fh>) {
    push @arr, $line if $flag != 0;
    if ($line =~ /<script>/) {
        $start = scalar(@arr) - 1;
    }
    if ($line =~ /ebgserb/ && defined $start) {
        # remove everything from the opening <script> line to this line
        # (splice removes the elements outright instead of undef-ing them)
        splice @arr, $start;
        undef $start;
        $flag = 0;             # skip lines until the closing tag
    }
    if ($line =~ /<\/script>/) {
        $flag = 1;
    }
}
close($fh);
print @arr;                    # no quotes: "@arr" would join lines with spaces
halfer
Vijay
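Added example, not from the question or either answer: the question's second point (the injected block spanning several lines) is where the line-by-line sed approach breaks down, so this Python script removes only those <script>...</script> blocks that contain the marker, across line breaks, and leaves legitimate scripts alone. The marker spelling, the sample HTML and the clean_file helper are assumptions/constructed for illustration.

```python
import re
import shutil

# The question's spelling of the marker variable; both answers use "ebgserb".
MARKER = "egbserb"

def build_pattern(marker: str) -> re.Pattern:
    # One <script ...>...</script> block that mentions the marker inside it.
    # The tempered repeat (?:(?!</script>).)*? keeps a match from running on
    # into the next, legitimate script block; re.S lets "." cross line breaks.
    return re.compile(
        r"<script\b[^>]*>(?:(?!</script>).)*?" + re.escape(marker)
        + r"(?:(?!</script>).)*?</script>[ \t]*\n?",
        re.S | re.I,
    )

def strip_injected_scripts(html: str, marker: str = MARKER) -> tuple[str, int]:
    """Return (cleaned html, number of script blocks removed)."""
    return build_pattern(marker).subn("", html)

def clean_file(path: str, marker: str = MARKER, dry_run: bool = True) -> int:
    """Report how many blocks a file contains; rewrite it only when
    dry_run is False, keeping the untouched original as <path>.bak."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        original = fh.read()
    cleaned, count = strip_injected_scripts(original, marker)
    if count and not dry_run:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
            fh.write(cleaned)
    return count

# Constructed sample: one injected block on a single line, one spread over
# several lines, and two legitimate script tags that must survive.
SAMPLE = """<html><head>
<script src="/js/site.js"></script>
<script>var a=1;var egbserb="x";document.write(a);</script>
</head><body>
<p>Hello</p>
<script>
var b = "&&";
var egbserb = b.split("&&");
eval(egbserb[0]);
</script>
<script>console.log("legit, must stay");</script>
</body></html>
"""
```

Run clean_file() with dry_run=True over the tree first to see how many files and blocks would change before rewriting anything.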