Bash script to remove string from all text files, recursively
Hi,
sorry for bothering, I've tried to search on the forum and with Google but I haven't found anything useful; I believe it's just me that can't put 2 and 2 together.
Long story short: someone hacked my hosting space and added this code: http://pastebin.com/wqrLXUG4 in the first line of all text files (i.e. .php and not only), and I'm trying to find a way to remove it with a bash script without having to manually check every single file in my web space.
What I'd like to achieve is to run this script in the root folder of my account and make it delete this code from all text files in all the various folders and subfolders.
Unfortunately, that code is not the only thing in the first line, since it's simply appended before the text of the actual first line of the file, so I can't just remove the first line from every text file, otherwise I'll delete the good code in the first line of the file, too.
I've never really understood the syntax for regexps and I've little to no knowledge of bash scripting, so I really need help with this, thanks.
find . -type f -exec sed -i '1s#PATTERN##' "{}" \;
It would be better to replace the files from local copies. Also, determine how you are vulnerable. Permissions, remote file inclusion, configuration errors, etc.
A post at the top of the LQ Security forum has a link to a check list you should read, about how to proceed investigating the breach, and securing your site.
Last edited by jschiwal; 04-27-2012 at 12:30 AM.
Reason: matched single and double quotes.
oops ... my bad .. I simply thought the 2 might go together, ie. only look at the first line and delete if it matches the pattern. My thinking was, as opposed to your second suggestion
which might remove the first line from an unaffected file, to combine the two and delete ... obviously (now that I tested it) that does not work
Sorry OP ... ignore me ... the missus does when I am daft
find . -type f -exec sed -i '1s#PATTERN##' "{}" \;
mmm... I'm not sure I've understood this. I've replaced PATTERN with the code string, but I get an error, something like (it's in Italian, I'm translating):
sed: expression -e #1, char 7318: Previous regular expression not valid
which part of your code should I actually replace with the code string of the hack?
Quote:
Originally Posted by jschiwal
It would be better to replace the files from local copies. Also, determine how you are vulnerable. Permissions, remote file inclusion, configuration errors, etc.
A post at the top of the LQ Security forum has a link to a check list you should read, about how to proceed investigating the breach, and securing your site.
I know, and I'll surely investigate and probably replace the files, but until I find the time, I think this can be a good solution. Delete that code everywhere, and then make a search everywhere with grep or find to see if something has been left behind.
For the others: thanks, but as I said I can't just delete the first line entirely.
Could you post sample text in [code] blocks and disable url parsing in the options? The & symbol for instance is a meta-character which needs to be escaped.
Copy one of the files and test your sed command on it before using it on the server.
Because urls contain slashes, I used hashes instead. Nearly any pair of characters will work. If the url contains a hash, escape it or use something else.
I'd rather not put the sample on the forum, basically because it's very long and I don't want to mess up the thread. Anyway, you find an example of a hacked file here: http://pastebin.com/uV6JXNVb
There are no hashes or ampersands on the hack code.
Just to be more clear, what I've done is to replace your PATTERN (not the hashes, too, just PATTERN) with everything between the first <?php ?> tags, tags included.
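sed reads PATTERN as a regular expression, so a long pasted block of PHP would have to be escaped character by character before it could match. An added example (not code from the thread) that instead compares the first line against the injected text as a fixed string and strips only that prefix; the function names, the `.infected` backup suffix and the placeholder payload are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: strip a literal prefix from line 1 of every file under a tree.

# strip_prefix PAYLOAD FILE
# Returns 0 if FILE's first line began with PAYLOAD and was cleaned, else 1.
strip_prefix() {
    [ -n "$1" ] || return 1                  # an empty payload would match every file
    first=
    IFS= read -r first < "$2" || [ -n "$first" ] || return 1
    case $first in
        "$1"*) ;;                            # quoted pattern: compared literally
        *) return 1 ;;                       # first line not affected, leave file alone
    esac
    cp -p "$2" "$2.infected" || return 1     # keep the original as evidence
    tmp=$(mktemp) || return 1
    rest=${first#"$1"}                       # drop only the injected prefix
    { printf '%s\n' "$rest"; tail -n +2 "$2"; } > "$tmp" &&
        cat "$tmp" > "$2"                    # rewrite in place: owner and mode survive
    status=$?
    rm -f "$tmp"
    return "$status"
}

# clean_tree PAYLOAD_FILE ROOT
# PAYLOAD_FILE holds the injected code on a single line; keep it outside ROOT.
# Prints each cleaned path. File names containing newlines are not handled.
clean_tree() {
    payload=$(cat "$1") || return 1          # $(...) strips the trailing newline
    find "$2" -type f ! -name '*.infected' | while IFS= read -r f; do
        if strip_prefix "$payload" "$f"; then printf '%s\n' "$f"; fi
    done
}

# Constructed demo: a harmless placeholder stands in for the injected code.
# It contains characters (. [ ] * $ #) that sed would read as regex syntax
# or as its # delimiter.
demo_payload='<?php /* constructed placeholder a.b[0]*$x#d */ ?>'
demo_root=$(mktemp -d)
mkdir -p "$demo_root/site/inc"
printf '%s\n' "$demo_payload" > "$demo_root/payload.txt"
printf '%s\n' "$demo_payload"'<?php echo "home";' 'line 2' > "$demo_root/site/index.php"
printf '%s\n' '<?php echo "clean";' > "$demo_root/site/inc/ok.php"
demo_cleaned=$(clean_tree "$demo_root/payload.txt" "$demo_root/site")
printf 'cleaned: %s\n' "$demo_cleaned"
```

Run `clean_tree` against a copy of the site first, and move the `.infected` copies out of the web root once they have been reviewed.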