  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 318

using grep and awk to do a global replace how do I do this? NEED HELP ASAP 500 pts

I have had an exploit get loaded to all my web page documents.
Step57 has put an iframe on all my pages.
If I do this grep command:
 grep -rl "step57" *

It will return all the pages with this in it.

How can I do the grep using awk or something like it to remove the iframe line?

NEED HELP ASAP
0
jbrashear72
Asked:
1 Solution
 
pjedmond Commented:
Nice:)

OK - this one is a job for sed - e.g.:

 # substitute (find and replace) "foo" with "bar" on each line
 sed 's/foo/bar/'             # replaces only 1st instance in a line
 sed 's/foo/bar/4'            # replaces only 4th instance in a line
 sed 's/foo/bar/g'            # replaces ALL instances in a line
 sed 's/\(.*\)foo\(.*foo\)/\1bar\2/' # replace the next-to-last case
 sed 's/\(.*\)foo/\1bar/'            # replace only the last case

 # substitute "foo" with "bar" ONLY for lines which contain "baz"
 sed '/baz/s/foo/bar/g'

 # substitute "foo" with "bar" EXCEPT for lines which contain "baz"
 sed '/baz/!s/foo/bar/g'

Look here for other examples:

http://www.student.northpark.edu/pemente/sed/sed1line.txt

......but we need to send all the html files through sed .....so

find /var/www/html | grep "\.html$" | gawk '{print "sed /baz/!s/foo/bar/g " $0 " > /newfolder" $0}'

should print out a list of the commands that we want to run....

Basically, it finds all the files that end with .html, and then carries out whatever sed translation you want on the files to remove the 'frame', and then copies the resulting output to another folder (the same folder directory, just preceded by /newfolder).

But...at the moment this does not run the commands. In order to do that, you | the commands to a shell (after testing the commands to see that they are exactly what you want):

find /var/www/html | grep "\.html$" | gawk '{print "sed /baz/!s/foo/bar/g " $0 " > /newfolder" $0}' | /bin/bash

...and there you go!

You will then need to build up a similar command to move all of the correctly modified files (after checking) and overwrite the corrupted files. Something similar to:

mv /newfolder /www

find /www | grep "\.html$" | gawk '{print "mv " $0 " /var" $0}' | /bin/bash

should do the job:) Remember to check results carefully for one line first before running against all your files, AND make a backup before you do anything that you are worried about! You need to look at the examples, and the line structure in the infected html, and find an appropriate sed construction to do what you want.

HTH:)



0
 
jbrashear72 Author Commented:
Is there a shorter answer?
0
 
pjedmond Commented:
If you read through it carefully, you'll see that the majority is explanation. All you need is:

find /var/www/html | grep "\.html$" | gawk '{print "sed /step57/d " $0 " > /newfolder" $0}' | /bin/bash

scan all .html files and delete the line containing step57, and copy the resulting file to /newfolder

find /newfolder | grep "\.html$" | gawk '{dest=$0; sub(/^\/newfolder/, "", dest); print "mv " $0 " " dest}' | /bin/bash

Copy the corrected files over the old corrupted ones. (2 lines  :)   )

Obviously make a backup before trying this:)

HTH:)



0
 
pjedmond Commented:
Obviously correct the folders to put the new files where you want them, or set to over-write the originals. This may depend on your distribution. The above was for a RHEL server.
0
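
A variant of the clean-up discussed in this thread, as an added example that is not part of any poster's answer: it passes file names to the tools as arguments instead of printing command text for /bin/bash, so names containing spaces or shell metacharacters cannot alter the commands, and it keeps each original under a backup directory. The function names, the backup layout and the sample iframe line are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Assumptions: MARKER is a fixed string (not a regex) and
# BACKUP lies outside ROOT. File names are only ever passed as arguments,
# never pasted into generated command text.

# clean_tree ROOT MARKER BACKUP
# For every *.html under ROOT containing MARKER: copy the original to
# BACKUP/<path>, then rewrite the file in place without the matching lines.
clean_tree() {
    find "$1" -type f -name '*.html' -exec sh -c '
        marker=$1 backup=$2; shift 2
        for f in "$@"; do
            grep -qF -- "$marker" "$f" || continue   # not affected, skip
            dst=$backup/$f
            mkdir -p -- "$(dirname -- "$dst")" || exit 1
            cp -p -- "$f" "$dst" || exit 1           # keep the infected copy
            # grep -v exits 1 when every line matched; only >1 is an error
            grep -vF -- "$marker" "$dst" > "$f" || [ $? -eq 1 ] || exit 1
            printf "cleaned: %s\n" "$f"
        done
    ' sh "$2" "$3" {} +
}

# remaining ROOT MARKER: count of *.html files under ROOT still containing MARKER
remaining() {
    find "$1" -type f -name '*.html' -exec grep -lF -- "$2" {} + | wc -l | tr -d ' '
}

# make_sample ROOT: constructed test tree (one infected file with an awkward
# name, one clean file); the iframe line is invented for this example.
make_sample() {
    mkdir -p "$1/sub dir"
    printf '%s\n' '<p>hello</p>' '<iframe src="http://step57.invalid/"></iframe>' \
        '<p>bye</p>' > "$1/sub dir/a; b.html"
    printf '%s\n' '<p>clean</p>' > "$1/ok.html"
}

# Usage: sh clean.sh /var/www/html step57 /root/infected-backup
if [ "$#" -eq 3 ]; then
    clean_tree "$@"
fi
```

Deleting whole lines also drops any legitimate markup that shares a line with the iframe, so diff a cleaned file against its backup copy before trusting the result.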
