  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 583

Regex to remove certain lines from files

My friend's website was infected with malware.

I need a regex to get rid of this line--
<!--c3284d-->MALWARE CODING HERE<!--/c3284d-->

MALWARE CODING HERE is obviously different on each file, but there is always a beginning and ending malware coding starting with <!--c3284d--> and ending with <!--/c3284d-->


However, there are a couple more types I've seen:

/*c3284d*/
malware coding here
/*/c3284d*/

and

#c3284d#
malware coding here
#/c3284d#


as well. Could anyone assist with a regex that can remove anything in these three, including the actual <!--c3284d--><!--/c3284d--> etc for example?

Thanks!
Valleriani
Asked:
Terry Woods (IT Guru) commented:
Which operating system are you using? In my experience Perl in a *nix environment is the easiest way to do substitutions on multiple files.
 
Terry Woods (IT Guru) commented:
Warning: before doing any of this, please make a backup of your files!

This worked for me in testing (in Debian Linux). The command just prints out what you want the file contents to be, so doesn't actually change anything permanently (you can use this for testing).

perl -p0777 -e 's/<!--c3284d-->.*?<!--\/c3284d-->|\/\*c3284d\*\/.*?\/\*\/c3284d\*\/|#c3284d#.*?#\/c3284d#//sg' target_file.html


To actually change the file permanently, just add a -i parameter:
perl -p0777 -i -e 's/<!--c3284d-->.*?<!--\/c3284d-->|\/\*c3284d\*\/.*?\/\*\/c3284d\*\/|#c3284d#.*?#\/c3284d#//sg' target_file.html


I've just targeted a single file target_file.html but you can target more files within the same dir by using *.php or similar.
 
Valleriani (Author) commented:
One question: is there a way to use it from more than just the same dir? It works GREAT on files though in the dir.
 
Terry Woods (IT Guru) commented:
If you don't have spaces in the filenames or directories, then you could use a find command like this:
perl -p0777 -e 's/<!--c3284d-->.*?<!--\/c3284d-->|\/\*c3284d\*\/.*?\/\*\/c3284d\*\/|#c3284d#.*?#\/c3284d#//sg' `find . -name "*.html"`


When I have spaces in files/directories, I tend to use this format for the command (eg for chmod):
find . -name "*.html" -exec chmod g+w {} \;


Using that technique with perl gives this command:
find . -name "*.html" -exec perl -p0777 -e 's/<!--c3284d-->.*?<!--\/c3284d-->|\/\*c3284d\*\/.*?\/\*\/c3284d\*\/|#c3284d#.*?#\/c3284d#//sg' {} \;


It seemed to work ok in my testing. You just need to modify the parameters to the find command to target the files you want, and add the -i parameter to perl to commit the changes.
 
Valleriani (Author) commented:
You just saved me hours of malware coding removal manually, and I am greatly thankful for the code!
 
Terry Woods (IT Guru) commented:
Thanks for the points, and I'm really glad you had Linux to work in (Windows isn't nearly as friendly when it comes to solving these issues)!

If you haven't already, you might also like to try running a search something like this to pick up any tag types you might've missed:
find . -name "*.html" -exec grep -H c3284d {} \;
 
Valleriani (Author) commented:
Ahh that is a great idea too, just to make sure I got it all.

Thanks mate!