- 11-11-2011 #1 (Just Joined! Join Date: Feb 2009, Location: Cardiff, Posts: 6)
I have been hacked :-( Could you help with a script to clean my files.
Hi all,
I have had my website hacked and thousands of files have a script added. I have tried to remove the malicious code using a script I located online but it fails. I think the problem is due to the search string containing special characters?
Here it is, if you could help me make it work I would be very grateful.
(I have not been allowed to input the entire search string as linuxforums thinks it is an URL so I have just included one line).
Code:
#!/bin/bash
# ******************************************************************************
# find_and_replace_in_files.sh
# This script does a recursive, case sensitive directory search and replace of files
# To make a case insensitive search replace, use the -i switch in the grep call
# uses a startdirectory parameter so that you can run it outside of specified directory - else this script will modify itself!
# ******************************************************************************
# **************** Change Variables Here ************
startdirectory="/path/to/public_html/"
# A quoted here-document keeps the $, ' and " characters of the search string literal
# (inside double quotes bash expands $sessdt_k and chokes on the embedded quotes).
searchterm=$(cat <<'EOF'
setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") 
EOF
)
replaceterm=""
# sed treats . * [ ] ^ $ \ and the / delimiter as special, so escape them in the search string
escaped=$(printf '%s' "$searchterm" | sed 's|[][\\.*^$/]|\\&|g')
# **********************************************************
echo "******************************************"
echo "* Search and Replace in Files Version .1 *"
echo "******************************************"
# grep -F matches the string literally (no regex), -l lists file names only, -r recurses;
# the while/read loop copes with file names containing spaces (for ... in $(...) does not).
grep -F -l -r -- "$searchterm" "$startdirectory" |
while IFS= read -r file
do
    # g only: grep above is case sensitive, so the sed replace is kept case sensitive too
    sed -e "s/$escaped/$replaceterm/g" "$file" > /tmp/tempfile.tmp
    mv /tmp/tempfile.tmp "$file"
    echo "Modified: $file"
done
echo " *** Yay! All Done! *** "
Many thanks,
sean
- 11-11-2011 #2
Sorry to say, but this is the wrong approach.
- disconnect that machine from network
- display a maintenance page
- start analysis, how the intrusion happened
- deploy another machine in parallel
- restore config/data from backup to that new machine
- apply fix depending on your analysis
- go live
- 11-11-2011 #3
This is a webserver hosted by Bluehost in the states. I cannot disconnect from network. I cannot deploy another machine in parallel.
I HAVE displayed a maint page.
I DO know how the hack happened and the hole has been CLOSED.
All I need to do is remove the malicious code from the files before I 'go live'
This is very easy when you know how, clearly we do not know how but hopefully someone will be along who does.
- 11-11-2011 #4
It is your decision how to drive this of course.
First things that come to mind to restore the files to a previous, untainted state:
- backup
- version control (if svn/git/<whatever> is/was in place)
- 11-11-2011 #5
Great - thanks for that.
Anyone else reading, I would be very grateful if you can help with the script.
- 11-11-2011 #6
It's difficult for me to know how to do your task, as I don't know what makes the malicious code in your webpages unique. If those lines contain some unique pattern then you can easily remove those lines from the webpages.
Something like this will find all files under /tmp/public_html, and remove the lines containing the pattern you specify from it. There's no undoing, so only point it at copies of the original files and convince yourself it does what you want.
Note that the regex /pattern/ can't deal with patterns spanning multiple lines (well, not without difficulty) and that many non-alphanumeric characters mean something special inside the regex.
Code:
cp -r /path/to/public_html /tmp
find /tmp/public_html -type f -exec sed -i '/pattern/d' {} \;
So, if for example this: 'sessdt_k' is unique as pattern on all lines of the malicious code, then you can use that as pattern.
If it's more difficult, for example when the malicious code spans multiple lines and doesn't have a unique pattern in each and all of them, then you'll perhaps need some help in creating the correct pattern.
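An added example, not from the thread, that carries out the line-deletion approach from post #6 while handling the two snags raised in posts #1 and #6: the marker is matched as a fixed string (grep -F), so the regex special characters in the injected code do not matter, and it works on a copy, keeps a backup of every file it touches, and counts what is left so the result can be checked before going live. The marker, the sample files and the directory names are constructed for this example; the injected fragment is the one quoted in post #1.

```shell
#!/bin/sh
# Added example, not from the thread: fixed-string line removal with backups and
# a before/after count. Marker and sample files are constructed for this example.

# Substring present on every injected line; its regex metacharacters are harmless
# because grep -F treats the pattern literally.
MARKER='if($_COOKIE[$sessdt_k]=="102")'

# The injected fragment quoted in post #1, reused here as a constructed sample line.
INJECTED=$(cat <<'EOF'
setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102")
EOF
)

# Lists every file under $1 that contains the marker, one path per line.
infected_files() { grep -F -l -r -- "$MARKER" "$1"; }

# Number of files under $1 still containing the marker (0 once the tree is clean).
count_infected() { infected_files "$1" | wc -l | tr -d ' '; }

# Deletes the marked lines from every infected file under $1 after copying the
# original into $2; prints the number of files changed. Line deletion only works
# when each injected line carries the marker (the multi-line caveat in post #6).
clean_tree() {
    dir=$1; bakdir=$2; n=0
    mkdir -p "$bakdir"
    list=$(mktemp)
    infected_files "$dir" > "$list" || [ $? -eq 1 ]   # grep exit 1 = no matches, not an error
    while IFS= read -r file; do                        # IFS= and -r keep paths with spaces intact
        n=$((n + 1))
        cp -p -- "$file" "$bakdir/$(basename "$file").$n"
        # grep -v exits 1 when nothing is left to print (whole file was injected); 2 is a real error
        grep -F -v -- "$MARKER" "$file" > "$file.tmp" || [ $? -eq 1 ]
        cat "$file.tmp" > "$file"                      # write in place so mode and owner survive
        rm -f -- "$file.tmp"
    done < "$list"
    rm -f -- "$list"
    echo "$n"
}

# Builds a throwaway "site": two infected files (one in a directory with a space
# in its name) and one clean file. Prints the temp root.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/site/sub dir"
    printf '%s\n' '<?php' 'echo "clean";' > "$root/site/clean.php"
    printf '%s\n' '<?php' "$INJECTED" 'echo "index";' > "$root/site/index.php"
    printf '%s\n' "$INJECTED" '<html>' > "$root/site/sub dir/page.html"
    echo "$root"
}
```

Run clean_tree against a copy of public_html, then compare count_infected on the copy (should be 0) and on the backup directory before swapping the copy in.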
- 11-11-2011 #7
I am a newbie to Linux (20+ years in IS - mainframes, servers, PCs, LAN).
Freston makes a great point. "What makes malicious code unique". My approach would be "chkrootkit" or something similar to find if a full malicious package has been deployed, and if so - which one. Then go about the cleanup. You can spend 1000 hours chasing needles in a haystack, and not find them all.
Else, you should make everybody aware that they will be experiencing some downtime and go with Irithor's advice. In such a critical position how could you not do adequate backup? (no swearing please).
Basically, what you need is the ability to deploy a backup domain controller. This is where Windows Networking (not desktop), is superior.
- 11-12-2011 #8 (Just Joined! Join Date: Sep 2011, Posts: 5)
Is it a VPS or a dedicated server or just a shared hosting domain?
- 11-14-2011 #9
Honestly, doing a full backup and then formatting and reinstalling is the easiest and fastest approach. You would have the server offline for 20 - 30 minutes. I think that's a safer route than continuing to try to make your own script to check where the problem is.
If that's not an option then you should immediately run:
a. anti-virus
b. root kit checker/fixer
I don't get why you'd want to make your own script when there are already so many pieces of software out there. Also by "hacked" do you mean you've had code injected into your code? Do you not have any backups of your code that you can revert to?