Apr 12

Deleting malicious code from many files

Linux

When a hacker / cracker compromises a website there is usually some malicious code inserted into HTML, PHP and other files. Usually cleaning it up is a five-minute job :)

In our case, we will assume the attacker has inserted the string "<script> bla$%333%blablalalala </script>" inline, at random lines of the PHP files. Here is an example:

<?php
echo 'Supa site blabla'; <script> bla$%333%blablalalala </script>
include('hackme.php');
?>

No problem to clean this with sed and a simple regular expression:

find -name "*.php" |xargs sed -i 's/<script>.*blabla.*<\/script>//g'

First we find every PHP file and pass it to sed with xargs. Then sed looks for anything that begins with <script>, has anything inside (.*), has blabla somewhere in the middle, again has anything, and ends with </script>. The "/" has been escaped with "\", while .* means "anything".

The above will work as long as you customize it for your case: just change the script's opening and closing tags to whatever the attacker has used to begin and end his code.

In my experience I have come upon one problem with such cases: the attacker's script left a blank line between or after the malicious code. When the malicious code was inserted at the end of a PHP file, this means the file will end with an empty line after the cleanup, and you will get warnings such as "Headers already sent". In this case we have to delete the empty last line from all PHP files using this sed command:

find -name "*.php" |xargs sed -i '${/^$/d}'
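The two sed passes above, run end to end as an added example (this is not code from the post): a scratch tree of constructed PHP files is cleaned with the post's expression, using find -print0 and xargs -0 so a directory name containing a space survives, the empty last line is removed afterwards, and the run is repeated with a tighter expression, because the greedy .* also swallows a legitimate <script> tag that shares a line with the injection. It assumes GNU find, xargs, sed and grep; all file names, contents and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: the post's two sed passes over a constructed tree of PHP files.
# Assumes GNU find/xargs (-print0/-0), GNU sed (-i without suffix) and GNU grep.
set -u

# Constructed marker with the same shape as the post's example string.
MALICIOUS='<script> bla$%333%blablalalala </script>'

# Create a scratch tree of constructed sample files and print its path.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/inc" "$root/dir with space"
    # Injection inline, in the middle of the file (the post's first example).
    printf '%s\n' '<?php' "echo 'Supa site'; $MALICIOUS" "include('hackme.php');" '?>' \
        > "$root/index.php"
    # Injection appended after the closing tag: cleaning leaves an empty last
    # line behind (the "Headers already sent" case).
    printf '%s\n' '<?php' 'echo "hi";' '?>' "$MALICIOUS" > "$root/dir with space/page.php"
    # A legitimate inline script on the same line as the injection.
    printf '%s\n' '<?php' "echo '<script>var a=1;</script>'; $MALICIOUS" '?>' \
        > "$root/inc/legit.php"
    # A clean file and a non-PHP file, both of which must stay untouched.
    printf '%s\n' '<?php' 'echo "clean";' '?>' > "$root/inc/clean.php"
    printf '%s\n' "$MALICIOUS" > "$root/notes.txt"
    echo "$root"
}

# Pass 1: remove the injected string from every .php file with the given sed
# expression ($2). -print0/-0 keeps paths with spaces intact.
strip_malicious() {
    find "$1" -name '*.php' -print0 | xargs -0 sed -i "$2"
}

# Pass 2: the post's second command, drop the last line if it is empty.
drop_trailing_blank() {
    find "$1" -name '*.php' -print0 | xargs -0 sed -i '${/^$/d}'
}

# Number of .php files under $1 still containing the marker.
infected_php_count() {
    n=$(grep -rlF --include='*.php' 'blablalalala' "$1" | wc -l)
    echo $((n))
}

# Prints 1 if the last line of file $1 is empty, else 0.
ends_with_blank_line() {
    if [ -z "$(tail -n 1 "$1")" ]; then echo 1; else echo 0; fi
}

# Prints 1 if the legitimate inline script in inc/legit.php survived, else 0.
legit_script_survived() {
    if grep -qF '<script>var a=1;</script>' "$1/inc/legit.php"; then echo 1; else echo 0; fi
}

# Compare the post's greedy expression with one that cannot cross another tag.
demo() {
    greedy=$(make_tree)
    tight=$(make_tree)
    strip_malicious "$greedy" 's/<script>.*blabla.*<\/script>//g'
    strip_malicious "$tight"  's/<script>[^<]*blabla[^<]*<\/script>//g'
    drop_trailing_blank "$greedy"
    drop_trailing_blank "$tight"
    echo "greedy .*   : infected=$(infected_php_count "$greedy") legit_tag_kept=$(legit_script_survived "$greedy")"
    echo "tight [^<]* : infected=$(infected_php_count "$tight") legit_tag_kept=$(legit_script_survived "$tight")"
    rm -rf "$greedy" "$tight"
}

demo
```

Both expressions empty the tree of the marker, but only the [^<]* form leaves the page's own <script> tag alone, since it cannot run past the next tag boundary; which one is right depends on whether the injected string itself contains a "<". Either way, inspect a few cleaned files before letting the command loose on the whole tree.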

However, sometimes hackers / crackers play it hard and spread the malicious code over several lines. In this case sed would not help, because it processes the file line by line. The easiest solution is this Perl script:

$ cat multiline-replace.pl

#!/usr/bin/perl
use strict;
use warnings;

# Read the whole file named on the command line into one string,
# so that the pattern can span several lines.
my $file = $ARGV[0] or die "usage: $0 file.php\n";
open(my $in, '<', $file) or die "cannot read $file: $!";
my $input_scalar = join("", <$in>);
close($in);

# Do your substitution here. The pattern must match the injected block exactly:
# a <?php line holding the marker, one more line, then the line with the closing ?>.
$input_scalar =~ s#\<\?php.*maliciouspattern.*\n.*\n.*?>\n##ig;

# Write the cleaned contents back over the original file.
open(my $out, '>', $file) or die "cannot write $file: $!";
print $out $input_scalar;
close($out);

First, the above has been copied almost literally from linuxquestions.org. There are two important things to note about it:

\<\?php.*maliciouspattern.*\n.*\n.*?>\n is the regular expression which matches (with the escapes):

<?php maliciouspattern :)))
//I am a smart hacker, am not I ;P
?>

I have added an additional \n to the regex because otherwise it leaves a blank line :)

The next thing is that the script takes the file to clean as its first command-line argument ($ARGV[0]), one file per run. So if you'd like to run the above on all *.php scripts recursively, you should do it like this:

for i in `find -name "*.php"`; do ./multiline-replace.pl $i; done

The above runs the script file by file. It might take a bit longer, but it will not exceed the maximum length of a bash variable no matter how many files you have, nor will it cause too high a load on the server.

Hopefully this helps you fight those bad people and make the world a better place ;) Don't forget to make backups, because all kinds of crazy stuff happens ;)
