replace a specific string in a set of files

Discussion in 'Programming/Scripts' started by kvr001, Oct 15, 2010.

  1. kvr001

    kvr001 New Member

    My webbox got hacked and in all .js files I want to delete a specific string.

    The string I want to replace is the following:

    document.write('<sc'+'ript type="text/javascript" src=""></scri'+'pt>');

    I succeeded in having a complete list of files that contains this string by issuing the following command:

    grep -rl "document.write('<sc'+'ript type=\"text/javascript\" src=\"\"></scri'+'pt>');" .

    Now I want to invoke the sed command for each of the files, but there the system refuses to work because of the regular expression the 's' parameter is expecting.

    Normally the complete command would be:

    grep -rl oldstring . | xargs sed -i -e 's/oldstring/newstring/'

    But since there are a lot of non-alphanumeric chars in the "oldstring", the system refuses... any ideas to solve this?
  2. HellMind

    HellMind Member

    I'm hacked too :(
    Did you find out how the worm gained access?
    What is it called?
    Last edited: Oct 18, 2010
  3. HellMind

    HellMind Member

    This code removes the last line of every .js file that has that URL.

    files=`grep -rl "" --include='*.js' .`
    for file in $files
    do
        # drop the last line and write the result back over the file
        sed '$d' "$file" > tmp
        mv tmp "$file"
    done
  4. HellMind

    HellMind Member

    There are many other domains like chargecardsystemsla that need to be removed,
    but I still haven't discovered how the worm got in.
    I think it was a file from a crack that sniffs FTP passwords.
  5. kvr001

    kvr001 New Member

    It was indeed an attack via ftp access... probably sniffed passwords.

    I used the following commands to clean up the complete htdocs folder recursively:
    Those were the urls I found on my box... maybe other domains were also used. Via the ftp logs I found out which files were altered and from those I derived the urls.

    The command looks for files which have the url inside (grep), and then removes the line with this url from that file (sed -i -e /url/d).

    Hope this can help.

    - - - - - - - - - - - - - - - - - - - - - -

    grep -rl "" . | xargs sed -i -e /

    grep -rl "d79b570e8c8ae7c1acdea199b5d43e66" . | xargs sed -i -e /d79b570e8c8ae7c1acdea199b5d43e66/d

    grep -rl "" . | xargs sed -i -e /

    grep -rl "" . | xargs sed -i -e /

    grep -rl "c74e3e9a551334df2b26f65cbe9d27b0" . | xargs sed -i -e /c74e3e9a551334df2b26f65cbe9d27b0/d
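
An added example, not part of the thread: the grep/sed clean-up from the posts above, written so the injected string is matched literally (grep -F), which sidesteps the regex-escaping problem from the first post. The function name and the .bak suffix are choices made for this example; it refuses an empty search string because that would match every line of every file.

```shell
#!/bin/sh
# Added example: delete every line containing a literal string from *.js files.
# remove_injected_line and the .bak suffix are names chosen for this example.

# usage: remove_injected_line DIR 'literal string'
# Prints the path of each file it changed; the original is kept as FILE.bak.
remove_injected_line() {
    dir=$1
    needle=$2
    [ -n "$needle" ] || { echo "refusing empty search string" >&2; return 2; }

    # find hands file names to the inner shell as arguments, so names with
    # spaces or quotes survive (unlike an unquoted grep -l | xargs pipeline).
    find "$dir" -type f -name '*.js' -exec sh -c '
        needle=$1; shift
        for f do
            # -F: treat the needle as a fixed string, not a regular expression
            grep -qF -e "$needle" "$f" || continue
            cp -p "$f" "$f.bak" || exit 1
            # grep -v exits 1 when every line matched (empty result): still OK
            grep -vF -e "$needle" "$f.bak" > "$f"
            [ $? -le 1 ] || exit 1
            printf "%s\n" "$f"
        done
    ' sh "$needle" {} +
}
```

Review the printed list and the .bak copies before deleting the backups.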
  6. drcelus

    drcelus New Member

    Add 1 to the list of hacked sites :eek:

    The files were also uploaded via ftp.

    Just curious, which ftp software were you using?
    I wonder if the trojan seeks for a specific password file ...
    FileZilla for example stores passwords in clear text.
  7. HellMind

    HellMind Member

    I was using Total Commander.
    It stores the password encrypted in an ini file.
  8. kvr001

    kvr001 New Member

    FileZilla it was... and indeed, passwords are stored in an xml file in plain text
  9. drcelus

    drcelus New Member

    The passwords in TC are in fact obfuscated but not encrypted, and from a trojan point of view, they are as insecure as a clear text file.
  10. jammedia

    jammedia New Member


    Seems I've also been attacked!! Could you direct me a little on exactly where to add the scripts you mentioned to remove the js line? i.e where to put the commands!

    Many thanks :)
  11. drcelus

    drcelus New Member

    You must put those commands on the console.
    If you don't know what this means, you will do better restoring a full backup of the site.
    And obviously change the ftp password.

