Posted on Monday, 5th October 2009 by Michael

Years ago I was big into web hosting and was constantly offering my services to hosts to correct security issues and clean up other problems. One day I found a post where a hosting company had every .php, .html, .htm (and so on) page infected with malicious code through a security breach. After finding and securing the original breach I wrote this piece of code to go through the system, find all web-based files that contained the injected code, and remove it from the pages. I am now publishing the code on my site for others to use. (WARNING: I would not just copy and use this code without some knowledge of what it does and a backup of your system. Some tweaks may be needed for your particular issue.)

CODE:

#!/bin/sh
# Build a list of web files under /home. The first find uses > (not >>) so a
# php.txt left over from an earlier run does not pad the list with duplicates.
find /home/ -name '*.php' > php.txt
find /home/ -name '*.html' >> php.txt
find /home/ -name '*.htm' >> php.txt
# Read the list line by line; "for f in $(cat php.txt)" would split file
# names containing spaces into several bogus names.
while IFS= read -r infected
do
    # -F: match the URL as a fixed string (otherwise each "." matches any
    # character); -q: report through the exit status only.
    if grep -qF "http://www.domainstat.net/stat.php" "$infected"; then
        echo "$infected is infected now cleaning"
        # "clean" is the sed script listed below. mv replaces the original
        # file, so its owner and mode become those of the user running the
        # script; use 'cat .tmp > "$infected"' instead to keep them.
        sed -f clean "$infected" > .tmp && mv .tmp "$infected"
        echo "$infected cleaned"
    else
        echo "$infected is not infected: moving on"
    fi
done < php.txt
rm -f php.txt .tmp

Below is the sed script that the shell script reads with sed -f clean (save it as a file named clean in the directory you run the script from). It has two substitutions: the first strips the injection where it was wrapped in a PHP echo, the second strips the bare script tag:

# clean: remove the injected domainstat.net script tag
# Form 1: the tag wrapped in a PHP echo
s/< ? echo "<script language='JavaScript' type='text\/javascript' src='http:\/\/www.domainstat.net\/stat.php'>< \/script>"; ?>//
# Form 2: the bare script tag
s/<script language='JavaScript' type='text\/javascript' src='http:\/\/www.domainstat.net\/stat.php'>< \/script>//

The spaces in "< ?" and "< /script>" are most likely an artifact of how the blog renders those tags rather than part of the injected string; before relying on these patterns, grep an infected file for the exact text and make the substitution match it byte for byte. sed works line by line, so an injection that spans two lines will not be matched.

The code above is a shell script that searches /home (this was written for a cPanel server, where each account's site lives under /home/<user>/public_html; many other Linux servers keep web files under /var/www or /var/www/html, so adjust the path) for files with common web extensions. Once it has listed them in php.txt it greps each file for the injected string. If the string is found, it runs the clean sed script over the page into a temporary file and then moves the temporary file over the original. Two things to keep in mind before running it: mv replaces the file, so the cleaned page ends up owned by whoever runs the script (usually root) rather than by the account owner, which breaks per-user setups such as suPHP; writing the cleaned text back with cat .tmp > "$infected", or restoring ownership afterwards, avoids that. And the grep only finds this one injection; attackers often leave several variants, so grep the same tree for other unexpected <script src= and <iframe tags, and for PHP files in upload directories, before calling the server clean. The clean-up also only makes sense once the original breach is closed, or the pages will simply be reinfected.
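As an added example (this is not the script from the post, but the same find/grep/sed clean-up written the way I would run it on a live server today), the script below keeps a backup of every file it changes, preserves each file's owner and mode, copes with spaces in paths, and only deletes a script tag or PHP echo that actually contains the marker URL. The marker is the URL from the post; the directory layout, file names and page contents it builds for its own test run are constructed for this example.

```sh
#!/bin/sh
# Added example, not the original post's script: detect and strip an injected
# <script> tag from web files, with backups, preserved ownership and safe
# handling of odd paths. The sample tree built by make_sample_tree is
# constructed for this example only.

MARKER='http://www.domainstat.net/stat.php'                 # fixed string for grep
MARKER_RE='http:\/\/www\.domainstat\.net\/stat\.php'        # same string, escaped for sed

# Print the web files under $1 that contain the marker, one per line, sorted.
# find -print0 / xargs -0 keep paths with spaces intact; grep -lF reports each
# matching file once and treats the URL as a literal, not a regex.
find_infected() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) -print0 \
        | xargs -0 grep -lF -- "$MARKER" | sort
}

# Remove the injected tag from one file. The backup copy keeps owner, mode and
# mtime (cp -p) for forensics; the cleaned text is written back with cat > so
# the original inode, owner and mode are untouched (mv would hand the file to
# whoever runs the script, a problem on a per-user hosting box).
clean_file() {
    f=$1
    cp -p "$f" "$f.infected" || return 1
    # Two forms, as in the original clean-up: the tag wrapped in a PHP echo,
    # then the bare tag. Both patterns require the marker inside the element
    # they delete, so legitimate <?php ... ?> blocks and <script> tags survive.
    sed -e "s/<?[^?]*echo[^?]*$MARKER_RE[^?]*?>//g" \
        -e "s/<script[^>]*$MARKER_RE[^>]*><\/script>//g" "$f.infected" > "$f.tmp" || return 1
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Clean every infected file under $1 and print how many were cleaned.
# Paths are read line by line, so a newline inside a file name is the one
# case this loop does not handle.
clean_tree() {
    list=$(mktemp) || return 1
    find_infected "$1" > "$list"
    n=0
    while IFS= read -r f; do
        clean_file "$f" || { rm -f "$list"; return 1; }
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Build a small constructed site tree to run the clean-up against and print
# its path: two infected pages (one inside a directory with a space, one
# PHP-wrapped next to legitimate PHP), one clean page, and a .txt file that
# carries the marker but must be ignored because it is not a web file.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    INJ="<script language='JavaScript' type='text/javascript' src='$MARKER'></script>"
    mkdir -p "$d/public_html/with space"
    printf '%s\n' "<html><head>$INJ</head><body>hello</body></html>" > "$d/public_html/index.html"
    printf '%s\n' "<?php echo 'ok'; ?><? echo \"$INJ\"; ?>" > "$d/public_html/with space/page.php"
    printf '%s\n' '<html><body>clean</body></html>' > "$d/public_html/clean.htm"
    printf '%s\n' "$INJ" > "$d/public_html/notes.txt"
    printf '%s' "$d"
}

# Stand-alone run on the constructed tree (deleted again afterwards).
DEMO=$(make_sample_tree)
echo "infected before clean-up:"; find_infected "$DEMO"
echo "cleaned $(clean_tree "$DEMO") file(s), infected after: $(find_infected "$DEMO" | wc -l | tr -d ' ')"
rm -rf "$DEMO"
```

To use it on a real server, point find_infected and clean_tree at the web root (for example /home on a cPanel box) and review the .infected backups before deleting them; they are the only record of what the injection looked like. Writing the cleaned text back with cat rather than mv is the detail that matters most on shared hosting, because it leaves each account's files owned by that account.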

If  you have any questions or concerns please feel free to post a comment.

Posted in Code | Comments (0)
