On Fri, 05 May 2006 15:12:59 +0100, Roy Schestowitz
<newsgroups@xxxxxxxxxxxxxxx> wrote:
>__/ [ Ray E. ] on Friday 05 May 2006 15:02 \__
>
>> A gaming site that runs phpnuke got hacked. They were not up to patch
>> on some of the modules.
>>
>> The hack inserted one line of code that opens an iframe linking to a
>> pay-per-view ad service. The hacker gets $.05 for every page view.
>>
>> Anyway, the line was added to the bottom of every index.html and
>> index.php file in every directory on the server. There are over 1800
>> directories affected.
>>
>> Does anybody know where I can get a script that will browse every
>> directory and remove every line of offending code? They do have ssh
>> access to the server.
>>
>> Thanks,
>>
>> -Ray
>
>Hi,
>
>Is there any pattern that precedes the stuff that needs to be removed?

Yes, this is the line of code inserted into every index.html and .php:
"<html><iframe src=http://neoffic.com/t/?id=roberto width=0 Sheight=0
frameborder=0 Sscrolling=no></iframe></html>"

>Regardless:
>
>Put the following file in a given directory (let us assume the top level of
>your home directory):
>
>,----[ global ]
>| #!/bin/sh
>| # global - execute command in all subdirectories
>|
>| exec 3<&0                    # save standard input
>| find . -type d -print |      # print all directory names
>| while IFS= read -r dirname
>| do
>|     (cd "$dirname" || exit   # skip directories that cannot be entered
>|      exec 0<&3               # restore standard input
>|      "$@"                    # run command
>|     )
>| done
>| exec 3<&-                    # close file descriptor
>`----
>
>Now run:
>
>,----[ Command ]
>| chmod 755 ~/global
>`----
>
>Create yet another file:
>
>,----[ remove-junk ]
>| #!/bin/sh
>| # Remove junk
>|
>| find . -maxdepth 1 -type f -name '*.html' -print |  # print all filenames
>| while IFS= read -r filename
>| do
>|     (
>|      # write the filtered copy to a temporary file, then
>|      # replace the original with it only if sed succeeded
>|      sed 's/[JUNK]/ /i;' "$filename" >"$filename.xxxxx" &&
>|          mv "$filename.xxxxx" "$filename"
>|     )
>| done
>`----
>
>Replace [JUNK] with what you wish to throw away and again:
>
>,----[ Command ]
>| chmod 755 ~/remove-junk
>`----
>
>Go to the parent directory of where the site or its mirror resides. Execute:
>
>,----[ Command ]
>| ~/global ~/remove-junk
>`----
>
>Notes:
>
> * handles the .html suffix only (modify to generalise)
> * ensure pattern does not match any other code which you do not wish
> to have removed.
>
>
>Hope it helps,
>
>Roy
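
An added example (not code from either poster): a POSIX sh cleanup that matches the injected line by a literal substring instead of a regex, covers both index.html and index.php, and keeps a copy of every file it changes. The function names, the `.infected` backup suffix and the choice of marker substring are assumptions of this example.

```shell
#!/bin/sh
# Added example: strip the injected iframe line from index.html / index.php.
# MARKER is a substring of the line quoted in the thread; it is matched
# literally (grep -F), so '.' and '?' are not treated as regex operators.
MARKER='neoffic.com/t/?id=roberto'

# clean_file FILE (hypothetical helper): remove every line containing MARKER.
# The untouched original is kept as FILE.infected for later review.
clean_file() {
    grep -qF -- "$MARKER" "$1" || return 0      # no marker: leave file alone
    cp -p -- "$1" "$1.infected" || return 1
    # grep -v exits 1 when nothing is left (file held only the injected
    # line); that is a valid result, only status 2 and above is an error.
    grep -vF -- "$MARKER" "$1.infected" >"$1.tmp" || [ $? -eq 1 ] ||
        { rm -f -- "$1.tmp"; return 1; }
    # cat into the existing file so its owner and mode stay as they were
    cat -- "$1.tmp" >"$1" || return 1
    rm -f -- "$1.tmp"
    printf 'cleaned: %s\n' "$1"
}

# clean_tree ROOT (hypothetical helper): visit every index.html / index.php
# below ROOT. Assumes no path contains a newline.
clean_tree() {
    find "$1" -type f \( -name index.html -o -name index.php \) -print |
    while IFS= read -r f; do
        clean_file "$f"
    done
}

# Run as: sh clean.sh /path/to/docroot   (file name is a placeholder)
if [ $# -gt 0 ]; then clean_tree "$1"; fi
```

The `.infected` copies sit inside the web root, so move or delete them once the cleaned files have been checked.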