Re: Need to remove line of code from 1800+ files

[Ray E. <rescamilla@xxxxxxxxxxxxxxxxxxxxxxxx>]

On Fri, 05 May 2006 15:12:59 +0100, Roy Schestowitz
<newsgroups@xxxxxxxxxxxxxxx> wrote:

>__/ [ Ray E. ] on Friday 05 May 2006 15:02 \__
>
>> A gaming site that runs phpnuke got hacked. They were not up to patch
>> on some of the modules.
>> 
>> The hack inserted one line of code that opens an iframe linking to a
>> pay-per-view ad service. The hacker gets $.05 for every page view.
>> 
>> Anyway, the line was added to the bottom of every index.html and
>> index.php file in every directory on the server. There are over 1800
>> directories affected.
>> 
>> Does anybody know where I can get a script that will browse every
>> directory and remove every line of offending code? They do have ssh
>> access to the server.
>> 
>> Thanks,
>> 
>> -Ray
>
>Hi,
>
>Is there any pattern that precedes the stuff that needs to be removed?

Yes, this is the line of code inserted into every index.html and .php:
"<html><iframe src=http://neoffic.com/t/?id=roberto width=0 Sheight=0
frameborder=0 Sscrolling=no></iframe></html>"

>Regardless:
>
>Put the following file in a given directory (let us assume the top level of
>your home directory):
>
>,----[ global ]
>|         # global - execute command in all subdirectories
>| 
>|         exec 3<&0               # save standard input
>|         find . -type d -print | # print all directory names
>|             while read dirname
>|             do
>|                 (cd $dirname
>|                 exec 0<&3       # restore standard input
>|                 "$@"            # run command
>|                 )
>|             done
>|         exec 3<&-               # close file descriptor
>`----
>
>Now run:
>
>,----[ Command ]
>| chmod 755 ~/global
>`----
>
>Create yet another file:
>
>,----[ remove-junk ]
>| # Remove junk
>| 
>|         find . -maxdepth 1 -type f -name '*.html' -print |
>|           while read filename
>|           do # print all filenames
>|                 (
>|                 sed 's/[JUNK]/ /i;' $filename >$filename.xxxxx
>|                 mv $filename.xxxxx $filename
>|                 # replace output files with original
>|                 )
>|         done
>`----
>
>Replace [JUNK] with what you wish to throw away and again:
>
>,----[ Command ]
>| chmod 755 ~/global
>`----
>
>Go to the parent directory of where the site or its mirror resides. Execute:
>
>,----[ Command ]
>| ~/global ~/remove-junk
>`----
>
>Notes:
>
>        * handles the .html suffix only (modify to generalise)
>        * ensure pattern does not match any other code which you do not wish
>          to have removed.
>
>
>Hope it helps,
>
>Roy