thousands of files have a malicious script added inside PHP files. I have tried to remove the code
I hope you took measures to prevent that from happening again. Plugging holes should start by finding out how the culprit came in (stolen FTP credentials, SSH brute forcing lame password) or how else the abuse could have happened (lackadaisical access permissions, vulnerable software versions) and could mean installing the newest version of any shopping cart, web log, statistics, web site, forum or plugin or other software in your web stack you use, and removing versions (and installation files) of software that is no longer maintained by its developers. (And if your "thousands of files" are the result of self-coded work then consider using a tool that is safe to use instead.) If you have not done any of the above then I suggest you do that before thinking about trying to revert back changes. If holes are left unplugged chances are those malicious changes will be back before you can say " *** Yay! All Done! *** ".
Quote:
Originally Posted by seabro
I think the problem is due to use of special characters in the string I am searching for.
While we can't have members post malicious code here, I wouldn't mind you passing it on to me via email. But code excerpt only please. If you manage to blithely send me a complete web page with like 1 line of malicious script code you simply won't get any reply back.
Hi,
The problem was with an old piece of gallery software I no longer use. It has since been removed.
The code is shown in my original post although that is not the only part of the attack. I had some tmp_xxxx.php files created and modifications to .htaccess.
The problem has been plugged, I just need to clean my .php files now.
Quote:
Originally Posted by seabro
The problem was with an old piece of gallery software I no longer use. It has since been removed.
Good, good.
Quote:
Originally Posted by seabro
The code is shown in my original post
No, I meant the code that latched itself onto your PHP files. Although the "for" loop part could use some work as there's no need for temp files or a replacement string, and a "while" loop works better if there are any spaces in file names:
Code:
# list every file under $startdirectory containing $searchterm, then strip the term in place;
# IFS= and read -r keep file names with spaces or backslashes intact
grep -l -R -- "$searchterm" "$startdirectory" 2>/dev/null | while IFS= read -r ITEM; do sed -i "s|$searchterm||ig" "${ITEM}"; done
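Seabro's quoted remark about special characters is the usual failure of the grep/sed loop above: the injected snippet is fed to both tools as a regular expression, so any `.`, `*`, `[`, `$` or `/` in it changes what is matched. The script below is an added example written for this thread, not unSpawn's or seabro's code. It escapes the injected string so sed matches it literally, uses `grep -F` for the same reason, restricts the sweep to `*.php`, and copies each file somewhere outside the web root before editing it so the originals survive for analysis and rollback. It assumes GNU grep and GNU sed; the marker string `INJ` and the sample files are constructed for the demo, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not code from this thread). Removes one known injected string from every
# PHP file under a web root, matching it literally so that regex metacharacters in the
# injected code do not break grep or sed. Assumes GNU grep and GNU sed (for --include and -i).
# The marker string and the sample files below are constructed for the demo.
set -u

# Stand-in for the injected snippet: constructed, deliberately full of regex metacharacters.
INJ='<script>/* CONSTRUCTED marker [v1.0] $x=a*b */</script>'

# Escape the BRE metacharacters \ / $ * . ^ [ so sed treats "$1" as a literal string
# (a plain ']' outside a bracket expression is already literal). Single-line strings only.
escape_for_sed() {
    printf '%s\n' "$1" | sed 's/[\/$*.^[\\]/\\&/g'
}

# Number of *.php files under "$2" that still contain the literal string "$1".
count_infected() {
    grep -rlF --include='*.php' -- "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Strip the literal string "$1" from every *.php file under "$2". Before each file is
# edited an untouched copy is stored under "$3" (keep that outside the web root), so the
# cleanup can be rolled back and the originals kept for analysis.
clean_tree() {
    inj=$1; root=$2; backup=$3
    pattern=$(escape_for_sed "$inj")
    # grep -F lists files containing the string literally; IFS= and read -r keep file
    # names with spaces or backslashes intact (names containing newlines are out of scope).
    grep -rlF --include='*.php' -- "$inj" "$root" 2>/dev/null |
    while IFS= read -r f; do
        mkdir -p "$backup$(dirname "$f")"
        cp -p -- "$f" "$backup$f"
        sed -i "s/$pattern//g" "$f"
    done
}

# Throwaway "web root" with constructed files: one clean PHP file, two infected ones
# (one in a directory with a space in its name) and a non-PHP file that must be left alone.
make_demo_site() {
    site=$(mktemp -d)
    mkdir -p "$site/gallery/sub dir"
    printf '<?php\necho "index";\n' > "$site/index.php"
    printf '<?php\n%s\necho "gallery";\n' "$INJ" > "$site/gallery/view.php"
    printf '%s<?php\necho "thumb";\n' "$INJ" > "$site/gallery/sub dir/thumb.php"
    printf 'notes: %s\n' "$INJ" > "$site/README.txt"
    printf '%s\n' "$site"
}

# Demo run: build the site, clean it, report counts, and remove the temporary directories.
demo_site=$(make_demo_site)
demo_backup=$(mktemp -d)
printf 'infected PHP files before: %s\n' "$(count_infected "$INJ" "$demo_site")"
clean_tree "$INJ" "$demo_site" "$demo_backup"
printf 'infected PHP files after:  %s (originals copied under %s)\n' \
    "$(count_infected "$INJ" "$demo_site")" "$demo_backup"
rm -rf "$demo_site" "$demo_backup"
```

Run it as `sh cleanup.sh`; for a real site replace `INJ` with the exact injected line and call `clean_tree` on the web root with a backup directory that the web server cannot serve (a `.bak` copy left next to each `.php` file would be served as plain text). The script only removes a string you already know; the dropped `tmp_xxxx.php` files and the `.htaccess` edits seabro mentions are separate artifacts of the same compromise and have to be located and reviewed on their own, which is why the untouched copies are worth keeping.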
I just encountered Seabro's issue and managed to find this thread. Unspawn or Seabro, could you please share the code that can wipe it off? Damn turnitupnow..
It's been a while since this happened to me but I believe I ended up using 'sed'.
Check it out, it can run through a load of files and modify the contents. I used it simply to remove the unwanted code. There is probably another way which is much better but 'sed' worked for me.