A virus changed all my index files with iframe, how to remove that iframe line?
Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Substitute /source/path with the path of the directory from which you want to begin the search and the trick is done. Note that -print0 and -0 are options to handle file names with spaces, but they are most likely not needed in this case.
...also note you can use another separator (pipe symbol?) to avoid having to escape the characters in use. Prevention partially depends on the security posture of the machine: exposing services to the world that should not be exposed, misconfiguring software, running stale, vulnerable software versions and anything that is basically crappily coded doesn't help.
If somebody is changing your code, it means your machine is compromised.
Editing bad code out of your php files is not going to help you. They'll just change it back.
You need to take the machine offline NOW (as it is probably sending spam, or worse) and raise this in the security forum of LQ where better people than I can give you the help you need to find out how they got past your security, and how to reinstall and harden your system.
I get nothing. "stuffloa" is my site, which is in /home.
Where could the problem be?
Quote:
Originally Posted by tredegar
If somebody is changing your code, it means your machine is compromised.
Editing bad code out of your php files is not going to help you. They'll just change it back.
You need to take the machine offline NOW (as it is probably sending spam, or worse) and raise this in the security forum of LQ where better people than I can give you the help you need to find out how they got past your security, and how to reinstall and harden your system.
I've asked for this thread to be moved.
About 8 hours ago my server was attacked. I removed the line from several files at that time, and till now it is OK, I mean it has not been changed back to the infected version. So I will tighten the security later, but for now I should clean all the infected files.
So which command should I use to remove the entire line from all of the files?
If more information needed about my server or paths, I can provide.
Does that mean you logged in over SSH as root account user?
Quote:
Originally Posted by Farman
About 8 hours ago my server was attacked. I removed the line from several files at that time, and till now it is OK, I mean it has not been changed back to the infected version. So I will tighten the security later, but for now I should clean all the infected files.
No, it's not a choice you make. You have to (and can) do both simultaneously.
Apart from the security concerns, which I leave to unSpawn and other members more expert than me... what do you mean by "I get nothing"? That command should not give any standard output; it just removes the line from the index* files. Note the -i option of the sed command: it means "edit the file in place".
Before actually running a command suggested by someone, do a test: copy one of the files containing that line into a dummy directory and test the command to see if it works. Once you've verified that it is free from bugs/errors and does what you expect, you can safely run it on the real files.
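The find/sed one-liner the posts above refer to is not reproduced on this page. The script below is an added example, not colucix's command or anything the OP ran: it finds every index.* file under a web root that contains the injected iframe line, keeps a timestamp-preserving copy of each infected file in a quarantine directory so the intrusion can still be investigated, tests the deletion on a scratch copy of the tree first (colucix's advice), and only then deletes the line in place with `sed -i`. It uses `|` as the sed address delimiter so the slashes in a URL need no escaping (unSpawn's "other separator" point) and `find -exec ... {} +` instead of `-print0 | xargs -0` to cope with spaces in file names. The attacker host "malicious.example", the sample pages and the directory layout are constructed for the demo and are not from the thread. It requires GNU sed (`-i` with no suffix); BSD/macOS sed wants `-i ''`.

```shell
#!/bin/sh
# Added example (not from the thread): quarantine, dry-run, then strip an
# injected <iframe> line from index.* files under a web root.
# Assumption (hypothetical): the injected line contains the attacker host
# "malicious.example". Adjust INJECTED to match the line actually seen.
set -u

# Literal fragment identifying the injected line, as a basic regex.
# Keep it specific: a bare "<iframe" would also delete legitimate iframes.
INJECTED='<iframe.*malicious\.example'

# Print paths of index.* files containing the injected fragment.
# `-exec grep ... {} +` receives the paths as arguments, so spaces are safe.
list_infected() {
    find "$1" -type f -name 'index.*' -exec grep -l -- "$INJECTED" {} + 2>/dev/null
}

# Total number of injected lines still present under a tree (0 when clean).
count_infected() {
    find "$1" -type f -name 'index.*' -exec grep -cH -- "$INJECTED" {} + 2>/dev/null |
        awk -F: '{ s += $NF } END { print s + 0 }'
}

# Copy every infected file, keeping its relative path and mtime (cp -p), into
# the quarantine directory BEFORE editing it. Evidence first, cleanup second.
quarantine() {
    webroot=$1; qdir=$2
    find "$webroot" -type f -name 'index.*' -exec grep -q -- "$INJECTED" {} \; \
        -exec sh -c 'rel=${1#"$2"/}; mkdir -p "$3/$(dirname "$rel")"; cp -p "$1" "$3/$rel"' \
        _ {} "$webroot" "$qdir" \;
}

# Delete the injected line in place. The address is \|regex| : using '|' as
# the delimiter means "/" inside the pattern does not need escaping.
clean_tree() {
    find "$1" -type f -name 'index.*' -exec grep -q -- "$INJECTED" {} \; \
        -exec sed -i '\|'"$INJECTED"'|d' {} \;
}

# Self-contained walkthrough on a constructed site tree; prints the counts.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/sub dir" "$tmp/site/legit"
    # Constructed sample pages: two carry the injected line, one is clean.
    printf '<html>\n<body>hi</body>\n<iframe src="http://malicious.example/x.php" width="0" height="0"></iframe>\n</html>\n' \
        > "$tmp/site/index.html"
    printf '<?php echo "x"; ?>\n<iframe src="http://malicious.example/y.php"></iframe>\n' \
        > "$tmp/site/sub dir/index.php"
    printf '<html>clean</html>\n' > "$tmp/site/legit/index.htm"

    before=$(count_infected "$tmp/site")
    # Dry run on a scratch copy first, then quarantine and clean the real tree.
    cp -R "$tmp/site" "$tmp/scratch"
    clean_tree "$tmp/scratch"
    scratch=$(count_infected "$tmp/scratch")
    quarantine "$tmp/site" "$tmp/quarantine"
    clean_tree "$tmp/site"
    after=$(count_infected "$tmp/site")
    kept=$(find "$tmp/quarantine" -type f | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "before=$before scratch=$scratch after=$after quarantined=$kept"
}
```

Run `demo` to see the counts on the constructed tree; on a real box call `list_infected /home/stuffloa` first to confirm the pattern hits only what you expect, then `quarantine` and `clean_tree` with the same path. The quarantined copies, with their original mtimes, are what you hand to whoever investigates how the files were modified in the first place.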
Thanks all once again for your kindness.
Oh I'm so sorry Colucix, I checked it and worked perfectly.
Now the question is How Can We Prevent this type of Attack?
Your machine is now operated by someone else, not you. You should stop worrying about some string replacement scripts. You need to REINSTALL your server from trusted sources (CD burned on another machine) and set it up securely BEFORE RUNNING INTERNET SERVICES ON IT.
Nice. Usually it's me saying that sort of thing and phrasing it like that. However...
Quote:
Originally Posted by r0b0
Your machine is now operated by someone else, not you. You should stop worrying about some string replacement scripts. You need to REINSTALL your server from trusted sources (CD burned on another machine) and set it up securely BEFORE RUNNING INTERNET SERVICES ON IT.
Could it be you're mistaking a compromise of the root account with malarkey on the service level? (Not that that is innocent if left as is.) In the Linux Security forum we deal with facts, so if you think a compromise of the root account has happened, wouldn't it be appropriate to ask the OP to collect data that supports your idea before telling him to wipe his machine? And even if there was a root account compromise, wouldn't he be heading for the same situation if he didn't know the intrusion vector?