Hi, guys, I'm not a high-end programmer, but I've been trying to write a script to remove all of the b.rtbn2.cn (and b.adserv.cn and any future variation) injected script tags on the server. (Still working on security fixes to prevent it in the future, just need to clean up now.)
My approach is 2 parted. First, make a file listing all of the filenames of infected files. Second, feed that file to a find/replace script. I want this to be a script file I can just run in the future with no modifications.
In March I figured out how to make a file listing all of the infected files and it worked fine, but when I ran it again this month after another malicious script injection, it's only finding the infected files in some of the directories instead of all of them. (If I change the directory to search a specific directory in /home/infecteddirectory then it finds it, but if I run it to search /home it doesn't find any in the above directory at all and I don't understand why. (It found some of the files in sub directories, but not in other sub directories.)
First part: Find all infected files in /home. The first one is the original line from March (worked then but not now) and the second on is the one modified to hopefully find all variations in May:
find /home -exec egrep -q "b.rtbn2.cn|b.adserv.cn" '{}' \; -print 2>/dev/null >infected_files_march2009 &
find /home -exec egrep -q "b\.([0-9]|[A-Z]|[a-z])+\.cn" '{}' \; -print 2>/dev/null >infected_files_may2009 &
Either one seems to be finding /home/infecteddirectory1 but then skipping /home/infecteddirectory2. Not sure why it's not listing all files in all subdirectories that are infected, please let me know if you see any scripting errors in the above code. It's like it's only doing a partial recursive and randomly stopping in the middle and saying it's done.
Second Part: I need help getting the sed/while do part to work. It currently doesn't work, but I can't quite figure out why. This first version is only looking for b.rtbn2.cn and not the any variety of b.something.cn. I wanted to get this working and then try to add the variable part, but I'm lost. I would like it just to leave the <script></script> part and take out the src="http://b.rtbn2.cn" part. (I found out if you leave the script tags in then the hacking program doesn't put them back in if it hits again.
cat infected_files_may2009|while read line ; do sed -i"s#<script src='http:\/\/b\.rtbn2\.cn\/E\/J\.JS'>##g" $line ;
Any help getting this to work would be greatly appreciated. I did search the boards, but didn't find an example close enough for me to follow.
Thanks!