[ubuntu-uk] Automating find and replace

Bruno Girin brunogirin at gmail.com
Tue Sep 16 22:01:05 UTC 2014


Assuming the offending line is always the same, here's what I would do:

Create a file called evil-hack where you copy the offending line, then run
a script like this:

find . -name "*.php" -print | while IFS= read -r f; do
  cp "$f" "$f.hacked"
  grep -f evil-hack -F -v "$f.hacked" > "$f"
done

So to unpack those few lines:

find . -name "*.php" -print => will find all the *.php files in the folder
tree from the current location

| while IFS= read -r f; do => will execute the code between do and done for
each file, using f as the variable that contains the name of the file

cp "$f" "$f.hacked" => copy the *.php file to *.php.hacked

grep -f evil-hack -F -v "$f.hacked" > "$f" => here's the meat of it, which
applies grep to *.php.hacked and redirects the output to *.php (in effect
replacing the original file); the different options to grep mean:
-f evil-hack: the pattern to search for is in the file evil-hack
-F: interpret the pattern as a fixed string, don't attempt to use any regexp
-v: reverse the search so in effect give me all the lines that don't match
the pattern rather than the ones that do


Once you've done that, you can verify that everything is clean by doing:

find . -name "*.php" -print | while IFS= read -r f; do
  grep -H -f evil-hack -F "$f"
done

and this should come out empty (the -H option in grep will print the file
name where it found a match so that you know where to look if some of it
wasn't cleaned properly).

And the final step, to delete all the hacked files:

find . -name "*.php.hacked" -delete


As ever, make a backup of all the code before you do this, just in case
there's a typo somewhere. And as others have suggested, you need to find
how you got hacked so that you can close that loophole.

Cheers,

Bruno
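
Added example, not part of the original post: a variant of the cleanup above that only deletes lines exactly equal to the line in evil-hack (grep -x), leaves files where the string is merely part of a longer line untouched and lists them for manual review, and refuses a pattern file that is empty or contains a blank line, since that would match every line. The function names, the CLEANED/REVIEW/SKIPPED labels and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. clean_injected DIR PATTERN_FILE
# Deletes, from every *.php under DIR, lines that are exactly equal to a line
# in PATTERN_FILE. Prints "CLEANED file" for each rewritten file (original kept
# as file.hacked) and "REVIEW file" where the string still appears inside a
# longer line, which is left untouched for manual inspection.
clean_injected() {
  dir=$1 pat=$2
  # An empty file or a blank line is an empty pattern, which matches every
  # line: grep -v would then empty every PHP file.
  [ -s "$pat" ] || { echo "pattern file is empty: $pat" >&2; return 2; }
  if grep -q '^$' "$pat"; then
    echo "pattern file contains a blank line: $pat" >&2; return 2
  fi
  # find -exec ... {} + passes names as arguments, so spaces are safe.
  find "$dir" -type f -name '*.php' -exec sh -c '
    pat=$1; shift
    for f do
      if grep -q -x -F -f "$pat" -- "$f"; then
        cp -p -- "$f" "$f.hacked" || { echo "SKIPPED $f"; continue; }
        grep -v -x -F -f "$pat" -- "$f.hacked" > "$f"
        echo "CLEANED $f"
      fi
      if grep -q -F -f "$pat" -- "$f"; then echo "REVIEW $f"; fi
    done' sh "$pat" {} +
}

# Constructed sample tree (not data from the thread); prints its path.
make_sample() {
  d=$(mktemp -d) && mkdir -p "$d/site/my blog" || return 1
  bad='<?php /* CONSTRUCTED sample line #!/\ */ ?>'
  printf '%s\n' "$bad" > "$d/evil-hack"
  printf '%s\n' "$bad" '<?php echo "home";' > "$d/site/index.php"
  printf '%s\n' "$bad"'<?php echo "post";' > "$d/site/my blog/post.php"
  printf '%s\n' '<?php echo "clean";' > "$d/site/ok.php"
  echo "$d"
}

# Demo run on the sample tree.
t=$(make_sample) && clean_injected "$t/site" "$t/evil-hack"; rm -rf "$t"
```

Deal with every REVIEW line by hand before running the find ... -delete step above, because those files still contain the injected string.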


On 16 September 2014 22:09, George Carter <georgealun at gmail.com> wrote:

> You can include slashes in a sed find and replace, you just need to use
> the escape character \ first. I.e. to find http:// and replace with
> https:// you would use sed -i 's/http:\/\//https:\/\//g' file.php
>
> You need to put a backslash before all of the following characters:
> $.*/[\]^
>
> Apologies if I'm stating something you already knew - I'm new to the list
> but figured I'd try and help out having battled with sed a fair bit.
>
> George
>
> > On 16 Sep 2014, at 21:08, Gareth France <gareth.france at gmail.com> wrote:
> >
> > Not Ubuntu related but I'm hoping someone may have the answer I need.
> > Today I discovered my webspace has been hacked and several sites now
> > contain additional code at the start of every single PHP file. Looking at
> > my backups I can see it has been there for a while so restoring from a
> > very old backup could cause me issues.
> >
> > Is there some way I could do a recursive find and delete on that code?
> > It is a very long single line including slashes, hashes, exclamation marks
> > etc so using sed would be difficult as the examples I have seen show /thing
> > to change/thing to change to/.
> >
> > Any ideas very welcome.
> >
> > --
> > ubuntu-uk at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
> > https://wiki.ubuntu.com/UKTeam/