Ping a Specific Port

Question

garconcn

Asked: 2013-09-13 09:38:01 +0800 CST2013-09-13 09:38:01 +0800 CST 2013-09-13 09:38:01 +0800 CST

How to remove malware code from javascript file using sed

772

I found the following two different pattern in some hacked javascript files.

<!--2d3965-->  some code  <!--/2d3965-->

/*2d3965*/ some code /*/2d3965*/

I am able to remove the first pattern from the file using this command:

sed -i 's/<!--2d3965-->.*<!--\/2d3965-->//g' javascript_file.js

but not able to remove the second pattern using similar command:

sed -i 's/\/\*2d3965\*\/.\+\/\*\/2d3965\*\///g' javascript_file.js

What's correct syntax to remove the second pattern?

1 Answers

Voted

ewwhite · Answer 1 · 2013-09-13T09:46:51+08:00

ewwhite

2013-09-13T09:46:51+08:002013-09-13T09:46:51+08:00

The code I've used for this type of attack on .php, .js and .html files is:

perl -p -i.orig -0 -e 's/<\?\s*#([0-9a-z]{6})#.*#\/\1#\s*\?>//gs; s/<\!--([0-9a-z]{6})-->.*<!--\/\1-->//gs;'

Annoying... You should figure out how the attacker got in and check the health of your backups as well. I had to run the above on 4 million files once because the backups were also tainted.

2

How to remove malware code from javascript file using sed

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?