Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Gareth France
I do keep regular backups however the issue is that this has been sitting
silently for some time and changes made since the last clean backup would
have been lost.

On 17 Sep 2014 07:16, "Colin Law"  wrote:

> On 16 September 2014 21:08, Gareth France  wrote:
> > Not ubuntu related but I'm hoping someone may have the answer I need.
> Today
> > I discovered my webspace has been hacked and several sites now contain
> > additional code at the start of every single PHP file. Looking at my
> backups
> > I can see it has been there for a while so restoring from a very old
> backup
> > could cause me issues.
> >
> > Is there some way I could do a recursive find and delete on that code?
> It is
> > a very long single line including slashes, hashes, exclamation marks
> etc so
> > using sed would be difficult as the examples I have seen show /thing to
> > change/thing to change to/.
>
> Not helpful for solving the immediate problem I know, but for the
> future the issue would be easy to solve if you kept a master copy of
> your source in a version control system such as git.  Then if the site
> becomes compromised you can just replace it with the correct code.
> Git is trivially easy to set up and start using.
>
> Colin
>
-- 
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.ubuntu.com/UKTeam/


Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Colin Law
On 16 September 2014 21:08, Gareth France  wrote:
> Not ubuntu related but I'm hoping someone may have the answer I need. Today
> I discovered my webspace has been hacked and several sites now contain
> additional code at the start of every single PHP file. Looking at my backups
> I can see it has been there for a while so restoring from a very old backup
> could cause me issues.
>
> Is there some way I could do a recursive find and delete on that code? It is
> a very long single line including slashes, hashes, exclamation marks etc so
> using sed would be difficult as the examples I have seen show /thing to
> change/thing to change to/.

Not helpful for solving the immediate problem I know, but for the
future the issue would be easy to solve if you kept a master copy of
your source in a version control system such as git.  Then if the site
becomes compromised you can just replace it with the correct code.
Git is trivially easy to set up and start using.

Colin



Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Simon Greenwood
On 16 September 2014 23:54, Gareth France  wrote:

>
>
>> Quoting from my 1979 Unix manual Brian W Kernighan (who is the K in awk)
>> says 'there is nothing sacred about slashes' so you can do
>> s?http://?https://?  In other words 'any character can be used to delimit
>> the pieces of the s command'  It can save a lot of back slash escaping.
>>
>> Tony
>>
> Thank you to everyone for their help. Part of the issue is that the
> offending text is massive and contains pretty much anything I could use as
> a delimiter. However I found a GUI tool to do the job and the clean files
> are uploading now.
>
> The only remaining question is how did it get there to begin with? It was
> present on the 4th September but not in mid August.
>
>
There are any number of ways it could have happened but broadly speaking it
will be some detectable exploit by which something could be put on the
server that could change your scripts. If you're using something common
like WordPress or Joomla there are frequent exploits that are generally
detected and fixed fairly quickly but mean that you must keep on top of
updates of core applications and plugins, but equally common are scanning
methods that detect weak mail forms, upload scripts (often common free ones
for example) and similar things and exploit them.

A quick detection method would be to find any files added since mid August,
particularly in locations where you wouldn't expect them to be.

s/
-- 
Twitter: @sfgreenwood
"TBA are particularly glib"


Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Gareth France




Quoting from my 1979 Unix manual Brian W Kernighan (who is the K in 
awk) says 'there is nothing sacred about slashes' so you can do 
s?http://?https://?  In other words 'any character can be used to 
delimit the pieces of the s command'  It can save a lot of back slash 
escaping.


Tony

Thank you to everyone for their help. Part of the issue is that the 
offending text is massive and contains pretty much anything I could use 
as a delimiter. However I found a GUI tool to do the job and the clean 
files are uploading now.


The only remaining question is how did it get there to begin with? It 
was present on the 4th September but not in mid August.




Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Tony Pursell
On 16 September 2014 22:09, George Carter  wrote:

> You can include slashes in a sed find and replace, you just need to use
> the escape character \ first. i.e. to find http:// and replace with
> https:// you would use sed -i 's/http:\/\//https:\/\//g' file.php
>
> You need to put a backslash before all of the following characters:
> $.*/[\]^
>
> Apologies if I'm stating something you already knew - I'm new to the list
> but figured I'd try and help out having battled with sed a fair bit.
>

Quoting from my 1979 Unix manual Brian W Kernighan (who is the K in awk)
says 'there is nothing sacred about slashes' so you can do s?http://?https://?
In other words 'any character can be used to delimit the pieces
of the s command'  It can save a lot of back slash escaping.

Tony


> George
>
> > On 16 Sep 2014, at 21:08, Gareth France  wrote:
> >
> > Not ubuntu related but I'm hoping someone may have the answer I need.
> Today I discovered my webspace has been hacked and several sites now
> contain additional code at the start of every single PHP file. Looking at
> my backups I can see it has been there for a while so restoring from a
> very old backup could cause me issues.
> >
> > Is there some way I could do a recursive find and delete on that code?
> It is a very long single line including slashes, hashes, exclamation marks
> etc so using sed would be difficult as the examples I have seen show /thing
> to change/thing to change to/.
> >
> > Any ideas very welcome.
> >


Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Bruno Girin
Assuming the offending line is always the same, here's what I would do:

Create a file called evil-hack where you copy the offending line, then run
a script like this:

find . -name "*.php" -print | while IFS= read -r f; do
  cp "$f" "$f.hacked"
  grep -f evil-hack -F -v "$f.hacked" > "$f"
done

So to unpack those few lines:

find . -name "*.php" -print => will find all the *.php files in the folder
tree from the current location

| while read f; do => will execute the code between do and done for each
file, using f as the variable that contains the name of the file

cp "$f" "$f.hacked" => copy the *.php file to *.php.hacked

grep -f evil-hack -F -v "$f.hacked" > "$f" => here is the meat of it that applies
grep to *.php.hacked and redirects the output to *.php (in effect replacing
the original file); the different options to grep mean:
-f evil-hack: the pattern to search for is in the file evil-hack
-F: interpret the pattern as a fixed string, don't attempt to use any regexp
-v: reverse the search so in effect give me all the lines that don't match
the pattern rather than the ones that do


Once you've done that, you can verify that everything is clean by doing:

find . -name "*.php" -print | while IFS= read -r f; do
  grep -H -f evil-hack -F "$f"
done

and this should come out empty (the -H option in grep will print the file
name where it found a match so that you know where to look if some of it
wasn't cleaned properly).

And the final step, to delete all the hacked files:

find . -name "*.php.hacked" -delete


As ever, make a backup of all the code before you do this, just in case
there's a typo somewhere. And as others have suggested, you need to find
how you got hacked so that you can close that loophole.

Cheers,

Bruno


On 16 September 2014 22:09, George Carter  wrote:

> You can include slashes in a sed find and replace, you just need to use
> the escape character \ first. i.e. to find http:// and replace with
> https:// you would use sed -i 's/http:\/\//https:\/\//g' file.php
>
> You need to put a backslash before all of the following characters:
> $.*/[\]^
>
> Apologies if I'm stating something you already knew - I'm new to the list
> but figured I'd try and help out having battled with sed a fair bit.
>
> George
>
> > On 16 Sep 2014, at 21:08, Gareth France  wrote:
> >
> > Not ubuntu related but I'm hoping someone may have the answer I need.
> Today I discovered my webspace has been hacked and several sites now
> contain additional code at the start of every single PHP file. Looking at
> my backups I can see it has been there for a while so restoring from a
> very old backup could cause me issues.
> >
> > Is there some way I could do a recursive find and delete on that code?
> It is a very long single line including slashes, hashes, exclamation marks
> etc so using sed would be difficult as the examples I have seen show /thing
> to change/thing to change to/.
> >
> > Any ideas very welcome.
> >
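A follow-up to Bruno's script, added here as an example and not code from the list: `grep -v` drops whole lines, so if the injected string was prepended to a line that also held real code (one reading of "at the start of every single PHP file"), that legitimate line disappears with it. This version removes the string itself with a fixed-string awk substitution, drops only lines that were nothing but the marker, keeps Bruno's .hacked copies and verification pass, and assumes the marker is passed as a single-line argument; the sample tree and marker are constructed for the demo.

```sh
#!/bin/sh
# Added example (not Bruno's script): strip a fixed injected string from every
# *.php file under a directory, even where it shares a line with legitimate
# code, keeping a .hacked copy of each changed file, then verify the tree.

# Remove every occurrence of the fixed string $1 from file $2, in place.
# awk's index()/substr() take the marker literally, so slashes, hashes, dots,
# brackets and quotes need no escaping. A line that was only the marker is
# dropped; any other line keeps its remaining text. Assumes a one-line marker.
strip_marker() {
  [ -n "$1" ] && tmp=$(mktemp) || return 1
  MARKER="$1" awk '
    BEGIN { m = ENVIRON["MARKER"]; n = length(m) }
    { hit = 0
      while ((i = index($0, m)) > 0) {
        $0 = substr($0, 1, i - 1) substr($0, i + n); hit = 1 }
      if (hit && $0 == "") next
      print }' "$2" > "$tmp" || return 1
  cp -p -- "$2" "$2.hacked" && mv -- "$tmp" "$2"
}
# Print the *.php files under $1 that still contain marker $2 (Bruno's
# verification pass, as a fixed-string search with quoted file names).
verify_tree() {
  find "$1" -name '*.php' -type f -exec grep -lF -- "$2" {} +
}

# Clean every infected *.php under $1; print how many files were changed.
# Assumes file names contain no newlines.
clean_tree() {
  verify_tree "$1" "$2" | {
    n=0
    while IFS= read -r f; do strip_marker "$2" "$f" && n=$((n + 1)); done
    echo "$n"
  }
}

# Constructed sample: a marker full of delimiter-hostile characters,
# prepended to a code line in one file and on its own line in another.
MARKER='<?php /*#!x*/ $m = "a[0].b"; ?>'
demo_tree() {
  d=$(mktemp -d) && mkdir "$d/lib" || return 1
  printf '%s%s\n?>\n' "$MARKER" "<?php echo 'index';" > "$d/index.php"
  printf '%s\n<?php function f() {}\n' "$MARKER" > "$d/lib/util.php"
  printf "<?php echo 'clean';\n" > "$d/clean.php"
  echo "$d"
}
if [ "${1:-}" = demo ]; then
  d=$(demo_tree); echo "cleaned $(clean_tree "$d" "$MARKER") file(s)"
  left=$(verify_tree "$d" "$MARKER"); [ -z "$left" ] && echo "tree clean" || echo "$left"
fi
```

Run it as `sh clean.sh demo` to see it on the constructed tree, or call `clean_tree /path/to/docroot "$(cat evil-hack)"` against a real copy of the site.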


Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread George Carter
You can include slashes in a sed find and replace, you just need to use the 
escape character \ first. i.e. to find http:// and replace with https:// you 
would use sed -i 's/http:\/\//https:\/\//g' file.php

You need to put a backslash before all of the following characters:
$.*/[\]^

Apologies if I'm stating something you already knew - I'm new to the list but 
figured I'd try and help out having battled with sed a fair bit.  

George

> On 16 Sep 2014, at 21:08, Gareth France  wrote:
> 
> Not ubuntu related but I'm hoping someone may have the answer I need. Today I 
> discovered my webspace has been hacked and several sites now contain 
> additional code at the start of every single PHP file. Looking at my backups 
> I can see it has been there for a while so restoring from a very old backup 
> could cause me issues.
> 
> Is there some way I could do a recursive find and delete on that code? It is 
> a very long single line including slashes, hashes, exclamation marks etc so 
> using sed would be difficult as the examples I have seen show /thing to 
> change/thing to change to/.
> 
> Any ideas very welcome.
> 



Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Josh Holland
Hi Gareth,



On Tue, 16 Sep 2014, at 09:56 PM, Gareth France wrote:

Eh?



Simon has given a quick account of the traditional Unix file
searching tools, grep, find and xargs (which isn't technically
a searching tool but is very often used with them). They are
very powerful, but take a good amount of practice to use most
effectively.



To be a little more helpful, could you perhaps give a quick
rundown of what you have to work with? If you have command line
access, it should be possible for someone on the list to help
walk you through using find etc. to track down the files which
have been compromised. Otherwise, it may be a little trickier,
but perhaps the easiest way might be to FTP (or however you
usually transfer) the files to your local machine, do the
command line trickery on that, and then re-upload the clean
files afterwards.



There is a small niggle at the back of my neck about never
trusting a compromised box, and of course you also will want to
track down the vulnerability that initially allowed the bad
guys in, else you'll just be back to square one before long!



Thanks,

Josh


Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Gareth France

Eh?

On 16/09/14 21:29, Simon Greenwood wrote:



On 16 September 2014 21:08, Gareth France wrote:


Not ubuntu related but I'm hoping someone may have the answer I
need. Today I discovered my webspace has been hacked and several
sites now contain additional code at the start of every single PHP
file. Looking at my backups I can see it has been there for a
while so restoring from a very old backup could cause me issues.

Is there some way I could do a recursive find and delete on that
code? It is a very long single line including slashes, hashes,
exclamation marks etc so using sed would be difficult as the
examples I have seen show /thing to change/thing to change to/.

Any ideas very welcome.


find . -name "*.php" -exec grep -e "(string)" {} \;

from your document root will find the string. A guess would be that the 
added code is actually base64 so there will be an eval() or base64() 
at the start of it. You should also be able to use just a fragment of 
the string.


Look at what egrep or grep -e can do to return the actual injected 
code and you could then pass that to sed using xargs and delete it, 
but the simple truth is that it's going to be a bind. You also have to 
identify where the injection was and get rid of it or it will just 
happen again.


s/


--
Twitter: @sfgreenwood
"TBA are particularly glib"






Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Simon Greenwood
On 16 September 2014 21:08, Gareth France  wrote:

> Not ubuntu related but I'm hoping someone may have the answer I need.
> Today I discovered my webspace has been hacked and several sites now
> contain additional code at the start of every single PHP file. Looking at
> my backups I can see it has been there for a while so restoring from a
> very old backup could cause me issues.
>
> Is there some way I could do a recursive find and delete on that code? It
> is a very long single line including slashes, hashes, exclamation marks
> etc so using sed would be difficult as the examples I have seen show /thing
> to change/thing to change to/.
>
> Any ideas very welcome.
>
>
find . -name "*.php" -exec grep -e "(string)" {} \;

from your document root will find the string. A guess would be that the
added code is actually base64 so there will be an eval() or base64() at the
start of it. You should also be able to use just a fragment of the string.

Look at what egrep or grep -e can do to return the actual injected code and
you could then pass that to sed using xargs and delete it, but the simple
truth is that it's going to be a bind. You also have to identify where the
injection was and get rid of it or it will just happen again.

s/


-- 
Twitter: @sfgreenwood
"TBA are particularly glib"


[ubuntu-uk] Automating find and replace

2014-09-16 Thread Gareth France
Not ubuntu related but I'm hoping someone may have the answer I need. 
Today I discovered my webspace has been hacked and several sites now 
contain additional code at the start of every single PHP file. Looking 
at my backups I can see it has been there for a while so restoring from 
a very old backup could cause me issues.


Is there some way I could do a recursive find and delete on that code? 
It is a very long single line including slashes, hashes, exclamation 
marks etc so using sed would be difficult as the examples I have seen 
show /thing to change/thing to change to/.


Any ideas very welcome.
