Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Gareth France
> I recommend the Git book, when you have several hours free. I also
> recommend making lots of commits. I keep forgetting to commit often
> enough, then it's a bit of a pain to split up the changes I've made into
> the right commits. You can easily join multiple commits into one bigger
> one, but it can be tricky to split a larger change up into smaller bits.
> Neil

I NEVER have several hours free. It's more like 15 minutes at the end of
the day where I can just try to reduce the size of my to do pile slightly.


--
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.ubuntu.com/UKTeam/


Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Neil Greenwood


On 17 September 2014 22:31:28 BST, Bruno Girin  wrote:
>On 17 September 2014 20:47, Gareth France wrote:
>
>>> Not helpful for solving the immediate problem I know, but for the
>>> future the issue would be easy to solve if you kept a master copy of
>>> your source in a version control system such as git.  Then if the site
>>> becomes compromised you can just replace it with the correct code.
>>> Git is trivially easy to setup and start using.
>>>
>>> Colin
>>
>> I have taken a quick peek and it says git-hub is free for public, open
>> source projects. I of course require private hosting as I wouldn't want
>> people to peek behind my site. So is there a free option for doing this? I
>> really don't have a budget for doing this sort of thing.
>
>Gitlab [1] is an open source alternative to Github and has unlimited free
>private repositories. It is not as full featured as Github especially in
>the team collaboration area but is more than enough for your use case. It
>takes 5 minutes to create a repo and the only gotcha is how to generate an
>SSH key to let git interact with it, which is explained in their help pages
>[2]. If you need more help with git, the git book [3] is available online
>for free.
>
>Using a VCS like git takes a bit of practice but once you're used to it, it
>is very liberating to know that you always have a golden master and that
>you can roll back any changes should you need to.
>
>[1] https://gitlab.com/
>[2] https://gitlab.com/help/ssh/ssh.md
>[3] http://git-scm.com/book
>
>Bruno
>

I recommend the Git book, when you have several hours free.

I also recommend making lots of commits. I keep forgetting to commit often 
enough, then it's a bit of a pain to split up the changes I've made into the 
right commits. You can easily join multiple commits into one bigger one, but it 
can be tricky to split a larger change up into smaller bits.


Neil

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Bruno Girin
On 17 September 2014 20:47, Gareth France  wrote:

>> Not helpful for solving the immediate problem I know, but for the
>> future the issue would be easy to solve if you kept a master copy of
>> your source in a version control system such as git.  Then if the site
>> becomes compromised you can just replace it with the correct code.
>> Git is trivially easy to setup and start using.
>>
>> Colin
>
> I have taken a quick peek and it says git-hub is free for public, open
> source projects. I of course require private hosting as I wouldn't want
> people to peek behind my site. So is there a free option for doing this? I
> really don't have a budget for doing this sort of thing.


Gitlab [1] is an open source alternative to Github and has unlimited free
private repositories. It is not as full featured as Github especially in
the team collaboration area but is more than enough for your use case. It
takes 5 minutes to create a repo and the only gotcha is how to generate an
SSH key to let git interact with it, which is explained in their help pages
[2]. If you need more help with git, the git book [3] is available online
for free.

Using a VCS like git takes a bit of practice but once you're used to it, it
is very liberating to know that you always have a golden master and that
you can roll back any changes should you need to.

[1] https://gitlab.com/
[2] https://gitlab.com/help/ssh/ssh.md
[3] http://git-scm.com/book

Bruno


Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Gareth France

On 17/09/14 21:52, Colin Law wrote:
> On 17 September 2014 20:47, Gareth France wrote:
>
>>> Not helpful for solving the immediate problem I know, but for the
>>> future the issue would be easy to solve if you kept a master copy of
>>> your source in a version control system such as git.  Then if the site
>>> becomes compromised you can just replace it with the correct code.
>>> Git is trivially easy to setup and start using.
>>>
>>> Colin
>>
>> I have taken a quick peek and it says git-hub is free for public, open
>> source projects. I of course require private hosting as I wouldn't want
>> people to peek behind my site. So is there a free option for doing this? I
>> really don't have a budget for doing this sort of thing.
>
> sudo apt-get install git git-gui gitk
>
> To keep it happy it needs some config info that it uses to record who has made changes
> git config --global user.email "m...@somewhere.com"
> may also need
> git config --global user.name "Yourname"
>
> Then you can make a local repository for your stuff.  This seems like
> a decent looking tutorial at first sight.
> http://www.vogella.com/tutorials/Git/article.html
>
> Colin

This is not going to be an easy job. I think it will have to be a rainy 
day project as at the moment my son prevents me from focusing on 
anything until he goes to bed so all my work gets squashed into the evening.




Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Colin Law
On 17 September 2014 20:47, Gareth France  wrote:
>
>> Not helpful for solving the immediate problem I know, but for the
>> future the issue would be easy to solve if you kept a master copy of
>> your source in a version control system such as git.  Then if the site
>> becomes compromised you can just replace it with the correct code.
>> Git is trivially easy to setup and start using.
>>
>> Colin
>>
> I have taken a quick peek and it says git-hub is free for public, open
> source projects. I of course require private hosting as I wouldn't want
> people to peek behind my site. So is there a free option for doing this? I
> really don't have a budget for doing this sort of thing.

sudo apt-get install git git-gui gitk

To keep it happy it needs some config info that it uses to record who has made changes
git config --global user.email "m...@somewhere.com"
may also need
git config --global user.name "Yourname"

Then you can make a local repository for your stuff.  This seems like
a decent looking tutorial at first sight.
http://www.vogella.com/tutorials/Git/article.html

Colin



Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Gareth France



> Not helpful for solving the immediate problem I know, but for the
> future the issue would be easy to solve if you kept a master copy of
> your source in a version control system such as git.  Then if the site
> becomes compromised you can just replace it with the correct code.
> Git is trivially easy to setup and start using.
>
> Colin

I have taken a quick peek and it says git-hub is free for public, open 
source projects. I of course require private hosting as I wouldn't want 
people to peek behind my site. So is there a free option for doing this? 
I really don't have a budget for doing this sort of thing.




Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Colin Law
On 17 September 2014 14:08, Gareth France  wrote:
> I understand. In which case the big issue would be weeding out old redundant
> files and ensuring no hidden files exist from this recent hack before
> creating this system.

I did say it did not help you in your current predicament, but may
help in the future.  Don't worry about weeding out redundant files,
you can delete them after you setup the system, then if you later
realise - oops that wasn't redundant at all - then you can easily
resurrect them.  In fact if you can afford to take a day out to set
the system up then there is an argument for starting immediately,
before de-hacking.  Then if your de-hacking goes awry in ways that are
not immediately obvious, then again you have the history in the
archive.

Colin

>
> On 17 Sep 2014 14:01, "Daniel Llewellyn"  wrote:
>>
>> On 17 September 2014 08:25, Gareth France  wrote:
>> > Sounds great. My backups are stored on a hard drive here so can't be
>> > compromised but I'd love to find a way to automate it. I'll look into
>> > this
>> > later.
>>
>> I think the point that Colin is trying to convey is that
>> version-control is NOT a backup strategy. version-control sits BEFORE
>> the deployment to the live site and stores every change made to every
>> file in the site to create a canonical "golden master" history. You
>> then mint your live site as a copy of the version-controlled files.
>> This will then allow you to immediately determine whether files have
>> been modified since deployment, which files they are, and how they're
>> modified.
>>
>> With a backup you are reliant on schedule and spotting the problem
>> before it makes its way into your entire history of backups (unless
>> you keep backups till the end of time). With a backup you also need to
>> restore each archive in-turn until you find one that doesn't have the
>> offending code. This is time-consuming! And you have already
>> highlighted the problem of backups not accounting for changes made
>> since the backup was taken. VCS solves that.
>>
>> Version control allows you to immediately isolate the offending code
>> and excise it by either rolling-back the commit that added it (in the
>> case your vcs was hacked in addition to your live site) or just
>> re-deploying your latest golden master over-the-top of the current
>> infected live site (in the case your VCS is still secure).
>>
>> --
>> Daniel Llewellyn
>>


Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Daniel Llewellyn
On 17 September 2014 14:08, Gareth France  wrote:
> I understand. In which case the big issue would be weeding out old redundant
> files and ensuring no hidden files exist from this recent hack before
> creating this system.

You're right, we're really talking hypotheticals that don't help you
out of your current situation, and for that I'm sorry I'm not being
more helpful :-(

the `find` command has an option to list files modified after a
certain date/time which may assist you in finding the files which were
changed after you last modified the site. (if your latest backup is a
tar archive (compressed or not) then it will retain the modified times
when you extract it to an arbitrary location so you are able to do the
analysis on that backup if you are so inclined).

-- 
Daniel Llewellyn



Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Gareth France
I understand. In which case the big issue would be weeding out old
redundant files and ensuring no hidden files exist from this recent hack
before creating this system.

On 17 Sep 2014 14:01, "Daniel Llewellyn"  wrote:

> On 17 September 2014 08:25, Gareth France  wrote:
> > Sounds great. My backups are stored on a hard drive here so can't be
> > compromised but I'd love to find a way to automate it. I'll look into
> > this later.
>
> I think the point that Colin is trying to convey is that
> version-control is NOT a backup strategy. version-control sits BEFORE
> the deployment to the live site and stores every change made to every
> file in the site to create a canonical "golden master" history. You
> then mint your live site as a copy of the version-controlled files.
> This will then allow you to immediately determine whether files have
> been modified since deployment, which files they are, and how they're
> modified.
>
> With a backup you are reliant on schedule and spotting the problem
> before it makes its way into your entire history of backups (unless
> you keep backups till the end of time). With a backup you also need to
> restore each archive in-turn until you find one that doesn't have the
> offending code. This is time-consuming! And you have already
> highlighted the problem of backups not accounting for changes made
> since the backup was taken. VCS solves that.
>
> Version control allows you to immediately isolate the offending code
> and excise it by either rolling-back the commit that added it (in the
> case your vcs was hacked in addition to your live site) or just
> re-deploying your latest golden master over-the-top of the current
> infected live site (in the case your VCS is still secure).
>
> --
> Daniel Llewellyn
>


Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Daniel Llewellyn
On 17 September 2014 08:25, Gareth France  wrote:
> Sounds great. My backups are stored on a hard drive here so can't be
> compromised but I'd love to find a way to automate it. I'll look into this
> later.

I think the point that Colin is trying to convey is that
version-control is NOT a backup strategy. version-control sits BEFORE
the deployment to the live site and stores every change made to every
file in the site to create a canonical "golden master" history. You
then mint your live site as a copy of the version-controlled files.
This will then allow you to immediately determine whether files have
been modified since deployment, which files they are, and how they're
modified.

With a backup you are reliant on schedule and spotting the problem
before it makes its way into your entire history of backups (unless
you keep backups till the end of time). With a backup you also need to
restore each archive in-turn until you find one that doesn't have the
offending code. This is time-consuming! And you have already
highlighted the problem of backups not accounting for changes made
since the backup was taken. VCS solves that.

Version control allows you to immediately isolate the offending code
and excise it by either rolling-back the commit that added it (in the
case your vcs was hacked in addition to your live site) or just
re-deploying your latest golden master over-the-top of the current
infected live site (in the case your VCS is still secure).

-- 
Daniel Llewellyn
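
The golden-master check described in this message, as an added example that is not part of the original post: the live site is minted from a bare git repository, and git then reports which deployed files differ and how. The function names and the GOLDEN/LIVE layout are assumptions; pass absolute paths.

```shell
#!/bin/sh
# Added example, not from the thread.
# GOLDEN = bare repository holding the golden master (assumed layout)
# LIVE   = deployed document root (assumed layout)

# deploy GOLDEN LIVE: mint (or re-mint) the live site from the committed master.
# Tracked files are overwritten; files git has never seen are left in place.
deploy() {
    git --git-dir="$1" --work-tree="$2" checkout -q -f
}

# drift_report GOLDEN LIVE: one line per file that differs from the master.
#   " M path"  modified since deployment
#   " D path"  deleted since deployment
#   "?? path"  present on the site but never committed (e.g. a dropped script)
drift_report() {
    git --git-dir="$1" --work-tree="$2" status --porcelain --untracked-files=all
}

# show_change GOLDEN LIVE PATH: how a tracked file was modified.
show_change() {
    git --git-dir="$1" --work-tree="$2" diff -- "$3"
}

# Usage when run directly: sh drift.sh /abs/path/golden.git /abs/path/live
if [ "$#" -eq 2 ]; then
    drift_report "$1" "$2"
fi
```

Re-deploying over the top restores modified files but does not remove files that were added to the site, so the `??` entries still need to be reviewed and deleted by hand.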



Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Gareth France
Sounds great. My backups are stored on a hard drive here so can't be
compromised but I'd love to find a way to automate it. I'll look into this
later.

On 17 Sep 2014 08:21, "Colin Law"  wrote:

> On 17 September 2014 07:34, Gareth France  wrote:
> > I do keep regular backups however the issue is that this has been sitting
> > silently for some time and changes made since the last clean backup would
> > have been lost.
>
> A VCS is much more than a set of backups.  Since the master resides
> away from the website the hacks would never have got into the
> repository.  But even if they had somehow got there you could find the
> commit that stored them, unroll just that commit (and put back any
> valid changes made during that commit) and magically your master would
> then be fixed without losing changes made since then.
>
> Even more than that git gives you a complete history of all the
> changes you have ever made, so when something stops working, but you
> do not notice immediately, you can go back through the history until
> you find the point at which it stopped working so that you can rapidly
> find what it was you did wrong.
>
> Give git a go, it is trivial to setup and once you start using it you
> will wonder how you ever managed without it.  Seriously.  There are
> many tutorials on getting started.
>
> Colin
>


Re: [ubuntu-uk] Automating find and replace

2014-09-17 Thread Colin Law
On 17 September 2014 07:34, Gareth France  wrote:
> I do keep regular backups however the issue is that this has been sitting
> silently for some time and changes made since the last clean backup would
> have been lost.

A VCS is much more than a set of backups.  Since the master resides
away from the website the hacks would never have got into the
repository.  But even if they had somehow got there you could find the
commit that stored them, unroll just that commit (and put back any
valid changes made during that commit) and magically your master would
then be fixed without losing changes made since then.

Even more than that git gives you a complete history of all the
changes you have ever made, so when something stops working, but you
do not notice immediately, you can go back through the history until
you find the point at which it stopped working so that you can rapidly
find what it was you did wrong.

Give git a go, it is trivial to setup and once you start using it you
will wonder how you ever managed without it.  Seriously.  There are
many tutorials on getting started.

Colin



Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Gareth France
I do keep regular backups however the issue is that this has been sitting
silently for some time and changes made since the last clean backup would
have been lost.

On 17 Sep 2014 07:16, "Colin Law"  wrote:

> On 16 September 2014 21:08, Gareth France  wrote:
> > Not ubuntu related but I'm hoping someone may have the answer I need.
> > Today I discovered my webspace has been hacked and several sites now
> > contain additional code at the start of every single PHP file. Looking
> > at my backups I can see it has been there for a while so restoring from
> > a very old backup could cause me issues.
> >
> > Is there some way I could do a recursive find and delete on that code?
> > It is a very long single line including slashes, hashes, exclamation
> > marks etc so using sed would be difficult as the examples I have seen
> > show /thing to change/thing to change to/.
>
> Not helpful for solving the immediate problem I know, but for the
> future the issue would be easy to solve if you kept a master copy of
> your source in a version control system such as git.  Then if the site
> becomes compromised you can just replace it with the correct code.
> Git is trivially easy to setup and start using.
>
> Colin
>


Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Colin Law
On 16 September 2014 21:08, Gareth France  wrote:
> Not ubuntu related but I'm hoping someone may have the answer I need. Today
> I discovered my webspace has been hacked and several sites now contain
> additional code at the start of every single PHP file. Looking at my backups
> I can see it  has been there for a while so restoring from a very old backup
> could cause me issues.
>
> Is there some way I could do a recursive find and delete on that code? It is
> a very long single line including slashes, hashes, exclamation marks etc so
> using sed would be difficult as the examples I have seen show /thing to
> change/thing to change to/.

Not helpful for solving the immediate problem I know, but for the
future the issue would be easy to solve if you kept a master copy of
your source in a version control system such as git.  Then if the site
becomes compromised you can just replace it with the correct code.
Git is trivially easy to setup and start using.

Colin



Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Simon Greenwood
On 16 September 2014 23:54, Gareth France  wrote:

>> Quoting from my 1979 Unix manual Brian W Kernighan (who is the K in awk)
>> says 'there is nothing sacred about slashes' so you can do
>> s?http://?https://?  In other words 'any character can be used to delimit
>> the pieces of the s command'  It can save a lot of backslash escaping.
>>
>> Tony
>
> Thank you to everyone for their help. Part of the issue is that the
> offending text is massive and contains pretty much anything I could use as
> a delimiter. However I found a gui tool to do the job and the clean files
> are uploading now.
>
> The only remaining question is how did it get there to begin with? It was
> present on the 4th September but not in mid August.
>
>
There are any number of ways it could have happened but broadly speaking it
will be some detectable exploit by which something could be put on the
server that could change your scripts. If you're using something common
like Wordpress or Joomla there are frequent exploits that are generally
detected and fixed fairly quickly but mean that you must keep on top of
updates of core applications and plugins, but equally common are scanning
methods that detect weak mail forms, upload scripts (often common free ones
for example) and similar things and exploit them.

A quick detection method would be to find any files added since mid August,
particularly in locations where you wouldn't expect them to be.

s/
-- 
Twitter: @sfgreenwood
"TBA are particularly glib"
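
The date-based triage suggested in this message, and in Daniel Llewellyn's reply about `find` and tar backups, as an added example that is not from either post: it lists files modified after a cut-off and files that exist on the live copy but not in an extracted clean backup. The function names are assumptions, and the cut-off in the usage line is only the "mid August" date from the thread.

```shell
#!/bin/sh
# Added example, not from the thread.

# changed_since ROOT STAMP: files under ROOT whose mtime is later than STAMP.
# STAMP uses the `touch -t` form CCYYMMDDhhmm. GNU find can do this in one
# step with -newermt; the reference-file form works with any POSIX find.
# mtime can be reset by whoever changed a file, so an empty result is
# inconclusive rather than proof that nothing was touched.
changed_since() {
    root=$1 stamp=$2
    ref=$(mktemp) || return 1
    touch -t "$stamp" "$ref"
    find "$root" -type f -newer "$ref" -print
    rm -f "$ref"
}

# added_since_backup LIVE BACKUP: paths present in LIVE but absent from the
# extracted clean backup, i.e. files that were added rather than modified.
# File names reach the inner shell as arguments, so spaces are safe.
added_since_backup() {
    live=$1
    backup=$(cd "$2" && pwd) || return 1
    ( cd "$live" && find . -type f -exec sh -c '
        backup=$1; shift
        for rel in "$@"; do
            [ -e "$backup/$rel" ] || printf "%s\n" "$rel"
        done
    ' sh "$backup" {} + )
}

# Usage when run directly: sh triage.sh /path/to/site 201408150000
if [ "$#" -eq 2 ]; then
    changed_since "$1" "$2"
fi
```

Because tar keeps modification times on extraction, `changed_since` can also be pointed at an unpacked backup to see what had already changed when that backup was taken.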


Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Gareth France




> Quoting from my 1979 Unix manual Brian W Kernighan (who is the K in
> awk) says 'there is nothing sacred about slashes' so you can do
> s?http://?https://?  In other words 'any character can be used to
> delimit the pieces of the s command'  It can save a lot of backslash
> escaping.
>
> Tony

Thank you to everyone for their help. Part of the issue is that the 
offending text is massive and contains pretty much anything I could use 
as a delimiter. However I found a gui tool to do the job and the clean 
files are uploading now.


The only remaining question is how did it get there to begin with? It 
was present on the 4th September but not in mid August.




Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Tony Pursell
On 16 September 2014 22:09, George Carter  wrote:

> You can include slashes in a sed find and replace, you just need to use
> the escape character \ first. I.E to find http:// and replace with
> https:// you would use sed -i 's/http:\/\//https:\/\//g' file.php
>
> You need to put a backslash before all of the following characters:
> $.*/[\]^
>
> Apologies if I'm stating something you already knew - I'm new to the list
> but figured I'd try and help out having battled with sed a fair bit.
>

Quoting from my 1979 Unix manual Brian W Kernighan (who is the K in awk)
says 'there is nothing sacred about slashes' so you can do
s?http://?https://?  In other words 'any character can be used to delimit the
pieces of the s command'  It can save a lot of backslash escaping.

Tony


> George
>
> > On 16 Sep 2014, at 21:08, Gareth France  wrote:
> >
> > Not ubuntu related but I'm hoping someone may have the answer I need.
> > Today I discovered my webspace has been hacked and several sites now
> > contain additional code at the start of every single PHP file. Looking at
> > my backups I can see it has been there for a while so restoring from a
> > very old backup could cause me issues.
> >
> > Is there some way I could do a recursive find and delete on that code?
> > It is a very long single line including slashes, hashes, exclamation marks
> > etc so using sed would be difficult as the examples I have seen show /thing
> > to change/thing to change to/.
> >
> > Any ideas very welcome.
> >


Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Bruno Girin
Assuming the offending line is always the same, here's what I would do:

Create a file called evil-hack where you copy the offending line, then run
a script like this:

# IFS= and -r stop read from mangling spaces and backslashes in file names
find . -name "*.php" -print | while IFS= read -r f; do
  # keep the infected original next to the cleaned file
  cp "$f" "$f.hacked"
  # write back every line that does not contain the offending string
  grep -f evil-hack -F -v "$f.hacked" > "$f"
done

So to unpack those few lines:

find . -name "*.php" -print => will find all the *.php files in the folder
tree from current location

| while IFS= read -r f; do => will execute the code between do and done for each
file, using f as the variable that contains the name of the file

cp "$f" "$f.hacked" => copy the *.php file to *.php.hacked

grep -f evil-hack -F -v "$f.hacked" > "$f" => here the meat of it that applies
grep to *.php.hacked and redirects the output to *.php (in effect replacing
the original file); the different options to grep mean:
-f evil-hack: the pattern to search for is in the file evil-hack
-F: interpret the pattern as a fixed string, don't attempt to use any regexp
-v: reverse the search so in effect give me all the lines that don't match
the pattern rather than the ones that do


Once you've done that, you can verify that everything is clean by doing:

find . -name "*.php" -print | while IFS= read -r f; do
  grep -H -f evil-hack -F "$f"
done

and this should come out empty (the -H option in grep will print the file
name where it found a match so that you know where to look if some of it
wasn't cleaned properly).

And the final step, to delete all the hacked files:

find . -name "*.php.hacked" -delete


As ever, make a backup of all the code before you do this, just in case
there's a typo somewhere. And as others have suggested, you need to find
how you got hacked so that you can close that loophole.

Cheers,

Bruno


On 16 September 2014 22:09, George Carter  wrote:

> You can include slashes in a sed find and replace, you just need to use
> the escape character \ first. I.E to find http:// and replace with
> https:// you would use sed -i 's/http:\/\//https:\/\//g' file.php
>
> You need to put a backslash before all of the following characters:
> $.*/[\]^
>
> Apologies if I'm stating something you already knew - I'm new to the list
> but figured I'd try and help out having battled with sed a fair bit.
>
> George
>
> > On 16 Sep 2014, at 21:08, Gareth France  wrote:
> >
> > Not ubuntu related but I'm hoping someone may have the answer I need.
> > Today I discovered my webspace has been hacked and several sites now
> > contain additional code at the start of every single PHP file. Looking at
> > my backups I can see it has been there for a while so restoring from a
> > very old backup could cause me issues.
> >
> > Is there some way I could do a recursive find and delete on that code?
> > It is a very long single line including slashes, hashes, exclamation marks
> > etc so using sed would be difficult as the examples I have seen show /thing
> > to change/thing to change to/.
> >
> > Any ideas very welcome.
> >
>
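
A guarded variant of the fixed-string clean-up in this message, as an added example that is not part of the original post: it refuses a pattern file with a blank or very short line (with `-F` an empty pattern matches every line, so `grep -v` would write back empty files) and only rewrites files that actually contain the string. The function names and the MIN_LEN threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.
# MIN_LEN is an assumed safety threshold for each line of the pattern file.
MIN_LEN=${MIN_LEN:-20}

# check_pattern_file FILE: fail unless every line is at least MIN_LEN long.
# A trailing blank line left by an editor is the usual way this goes wrong.
check_pattern_file() {
    pf=$1
    [ -s "$pf" ] || { echo "pattern file missing or empty: $pf" >&2; return 1; }
    awk -v min="$MIN_LEN" 'length($0) < min { bad = 1 } END { exit bad }' "$pf" || {
        echo "pattern file $pf has a line shorter than $MIN_LEN characters" >&2
        return 1
    }
}

# clean_tree ROOT PATTERN_FILE: remove matching lines from *.php under ROOT.
# Prints the name of every file it changed and keeps the infected original
# as FILE.hacked. grep -v drops whole lines, so this assumes the injected
# code sits on a line of its own, as described in the thread.
clean_tree() {
    root=$1 pf=$2
    check_pattern_file "$pf" || return 1
    # find passes file names as arguments, so spaces and quotes are safe
    find "$root" -type f -name '*.php' -exec sh -c '
        pf=$1; shift
        for f in "$@"; do
            if grep -q -F -f "$pf" -- "$f"; then
                cp -p -- "$f" "$f.hacked"
                # grep exits 1 when no line survives; that is not an error here
                grep -v -F -f "$pf" -- "$f.hacked" > "$f" || :
                printf "%s\n" "$f"
            fi
        done
    ' sh "$pf" {} +
}

# remaining ROOT PATTERN_FILE: list *.php files that still contain the string.
# Empty output means the tree is clean; grep finding nothing is not a failure.
remaining() {
    find "$1" -type f -name '*.php' -exec grep -l -F -f "$2" -- {} + || :
}

# Usage when run directly: sh clean.sh /path/to/site /path/to/evil-hack
if [ "$#" -eq 2 ]; then
    clean_tree "$1" "$2"
fi
```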


Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread George Carter
You can include slashes in a sed find and replace, you just need to use the 
escape character \ first. I.E to find http:// and replace with https:// you 
would use sed -i 's/http:\/\//https:\/\//g' file.php

You need to put a backslash before all of the following characters:
$.*/[\]^

Apologies if I'm stating something you already knew - I'm new to the list but 
figured I'd try and help out having battled with sed a fair bit.  

George

> On 16 Sep 2014, at 21:08, Gareth France  wrote:
> 
> Not ubuntu related but I'm hoping someone may have the answer I need. Today I 
> discovered my webspace has been hacked and several sites now contain 
> additional code at the start of every single PHP file. Looking at my backups 
> I can see it  has been there for a while so restoring from a very old backup 
> could cause me issues.
> 
> Is there some way I could do a recursive find and delete on that code? It is 
> a very long single line including slashes, hashes, exclamation marks etc so 
> using sed would be difficult as the examples I have seen show /thing to 
> change/thing to change to/.
> 
> Any ideas very welcome.
> 


Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Josh Holland
Hi Gareth,



On Tue, 16 Sep 2014, at 09:56 PM, Gareth France wrote:

> Eh?



Simon has given a quick account of the traditional Unix file
searching tools, grep, find and xargs (which isn't technically
a searching tool but is very often used with them). They are
very powerful, but take a good amount of practice to use most
effectively.



To be a little more helpful, could you perhaps give a quick
rundown of what you have to work with? If you have command line
access, it should be possible for someone on the list to help
walk you through using find etc. to track down the files which
have been compromised. Otherwise, it may be a little trickier,
but perhaps the easiest way might be to FTP (or however you
usually transfer) the files to your local machine, do the
command line trickery on that, and then re-upload the clean
files afterwards.



There is a small niggle at the back of my neck about never
trusting a compromised box, and of course you also will want to
track down the vulnerability that initially allowed the bad
guys in, else you'll just be back to square one before long!



Thanks,

Josh


Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Gareth France

Eh?

On 16/09/14 21:29, Simon Greenwood wrote:
> On 16 September 2014 21:08, Gareth France wrote:
>
>> Not ubuntu related but I'm hoping someone may have the answer I
>> need. Today I discovered my webspace has been hacked and several
>> sites now contain additional code at the start of every single PHP
>> file. Looking at my backups I can see it has been there for a
>> while so restoring from a very old backup could cause me issues.
>>
>> Is there some way I could do a recursive find and delete on that
>> code? It is a very long single line including slashes, hashes,
>> exclamation marks etc so using sed would be difficult as the
>> examples I have seen show /thing to change/thing to change to/.
>>
>> Any ideas very welcome.
>
> find . -name "*.php" -exec grep -e "(string)" {} \;
>
> from your document root will find the string. A guess would be that the
> added code is actually base64 so there will be an eval() or base64()
> at the start of it. You should also be able to use just a fragment of
> the string.
>
> Look at what egrep or grep -e can do to return the actual injected
> code and you could then pass that to sed using xargs and delete it,
> but the simple truth is that it's going to be a bind. You also have to
> identify where the injection was and get rid of it or it will just
> happen again.
>
> s/
>
> --
> Twitter: @sfgreenwood
> "TBA are particularly glib"






Re: [ubuntu-uk] Automating find and replace

2014-09-16 Thread Simon Greenwood
On 16 September 2014 21:08, Gareth France  wrote:

> Not ubuntu related but I'm hoping someone may have the answer I need.
> Today I discovered my webspace has been hacked and several sites now
> contain additional code at the start of every single PHP file. Looking at
> my backups I can see it  has been there for a while so restoring from a
> very old backup could cause me issues.
>
> Is there some way I could do a recursive find and delete on that code? It
> is a very long single line including slashes, hashes, exclamation marks
> etc so using sed would be difficult as the examples I have seen show /thing
> to change/thing to change to/.
>
> Any ideas very welcome.
>
>
find . -name "*.php" -exec grep -e "(string)" {} \;

from your document root will find the string. A guess would be that the
added code is actually base64 so there will be an eval() or base64() at the
start of it. You should also be able to use just a fragment of the string.

Look at what egrep or grep -e can do to return the actual injected code and
you could then pass that to sed using xargs and delete it, but the simple
truth is that it's going to be a bind. You also have to identify where the
injection was and get rid of it or it will just happen again.

s/


-- 
Twitter: @sfgreenwood
"TBA are particularly glib"


[ubuntu-uk] Automating find and replace

2014-09-16 Thread Gareth France
Not ubuntu related but I'm hoping someone may have the answer I need. 
Today I discovered my webspace has been hacked and several sites now 
contain additional code at the start of every single PHP file. Looking 
at my backups I can see it  has been there for a while so restoring from 
a very old backup could cause me issues.


Is there some way I could do a recursive find and delete on that code? 
It is a very long single line including slashes, hashes, exclamation 
marks etc so using sed would be difficult as the examples I have seen 
show /thing to change/thing to change to/.


Any ideas very welcome.
