
I have this problem:

Various pages of my site (typically: html, php and js) are affected by a trojan horse (JS/Kryptik.ADZ based on NOD32 scan).

The code in each type of page is like this:

PHP:

#336988#
echo "<script type=\"text/javascript\" language=\"javascript\" > CODE OF MALWARE </script>";
#/336988#

JS:

/*336988*/
CODE OF MALWARE
/*/336988*/

HTML:

<!--336988-->
<script type="text/javascript" language="javascript" >CODE OF MALWARE</script>
<!--/336988-->

So I use Notepad++ and regex to replace malware with blank text. My regex is this: `(<!--|\#|/\*)336988.+/336988(-->|\#|\*/)`

But only HTML is found by this expression. Why?

I don't understand.

I'm sorry if my English and my knowledge of regex are poor.

Thanks

Carlo

    In text editors, `.+` usually won't cross line boundaries. – Barmar Jan 13 '13 at 11:22
  • Replace `.` with `[\s\S]` – nhahtdh Jan 13 '13 at 13:02
    Start using version control immediately, and deploy from your repository. You shouldn't need to "undo" changes like this. – Mark Peters Jan 13 '13 at 13:24
  • I also tried `[\s\S]` and `[\s\S]+` but it won't work. I'm using Espresso to validate the regex – Carlo Jan 13 '13 at 13:50
  • @MarkPeters I don't understand what you mean – Carlo Jan 13 '13 at 13:52
  • I understand why it worked with HTML: because it was a single line. The problem is that I do not know how to include multiple lines – Carlo Jan 13 '13 at 13:56
  • I tried the regex `(|\#|\*/)` in Notepad++ and it works. Thank you all for the help. – Carlo Jan 13 '13 at 14:18
  • You should post your answer as an answer. – ATOzTOA Jan 13 '13 at 14:23
  • I tried the same regex `(|\#|\*/)` with another infected website tree on another PC, also with Notepad++, and it doesn't work. This is very strange! – Carlo Jan 14 '13 at 10:58
  • Which program can I use to replace multi-line string in many files with regex? Notepad++ doesn't seem to allow multi-line option – Carlo Jan 14 '13 at 11:07
  • I tried Replace Studio Pro, but it doesn't find the string with that pattern. Could it be a problem with the encoding of the file? – Carlo Jan 14 '13 at 11:37
  • Where can I put examples of these files to allow you to try the regex replace? – Carlo Jan 14 '13 at 16:15
  • Attempting to revert malware edits is futile. Find out how they got in in the first place, and block that; then restore your files from version control or backups instead of attempting to change back whatever they changed. See also https://meta.stackoverflow.com/questions/314002/how-to-cope-with-help-ive-been-hacked-questions – tripleee Feb 20 '19 at 08:35
  • Possible duplicate of [Best methods to clean up a hacked site with no clean version available?](https://stackoverflow.com/questions/6337976/best-methods-to-clean-up-a-hacked-site-with-no-clean-version-available) – tripleee Feb 20 '19 at 08:36

4 Answers


Try this one:

'^.*336988.*[\s\S]*.*336988.*$'
ATOzTOA
  • It would be much easier to write a `python` script to do it for you rather than searching for tools. – ATOzTOA Jan 14 '13 at 16:55

Try this one, I had the same problem and it worked.

/#336988#(.*?)#\/336988#/ism
4b0
dpan

Here is a script to fix 336988, 68c8c7, 8f4d8e, a59dc4.


Today I had the same problem but with different code. This code affected aspx, asp, htdocs, html, htm and js files. Below is my code in PowerShell to fix these files. For JS files you need to change the line:

    $regex = New-Object System.Text.RegularExpressions.Regex "<!--68c8c7-->((.|\n)*)<!--/68c8c7-->"

to:

    $regex = New-Object System.Text.RegularExpressions.Regex "/\*68c8c7\*((.|\n)*)68c8c7\*/"

and line

    Get-ChildItem . -Recurse -Include *.aspx,*.asp,*.html,*.htm | where-object {$_.lastwritetime -gt $DateToCompare} |  %{Write-Host Examining file: $_.fullname; $_} | ForEach-Object { DoWork $_.Name $_.DirectoryName}

to:

    Get-ChildItem . -Recurse -Include *.js | where-object {$_.lastwritetime -gt $DateToCompare} |  %{Write-Host Examining file: $_.fullname; $_} | ForEach-Object { DoWork $_.Name $_.DirectoryName}

Below is the code (this script will create Backup_* files; after all is done you can delete those files):

    function tryFixFile($filepath, $filepathBackup)
    {
        # Read the whole file as one string so the pattern can span lines
        $infile = [string]::join([environment]::newline, (get-content -path $filepath))
        # (.|\n)* lets the match cross line boundaries. It is greedy, so if a file
        # contains several injections everything between the first opener and the
        # last closer is removed.
        $regex = New-Object System.Text.RegularExpressions.Regex "<!--68c8c7-->((.|\n)*)<!--/68c8c7-->"

        if($regex.IsMatch($infile))
        {
            # $WScriptObject is created in DoWork and is visible here through
            # PowerShell's dynamic scoping
            $intAnswer = $WScriptObject.popup("File needs to be changed: " + $filepath + " do you want to continue?", 0,"Change File",4)
            If ($intAnswer -eq 6)
            {
                Write-Host "  Creating backup for file: "  $filepath
                Copy-Item $filepath $filepathBackup
                $replace = $regex.Replace($infile,"")
                # out-file writes UTF-16 by default in Windows PowerShell; pass
                # -Encoding if the files must keep their original encoding
                $replace | out-file $filepath
            } else
            {
                $WScriptObject.popup("File " + $filepath + " won't be changed.")
            }
        }
    }

    function DoWork($filename, $directory)
    {
        $filepath = $directory + '\' + $filename
        $filepathBackup = $directory + '\' + "Backup_" + $filename

        $WScriptObject = new-object -comobject wscript.shell

        tryFixFile $filepath $filepathBackup
    }

    $pathToCheck = Read-Host 'WARNING!! Path to check/change?'
    if (Test-Path $pathToCheck)
    {
        Set-Location $pathToCheck

        # files were affected no longer than 2 days ago, you can change this
        $DateToCompare = (Get-date).AddDays(-2)

        Get-ChildItem . -Recurse -Include *.aspx,*.asp,*.html,*.htm | where-object {$_.lastwritetime -gt $DateToCompare} |  %{Write-Host Examining file: $_.fullname; $_} | ForEach-Object { DoWork $_.Name $_.DirectoryName}
    }else
    {
        write-host "Path doesn't exist"
    }
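The question's three marker syntaxes and the PowerShell answer's file-by-file clean-up, as an added Python example that is not code from the question or from any answer: one pattern per delimiter pair, `re.DOTALL` so the match spans lines (the reason only the single-line HTML case matched in Notepad++), a lazy quantifier so each injection is removed on its own, and a byte-preserving in-place rewrite that keeps a Backup_ copy. The marker tag 336988 and the three file shapes come from the question; the sample file contents are constructed.

```python
import pathlib
import re

# Constructed sample files, one per marker syntax shown in the question;
# "CODE OF MALWARE" stands in for the injected script body.
SAMPLES = {
    "index.php": '<?php\n#336988#\necho "<script type=\\"text/javascript\\" '
                 'language=\\"javascript\\" > CODE OF MALWARE </script>";\n#/336988#\necho "hello";\n',
    "app.js": "/*336988*/\nCODE OF MALWARE\n/*/336988*/\nfunction keep() { return 1; }\n",
    "page.html": '<!--336988-->\n<script type="text/javascript" language="javascript" >'
                 'CODE OF MALWARE</script>\n<!--/336988-->\n<p>real content</p>\n',
}

def marker_pattern(tag: str) -> re.Pattern:
    """One pattern for the PHP (#), JS (/* */) and HTML (<!-- -->) markers.

    Openers and closers are paired per syntax, unlike the question's
    alternation, which would also accept a '#' opener closed by '-->'.
    re.DOTALL lets '.' cross line boundaries (the reason only the single-line
    HTML case matched), and the lazy '.*?' stops at the first closer so two
    injections in one file are removed separately.
    """
    t = re.escape(tag)
    return re.compile(
        rf"(?:#{t}#.*?#/{t}#|/\*{t}\*/.*?/\*/{t}\*/|<!--{t}-->.*?<!--/{t}-->)[ \t]*\r?\n?",
        re.DOTALL,
    )

def strip_injection(text: str, tag: str = "336988") -> tuple:
    """Return (cleaned text, number of injected blocks removed)."""
    return marker_pattern(tag).subn("", text)

def clean_file(path: pathlib.Path, tag: str = "336988") -> int:
    """Clean one file in place, keeping the original as Backup_<name>.

    surrogateescape lets a file in an unknown encoding round-trip byte for
    byte apart from the removed block (the encoding worry in the comments).
    """
    raw = path.read_bytes()
    cleaned, n = strip_injection(raw.decode("utf-8", "surrogateescape"), tag)
    if n:
        path.with_name("Backup_" + path.name).write_bytes(raw)
        path.write_bytes(cleaned.encode("utf-8", "surrogateescape"))
    return n

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        cleaned, n = strip_injection(body)
        print(f"{name}: removed {n} block(s)\n{cleaned}")
```

Run `clean_file` over the files a directory walk returns (for example `pathlib.Path(root).rglob("*.php")`), and diff each file against its Backup_ copy before deleting the backups.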