Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : grep and hacked files

[Linda_MBS]

With the recent PHPbb troubles,some of the nice folks on one of our servers got hit with a nice index replacement page by a hacker. I could go thru all the accounts manually and delete this file, but that would take hours.

I recall seeing something somewhere that I could grep for something specific in the file and then mass delete the returned files, but I cant recall exactly what it was I needed to do.

Any help?

[Techark]

for i in `locate nameoffile.html`; do if grep "whatever you need to grep for" $i > /dev/null; then rm -f /home/nameoffiletodlete $i; echo hacked: $i; fi; done


This should do it just replace the correct grep text and name of file to delete and serach for.

Might want to run updatedb before so the locate database is up to date.

[error404]

Use find instead of locate in that script. locate will never be totally up to date, and missing a file could be painful in this case.

Something like 'find / -iname nameoffile.html' instead of the locate command.

[Cirrostratus]

grep -R 'IamWormKeyword' /path/to/vhosts/ >> /tmp/infected.txt

Then view /tmp/infected.txt for all the hits.

That will grep ALL contents of ALL the files recursively under /path/to/vhosts and look for the keyword you specify and then dump the results in the text file.

From there you can open the files manually and fix them.

Thanks

Jeremy

[bitserve]

find / -type f -exec grep -l foo {} \; | xargs rm

Although you'd probably want to do this to be more careful:

cd /home (or dir where web docs are stored under)
find . -type f -exec grep -l foo {} \; | xargs -l -p rm

[Linda_MBS]

Will any of these work server wide?

[bitserve]

Techark's and my first example both work "server wide". While my second example and jeremy's example both use the more practical approach of only running it in the directory likely to contain index files. Based on your question, I'd recommend jeremy's approach, as it won't actually be harmful if you make a mistake.