The easy way to remove JavaScript inserts (viruses) from PHP, JavaScript (JS) and HTML using sed.

Does a client site have lots of JavaScript inserted into it? If the inserts are wrapped in marker comments, you can remove them with sed from a shell over SSH.

I generally see these inserts arrive over FTP after a client-side password stealer has captured the login. First, find out where the injection is coming from (and kindly ask your user to use SCP/SFTP in the future as well, so the password is no longer sent in the clear).

Now on to the cleaning, and hopefully my own domain doesn’t get picked up as unsafe by Google.

Here is an example from previous work on this issue:

A client got a JavaScript virus; helpfully, the virus wrapped each insert in comments containing a marker such as 4d9f97. The comment syntax differs between HTML, PHP and JavaScript, but in each case the marker 4d9f97 appears in a comment at the start and at the end of the insert. We can use sed and a regex to remove the data between these markers:

Example showing exactly what is happening:

grep 4d9f97 index.htm
                    </div><!--4d9f97--><script type="text/javascript" language="javascript">
VIRUS GOES HERE
<!--/4d9f97-->

PHP and JavaScript files follow the same pattern, with the marker inside their own comment syntax.

1) Back up the file
cp index.htm index.htm.old

2) Run the sed command (the whole file is read into one pattern space first, so the match can span lines; sed -i edits the file in place)

sed -i ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' index.htm

3) Compare against the backup

diff index.htm index.htm.old
165c165
<                   </div> 
---
>                   </div><!--4d9f97-->><script type="text/javascript" language="javascript" >                                                                                                                                                      VIRUS                                                                                                                                                      <!--/4d9f97-->

This covers HTML comments as well as PHP/JS comments, removing the text in between.

Notes:
* Always back up first; I’ve only tested this a few times.
* The .* in the pattern is greedy: if one file contains several marked blocks, it matches from the first opening marker to the last closing marker, so any legitimate content between two injections is removed too. Check the diff carefully in that case.
* With the default IFS, a for loop over grep’s output breaks file names containing spaces, which is why the directory example below sets IFS to a newline.
* Change 4d9f97 to whatever marker your comments use.

Full example on an entire directory:

cd /home/username
# back up the whole tree before touching anything
tar -zcf public_html.tgz public_html
cd public_html
# split grep's file list on newlines only, so file names with spaces survive
OIFS=$IFS
IFS="
"
for i in $(grep -lri 4d9f97 .); do sed -i ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' "$i"; done
# restore the default field separator
IFS=$OIFS
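The single-file procedure (back up, run sed, compare) and the directory loop above, as an added worked example that is not from the original post: it builds constructed sample files in all three comment styles (HTML, PHP hash comments, JS C-style comments), cleans them and shows the diff against the .old copies. The helper names (clean_file, clean_tree, make_samples, remaining_markers, demo) and the sample contents are assumptions made for this example; only the marker 4d9f97 comes from the post. It goes one step beyond the post: the sed loop removes several marked blocks from one file without touching the legitimate content between them, which a single greedy .* would wipe out. GNU sed and GNU grep are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds constructed sample files that
# carry the marker 4d9f97 in HTML, PHP (hash) and JS (C-style) comments, cleans
# them with sed and shows the diff. Assumes GNU sed and GNU grep (-i without a
# suffix, \| alternation and --exclude are GNU extensions). All helper names and
# file contents below are constructed for the example.

MARKER='4d9f97'   # change this to whatever marker your injected comments use

# Opening and closing marker comments as sed BREs, as in the post:
#   opens:  /*M*/   #M#   <!--M-->      closes:  /*/M*/   #/M#   <!--/M-->
OPEN='\(\/\*\|#\|<!--\)'"$MARKER"'\(\*\/\|#\|-->\)'
CLOSE='\(\/\*\/\|#\/\|<!--\/\)'"$MARKER"'\(\*\/\|#\|-->\)'

# clean_file FILE: keep a FILE.old copy, slurp the whole file into one pattern
# space and strip every marked block. A lone greedy .* between OPEN and CLOSE
# would match from the FIRST opening to the LAST closing marker and take any
# legitimate content between two injections with it. The leading \(.*\) is
# greedy as well, so each pass pairs the LAST opening marker with the LAST
# closing marker; the tb loop repeats until no block is left.
clean_file() {
  cp "$1" "$1.old"
  sed -i ':a;$!{N;ba;};:b;s/\(.*\)'"$OPEN"'.*'"$CLOSE"'/\1 /;tb' "$1"
}

# clean_tree DIR: the post's directory loop, reading grep's list line by line so
# file names with spaces survive (names containing newlines still would not).
# The .old backups are excluded so they are not "cleaned" on a second run.
clean_tree() {
  grep -rl --exclude='*.old' -- "$MARKER" "$1" |
    while IFS= read -r f; do clean_file "$f"; done
}

# remaining_markers FILE: number of lines still containing the marker (0 = clean)
remaining_markers() {
  grep -c -- "$MARKER" "$1" || true
}

# make_samples DIR: write three constructed sample files, one per comment style.
# index.htm carries two injections to exercise the multi-block case.
make_samples() {
  mkdir -p "$1"
  printf '%s\n' \
    '<div>content</div><!--'"$MARKER"'--><script type="text/javascript">' \
    'VIRUS GOES HERE' \
    '</script><!--/'"$MARKER"'-->' \
    '<p>second</p><!--'"$MARKER"'--><script>MORE</script><!--/'"$MARKER"'--><p>end</p>' \
    > "$1/index.htm"
  printf '%s\n' '<?php' 'echo "hello";' '#'"$MARKER"'#' 'INJECTED PHP HERE' \
    '#/'"$MARKER"'#' 'echo "bye";' > "$1/config.php"
  printf '%s\n' 'var ok = 1;' '/*'"$MARKER"'*/' 'document.write("VIRUS");' \
    '/*/'"$MARKER"'*/' 'var done = 1;' > "$1/app.js"
}

# demo: build the samples in a temp directory, clean the tree and show, per
# file, how many marker lines remain and what changed against the .old copy.
demo() {
  dir=$(mktemp -d)
  make_samples "$dir"
  clean_tree "$dir"
  for f in "$dir"/index.htm "$dir"/config.php "$dir"/app.js; do
    echo "== $f (marker lines left: $(remaining_markers "$f"))"
    diff "$f.old" "$f" || true
  done
  rm -rf "$dir"
}

demo
```

On a real site, point clean_tree at the backed-up document root instead of the temp directory and read the diffs before deleting the .old copies; a marked block that contains a genuine second marker comment of its own is the one case this pairing does not handle.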

Credit to InterServer sysadmin Detain for the sed work.
