How to remove malware code from javascript file using sed

sed

I found the following two different pattern in some hacked javascript files.

<!--2d3965-->  some code  <!--/2d3965-->

/*2d3965*/ some code /*/2d3965*/

I am able to remove the first pattern from the file using this command:

sed -i 's/<!--2d3965-->.*<!--\/2d3965-->//g' javascript_file.js

but not able to remove the second pattern using similar command:

sed -i 's/\/\*2d3965\*\/.\+\/\*\/2d3965\*\///g' javascript_file.js

What's correct syntax to remove the second pattern?

Best Answer

The code I've used for this type of attack on .php, .js and .html files is:

perl -p -i.orig -0 -e 's/<\?\s*#([0-9a-z]{6})#.*#\/\1#\s*\?>//gs; s/<\!--([0-9a-z]{6})-->.*<!--\/\1-->//gs;'

Annoying... You should figure out how the attacker got in and check the health of your backups as well. I had to run the above on 4 million files once because the backups were also tainted.

Related Solutions

Postgresql – Using sed to convert hex characters in postgresql dump file

A typical solution is to use iconv -c.

Linux – sed: Add new line to every file that does not have one at end of file

In the absence of dos2unix - which would be the ideal way, try:

find . \( -name "*.cpp" -o -name "*.h" -o -name "*.hpp" \) -print0 | xargs -0 -iFILE sh -c 'echo >> FILE'

find . -type f \( -name "*.cpp" -o -name "*.h" -o -name "*.hpp" \) -exec sh -c 'echo >> {}' \;

Note that redirection is always a problem - the replacement doesn't occur as desired without launching a new shell.

Since your question was about 'sed', you could also do it as:

find . \( -name "*.cpp" -o -name "*.h" -o -name "*.hpp" \) -print0 | xargs -0 sed -i -e '$a\
\'

(That is a literal new line character - not a \n or anything else - probably best done as copy and paste - as it might be rather hard to type in :).

Best Answer

Related Solutions

Postgresql – Using sed to convert hex characters in postgresql dump file

Linux – sed: Add new line to every file that does not have one at end of file

Related Topic