Posted by: MajorGeek
Posted on: 2009-10-27 10:24:00
I'm cleaning up my site after a hack. grep was able to find a call to davtraff.com in one directory. Isn't there a trick to get grep to search for a pattern down into subdirectories too? sed or perl?
This signature line intentionally blank.
Posted by: andrewf
Posted on: 2009-10-27 11:32:00
Even easier than you think:
grep -r PATTERN DIRECTORY
Posted by: vicm3
Posted on: 2009-10-27 11:42:00
even better if you have a iframe injection this one can help (I just found one of my sites attacked with the same URL.)
grep -lr -e '<iframe src="http://.*</iframe>' * | xargs sed -i 's/<iframe> src="http:\/\/.*<\/iframe>//g'
Just make sure you are not using iframes yourself ;D
Posted by: MajorGeek
Posted on: 2009-10-27 11:59:00
That's a good trick. My college just started doing something like that in windows on his part of the site.
Where do you suppose we got this infection? I admit I had an installation of the one-click gallery and forum that I hadn't used or upgraded for a couple years. I dumped them both.
This signature line intentionally blank.
Posted by: vicm3
Posted on: 2009-10-27 12:01:00
I'm not totally sure, but I taking special attention on the logs from a gallery 1.5.x series...
Posted by: MajorGeek
Posted on: 2009-10-27 13:36:00
I tried your grep|xargs line but it din't seem to remove anything. The part before the pipe finds all the files with the iframes with davtraff.com, but is there a typo in the sed part?
This signature line intentionally blank.
Posted by: vicm3
Posted on: 2009-10-27 13:52:00
Maybe a typo or filtered by forum, anyway I find the one liner on this site
Posted by: MajorGeek
Posted on: 2009-10-27 15:02:00
Thanks. It worked off the site but not off the forum but I can't see the difference.
This signature line intentionally blank.