#1 - SitePoint Enthusiast | Join Date: Apr 2004 | Location: Staten Island, NY | Posts: 66

    HELP! I need to Find and Replace code in many files! Code Injection in sites!

    I have a server with a few large dynamic sites on it; a lot of them have JS code injected at the bottom of the files.

    The code is like this,

    PHP Code:
    <b1><!--7_TsCl0TeNoNy1EKgCAMANAbOUsCr2M6bOA20InR6fPrfT1gMbDUK5oPEK4zXn4TYjxgreWadpRPRyEhqS4rw8IbsorhnsiJ2oA06xwGJAVf9xi3H/tCHsA=--></b1></body>
    </html>
    I have been going one site at a time, downloading the site, searching the whole site in Dreamweaver, and using a regex like this to delete instances of it.

    Code:
    <b1><!--[^"]*--></b1></body>
    [^"]*</html>
    
    or
    
    <b1><!--[^"]*--></b1></body>
    [\r]*</html>
    Here is the issue though, if the code gets injected into an HTML file, or a PHP/ASP file that has HTML mixed with it, then the </html> needs to be left in place. If on the other hand, the code is injected into a PHP/ASP file that does not otherwise contain HTML, it breaks the whole file, and to fix it the entire string needs to be removed, including the </html>

    I figure, if the file is only code, no HTML, it will not have an opening <html> or <body> tag.

    Would there be any way to construct a script, that can search every file in the site using regex, and if the file has opening <html> and <body> tags, it will replace the whole string with just </body>[\r]*</html>, but if there are no opening tags it will just delete the entire string.

    I know this may still break some files, but I think for the most part it would work, and it would probably be easier to troubleshoot the few broken files than to manually remove these strings from everything.

    If anyone can help me put this script together, I would greatly appreciate it!

    Thank you!

#2 - Mittineague, Programming Team | Join Date: Jul 2005 | Location: West Springfield, Massachusetts | Posts: 16,445
    First, I'm not so sure a hash in a comment is necessarily malicious. Do you know what it's for or does?
    What is a b1 tag?

    Second, rather than "fix" the server files, wouldn't it be best to remove them and re-upload the last clean version of your backup files? (After rolling back the database if need be)

#3 - SitePoint Wizard | Join Date: Jul 2008 | Posts: 5,757
    Mittineague, it's a technique to hide data in the DOM. Like creating a variable, but without having to declare name and value in a script block (which may not be available to an attacker).

    Code:
    // the first child of <b1> is the HTML comment node; nodeValue is the comment's text
    payload = document.getElementsByTagName("b1")[0].firstChild.nodeValue;

#4 - SitePoint Enthusiast | Join Date: Apr 2004 | Location: Staten Island, NY | Posts: 66
    Yeah, I am not sure exactly what they do on their own, but I know that just the structure of them alone can throw a PHP or ASP file totally out of whack, as they get added in with the rest of the code and it breaks the whole script.

    Also there seems to usually be a random folder created that's buried deep in the folder structure of a site, and that folder is owned by someone other than the ftp user or server admin (only root can delete it). I am trying to target and delete these before repairing the files themselves as I don't want these files to just pop the code back in after I delete it.

    Also, I ran the code from one of these through a base64 decoder and each time I do so it gets larger and larger. Is it possible this is a large script compressed and encoded several times to become just a small string?

    As far as restoring backups from local copies, I have done that on a couple of files, but some of the sites allow other users to edit them, add content, etc., so the copy I have locally might not be the same as the current live version. Generally the server itself backs up the site 2x a day, and then that whole backup drive is also mirrored, so it's a redundant backup system, but unfortunately the backups from 2 days ago are just as infected as they are today.

#5 - SitePoint Enthusiast | Join Date: Apr 2004 | Location: Staten Island, NY | Posts: 66
    Well, I found a copy of a script meant just for this situation. It will not only remove the b1 tags, but it will make sure all files and folders are not publicly writeable.

    PHP Code:
    <?php
    /*
     * Usage: Access it via browser, after placing in main content directory and this file IS owned by your user
     *
     * recursively searches for the <b1> and <ad> tag and removes it.
     * only searches the same files that the attacker searched for.
     * written to be used via calling in a web browser
     *
     * author: chad wilson - modified by kyle gate to include <ad> tag and include some extra functionality
     */
    chmod($_SERVER['SCRIPT_FILENAME'], 0775); // Chmod this script so it can do its thing

    if (!empty($_GET['del'])) {
        unlink($_SERVER['SCRIPT_FILENAME']); // Delete this script when requested
        die("<br><FONT COLOR=RED>Deleted Cleanup Script</FONT>");
    }

    if (!empty($_GET['removeworldwrite'])) {
        // Remove world-writeable permissions. The script uses the PHP_DOCUMENT_ROOT key as posted;
        // on a stock PHP install the document root is $_SERVER['DOCUMENT_ROOT'].
        shell_exec('/bin/chmod -R o-w ' . escapeshellarg($_SERVER['PHP_DOCUMENT_ROOT']));
        echo ('Click <a href="?del=1">Here</a> to delete this cleanup file<br>');
        die("<br><FONT COLOR=RED>Removed world writeable flag from all files in this site</FONT>");
    }

    tag_cleaner($_SERVER['PHP_DOCUMENT_ROOT']); // Call the function below to find and remove <b1> and <ad> tags

    function tag_cleaner($directory, $recursive = true)
    {
        if ($handle = opendir($directory)) {
            while (false !== ($file = readdir($handle))) {
                if ($file != "." && $file != "..") {
                    if (is_dir($directory . "/" . $file)) {
                        tag_cleaner($directory . "/" . $file); // Recurse into subdirectories
                    }

                    // Only touch the file types the injector targets
                    $ext_pattern = "/\.(php[0-9]?|htm[a-z]?|asp[a-z]?|js[a-z]?|jhtm|cfm|ctp|tpl)$/";
                    if (preg_match($ext_pattern, $file)) {
                        $file = $directory . "/" . $file;
                        $file = preg_replace("/\/\//si", "/", $file); // Collapse doubled slashes in the path

                        $file_contents = file_get_contents($file);
                        $file_contents = preg_replace("/<b1>.*<\/b1>/", "", $file_contents, -1, $b1_count); // Find and remove <b1> tags
                        $file_contents = preg_replace("/<ad>.*<\/ad>/", "", $file_contents, -1, $ad_count); // Find and remove <ad> tags
                        $count = $b1_count + $ad_count; // Count both (the posted copy let the second call overwrite the first count)
                        if ($count > 0) {
                            echo "found in $file\n<br>";
                            // Only rewrite files that actually changed, so clean files keep their mtime
                            $fout = fopen($file, 'w') or die("error opening for write, please try refreshing this page again");
                            fwrite($fout, $file_contents);
                            fclose($fout);
                        }
                    }
                }
            }
            closedir($handle);
        }
    }

    echo ('<br><center>If you wish to have the world writeable permission flag removed from any of your websites possibility having World Writeable Files currently, Click <a href="?removeworldwrite=1">Here</a></center><br>');
    echo ('<br><center><h1>Done Scanning, Click <a href="?del=1">Here</a> to delete this cleanup file</h1></center>'); // After we are done doing all this fancy scanning and removing, ask if you want to delete!
    ?>
    It's not however intelligent enough to know how to handle files differently depending on whether or not they contain body and html tags. Would it be possible to mod this so it can do that?
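The two-way cleanup asked for in the first post and again here, as an added example that is not code from the thread or from the PHP script above: a Python 3 script, assumed to be run from the command line over a downloaded copy of the site (or on the server itself), that walks the same file types the PHP script handles, matches the `<b1><!--…--></b1></body></html>` string, and keeps a `</body>\n</html>` only when the file has its own opening `<html>` and `<body>` tags; a code-only file loses the whole string. The extension list, the decision rule and the shape of the injected string come from the thread; the function names, the dry-run flag and the sample site (a constructed placeholder payload, not a real one) are my own.

```python
import re
import tempfile
from pathlib import Path

# The injected block described in this thread: a <b1> element wrapping an HTML
# comment, followed by the </body> and </html> the injector appended.
INJECTED = re.compile(r'<b1><!--.*?--></b1>\s*</body>\s*</html>', re.I | re.S)
OPEN_HTML = re.compile(r'<html\b', re.I)
OPEN_BODY = re.compile(r'<body\b', re.I)
# Same file types the PHP cleanup script in this thread walks over.
EXT = re.compile(r'\.(php[0-9]?|htm[a-z]?|asp[a-z]?|js[a-z]?|jhtm|cfm|ctp|tpl)$', re.I)


def clean_text(text):
    """Return (cleaned text, number of injected blocks removed).

    Decision rule from the first post: a file with its own opening <html> and
    <body> tags keeps a trailing '</body>\\n</html>'; a code-only file (no
    opening tags) loses the whole injected string, </html> included.
    """
    if OPEN_HTML.search(text) and OPEN_BODY.search(text):
        replacement = '</body>\n</html>'
    else:
        replacement = ''
    return INJECTED.subn(replacement, text)


def clean_site(root, dry_run=False):
    """Walk root, clean matching files, return {relative path: blocks removed}.

    Files are read and written as raw bytes (latin-1 round-trips every byte)
    so the cleanup cannot corrupt a file with an unexpected encoding. With
    dry_run=True nothing is written; the report alone shows what would change.
    """
    root = Path(root)
    report = {}
    for path in root.rglob('*'):
        if not path.is_file() or not EXT.search(path.name):
            continue
        text = path.read_bytes().decode('latin-1')
        cleaned, n = clean_text(text)
        if n:
            report[path.relative_to(root).as_posix()] = n
            if not dry_run:
                path.write_bytes(cleaned.encode('latin-1'))
    return report


# Constructed sample site (not taken from the thread): the same injected
# string in a real HTML page and in a code-only PHP include, plus a clean file.
PAYLOAD = '<b1><!--EXAMPLE_BASE64_PLACEHOLDER=--></b1></body>\n</html>'
SAMPLES = {
    'index.html': '<html>\n<body>\n<p>hello</p>\n' + PAYLOAD,
    'inc/config.php': '<?php\n$db = "x";\n?>' + PAYLOAD,
    'inc/clean.php': '<?php\necho 1;\n',
}


def demo():
    """Run the cleaner over the constructed site; return (report, files afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLES.items():
            p = root / name
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body.encode('latin-1'))
        report = clean_site(root)
        after = {name: (root / name).read_bytes().decode('latin-1') for name in SAMPLES}
    return report, after


if __name__ == '__main__':
    report, after = demo()
    for name, n in report.items():
        print(f'{name}: removed {n} injected block(s)')
    print(repr(after['inc/config.php']))  # the code-only file lost </html> as well
```

Run `clean_site(path_to_site, dry_run=True)` first: the returned report lists every file the pattern matched without touching anything, which is the list of files to diff against the backup copy before writing.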

