Iframe hack remover

iframe hack find and remover


This version uses all memory:


#!/usr/bin/perl


#This code is intended to be used to find injected iframes or javascript in user’s home directories
#You will most certainly have to adjust the pattern matching based on the current “hot” injected code
#Free software licensed under the GPL.
#USE AT YOUR OWN RISK, THIS MODIFIES PAGE CONTENT!


use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Find;
use File::Listing;


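##### Search strings (injected code)
# Both patterns are compiled once with qr// so the backslashes and
# delimiters mean what they say; in a double-quoted string "\<" and "\/"
# lose their backslash before the regex engine ever sees them.
#
# $jsinject: the published class read "a-zA-z", which also covers the
# punctuation between 'Z' and 'a'; it is A-Z here. The closing tag tolerates
# optional whitespace after '<', and the body match is non-greedy so the
# substitution stops at the first closing script tag on the line instead of
# swallowing legitimate markup up to the last one.
my $jsinject = qr{[<>=a-zA-Z ]+function[dc()x ]+.+?<\s*/script>};

# $iframeexp: NOTE(review): the pattern as published was the bare character
# class [IFRAMEiframe], which matches any single one of those letters and
# would delete them from every line of every file scanned. The intended
# expression was presumably lost when the page was rendered. The pattern
# below is a constructed stand-in that matches any iframe element; narrow
# it to the signature of the injection actually being cleaned before use,
# otherwise legitimate embedded frames are removed as well.
my $iframeexp = qr{<iframe\b[^>]*>(?:.*?</iframe\s*>)?}i;


##### What to replace the iframe with
my $replace = '';


##### Log found files? (0 = No, 1 = Yes)
my $logfiles = 1;


##### Where to log?
# The log sits inside the tree that is scanned below; keep it in a
# directory only the operator can write to.
my $logpath = '/home/injection.log';


##### Backup files just in case? (0 = No, 1 = Yes)
# Backups are written next to the original as "<name>.bck". Inside a web
# root such a copy can be fetched as plain text, so collect or remove the
# backups once the clean-up has been verified.
my $backup = 1;


#################Let's Go ####################
# Dry-run on a copy of the tree first: wanted() rewrites files in place.
find(\&wanted, '/home');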


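# File::Find callback: inspect one path, strip every match of $jsinject and
# $iframeexp from its lines, and rewrite the file in place.
#
# Reads the file-level settings $jsinject, $iframeexp, $replace, $logfiles,
# $logpath and $backup. Returns nothing; failures are reported with warn and
# leave the file untouched.
#
# The scanned tree is writable by the account owners, so every path is
# handled as untrusted: symlinks and special files are skipped, the opened
# handle is checked against the inode that was examined, and the backup is
# created exclusively so a pre-planted link cannot redirect the write.
sub wanted {
    my $fullname = $File::Find::name;

    # lstat (not stat) so a symlink is seen as a link rather than as its
    # target; -f on the cached result is therefore false for links,
    # directories, FIFOs and devices.
    my ($dev, $ino, $size) = (lstat $fullname)[0, 1, 7];
    return if !defined $size;
    return if !-f _;

    # "return", not "next": this is a subroutine body, not a loop body.
    return if $size >= 1_000_000;

    # Leave the script's own log and earlier backups alone.
    return if $fullname eq $logpath;
    return if $fullname =~ /\.bck\z/;

    my $in = _open_same_inode('<', $fullname, $dev, $ino);
    if (!$in) {
        warn "cannot open $fullname";
        return;
    }
    my @readin = <$in>;
    close $in;

    # File names come from the scanned accounts; mask control characters so
    # a crafted name cannot forge extra lines in the terminal or the log.
    (my $shown = $fullname) =~ s/[\x00-\x1F\x7F]/?/g;

    my @cleaned = @readin;
    my $matched = 0;
    for my $line (@cleaned) {
        if ($line =~ /$jsinject/) {
            print "Found Match in $shown\n";
            $line =~ s/$jsinject/$replace/g;
            $matched = 1;
            _log_hit("Javascript injection found in $shown\n");
        }
        if ($line =~ /$iframeexp/) {
            print "Found Match in $shown\n";
            $line =~ s/$iframeexp/$replace/g;
            $matched = 1;
            _log_hit("IFRAME found in $shown\n");
        }
    }
    return if !$matched;

    # Honour the $backup switch (it was previously ignored). O_EXCL refuses
    # an existing path, including a symlink, so the first backup is never
    # overwritten; mode 0600 keeps the copy unreadable to other accounts.
    if ($backup == 1) {
        my $backupfile = $fullname . '.bck';
        my $bk;
        if (!sysopen $bk, $backupfile, O_WRONLY | O_CREAT | O_EXCL, 0600) {
            warn "cannot create $backupfile, leaving $fullname untouched: $!";
            return;
        }
        my $written = print {$bk} @readin;
        if (!close($bk) || !$written) {
            warn "cannot write $backupfile, leaving $fullname untouched";
            return;
        }
    }

    # Reopen without truncating, confirm it is still the inode examined
    # above, and only then empty and rewrite it.
    my $out = _open_same_inode('+<', $fullname, $dev, $ino);
    if (!$out) {
        warn "cannot reopen $fullname for writing";
        return;
    }
    if (!truncate($out, 0)) {
        warn "cannot truncate $fullname: $!";
        close $out;
        return;
    }
    my $rewritten = print {$out} @cleaned;
    if (!close($out) || !$rewritten) {
        warn "error while rewriting $fullname";
    }
    return;
}

# Open $path in $mode and return the handle only if it refers to the same
# device and inode that lstat reported, so a file swapped for a link between
# the check and the open is rejected. Returns nothing on any failure.
sub _open_same_inode {
    my ($mode, $path, $dev, $ino) = @_;
    open(my $fh, $mode, $path) or return;
    my @opened = stat $fh;
    if (!@opened || $opened[0] != $dev || $opened[1] != $ino) {
        close $fh;
        return;
    }
    return $fh;
}

# Append one message to $logpath when logging is switched on.
sub _log_hit {
    my ($message) = @_;
    return if $logfiles != 1;
    my $log;
    if (!open $log, '>>', $logpath) {
        warn "cannot open $logpath";
        return;
    }
    print {$log} $message;
    close $log;
    return;
}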


—-


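# Revised opening of wanted(): only files whose names end in .php, .htm or
# .html are read. Injected markup can also sit in other files the web
# server delivers, so extend the list to match the site.
my $fullname = $File::Find::name;
# "return", not "next": this code runs inside the wanted() subroutine.
return if $fullname !~ m{ \. (?: php | htm | html ) \z }ixms;
# lstat so a symlink is not followed; -f on the cached result rejects
# links, directories and special files.
my $size = (lstat $fullname)[7];
return if !defined $size || !-f _ || $size >= 1_000_000;
# Three-argument open: the file name is never parsed for a mode or for
# surrounding whitespace. The FILE handle name is kept for the rest of the
# subroutine, which is not shown here.
open(FILE, '<', $fullname) or do { warn "cannot open $fullname"; return; };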
