I would like to know if I can help create the regular expression for this line of code:
document.write('<iframe src="http://msn.com" scrolling="auto" frameborder="no" align="center" height="7" width="7"></iframe>');
what happens is that a virus enter and edit all javascript files (. js) by adding at the end the line of code you mention. I’ll use the script of this publication (http://crear-paginas-web.blogspot.com/2010/04/archivos-php-hackeados-con.html) but I need the new regular expression to implement. I’ve been trying to make it on my own but as I know has paid off:
/document[.]write\(\'\<iframe src\=\"http\:\/\/(msn.com)\" scrolling\=\"auto\" frameborder\=\"no\" align\=\"center\" height\=\"7\" width\=\"\7\"\>\<\/iframe\>+\'\);/
I hope you can help me, greetings.
This regex will match your specific string:
http://regexr.com?32k7v
Note that if there is a minimum variation in the markup then it won’t match. You’ll most likely have replace the address with a properly escaped version of your offending script’s address.
If you want a more general regex, to match all
document.writewhich writesiframewith a given URL, you can use:http://regexr.com?32k85
Note that if your website has many pages, it will be hard to be sure that there are no remains of the attack. Hence I’d still suggest restoring a backup of the files if you have any.