Home/ Questions/Q 8614707
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T05:11:06+00:00

It seems like some malicious script have found it’s way onto the server where

  • 0

It seems like some malicious script have found it’s way onto the server where I hold my webpages. I have several accounts and they are all “infected” (not sure if this is the right word).

Anyway. All index.php files have been prepended with the following code:

<marquee style="position: absolute; width: 0px;">
<a href="http://istanbulescort-ilan.com/" title="escort bayan">escort bayan</a>
<a href="http://istanbulescort-ilan.com/" title="bayan escort">bayan escort</a>
<a href="http://ankaraescortlari.org/" title="ankara escort">ankara escort</a>
<a href="http://ankaraescortlari.org/" title="ankara escort bayan">ankara escort bayan</a>
<a href="http://ankaraescortlari.org/" title="escort ankara">escort ankara</a>
...
<a href="http://hurhaberci.com" title="son haberler">son haberler</a>
</marquee>

This code messes up headers and web pages don’t render well. Not to mention I have some escort services links on all of my webpages.

I’ve found this script, but I’m not sure how to correctly modify it to remove all of the above code from all index.php files on each of accounts on the server. I don’t want to run it and then find out I have to restore hudge backup.

for i in /directory/*.java
do
   # echo 'Working on $i file'
   copy $i tempfil.txt
   sed   -e '/\} catch/,/^\}/d' tempfil.txt > $i
done

[EDIT]

Ok, so I managed to scrape this together. Can someone please just confirm it will work or give any suggestions about what should be changed?

read -d '' hacked <<"EOF"
<marquee style="position: absolute; width: 0px;">
<a href="http://istanbulescort-ilan.com/" title="escort bayan">escort bayan</a>
...
<a href="http://gidasayfasi.com" title="gida">gida</a></marquee>
EOF
find -name \*.php | xargs replace ${hacked} ""  --
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    To delete prepended text (assuming there is not something useful inside the prepended text):

    sed '/<marquee/,/marquee>/ d' index.php

    /EXP1/, /EXP2/ d means that sed matches lines between expression EXP1 and expression EXP2, then apply action ‘d’ (which is ‘delete’).

    Hope this helps.

    —- edit according to the comment below —
    —- there may be correct code inside the malicious one —-
    You can imagine to copy/paste the portion of text to delete in a text file name ‘tobedeleted.txt’. Then write the following script process.sh (where $1 is the file to clean up)

    #/bin/bash
diff --suppress-common-lines $1 tobedeleted.txt | grep -e '^<' | sed 's/^< //'

    the diff command above show you only the difference between the reference malicious code and the content of file $1. The difference is computed line by line and shows a markup character ‘< ‘ before the line (see man diff).
    Please try this command first.

    You can call the script (do a chmod u+x process.sh first to make it executable) and redirect the result into another script, for example:

    process.sh index.php > new_index.php

    So, to correct a large number of files, do a script like:

    #/bin/bash
find . -name "*.php" | while read pathfile
do
   file=${pathfile##*/} # remove the path from the fullpath to the file
   pathonly=${pathfile%/*} # keep only the path
   cp $pathfile ${pathonly}/${file}.org # copy original file to save it, in case of...
   process.sh  ${pathonly}/${file}.org > ${pathfile} # apply correction
done
    • 0