Here is an article that really helped me get my server back up and running.
HTML:Iframe-inf WordPress Infection
If your blog has been infected by the HTML:Iframe-inf infection according to Avast, here are two scripts that can help you.
First: what is the HTML:Iframe infection? It's just a line of text that is inserted at the end of every index.php and/or index.htm in your website. Nothing to freak out about, but you want to fix it. And it's probably due to WordPress not being secure.
Anyway, here is what you do. This is something you run on the command line.
You will need to find infected files first.
find / -type f | xargs grep -l '<iframe' 2>/dev/null
Or you could print out a list of possibly compromised files by typing:
find / -type f | xargs grep -l '<iframe' 2>/dev/null >infectedFileslist.txt
The first step is figuring out what is going on with your virus infection.
If you know the time frame of when the virus ran then you could narrow the list of infected files even more by tweaking the find command.
Let's say you know it infected your website about 5 days ago.
Then you would modify the find command to search all files modified less than 10 days ago.
find / -type f -mtime -10 | xargs grep -l '<iframe' 2>/dev/null >infectedFileslist.txt
More info on the find command here:
http://content.hccfl.edu/pollock/Unix/FindCmd.htm
My short version:
find . -mtime +5 -mtime -10 # find files modified between 5 and 10 days ago
OK, so now you have a list of infected files … This is VERY HELPFUL as you are halfway there to cleaning up your server.
Remove infected text
find / -type f -mtime -10 | xargs grep -l '<iframe' | xargs perl -pi -e 's/^.*\<iframe.*$/ /g'
Here is an explanation of what the script does line by line so you can adjust it to your situation.
find / -type f -mtime -10 – looks at all files that were modified in the last 10 days (adjust as needed)
xargs grep -l '<iframe' – of that list of recently modified files, looks for a line that says <iframe
xargs perl -pi -e 's/^.*\<iframe.*$/ /g' – searches for that line and replaces it with a blank space
Understanding this last line, perl -pi -e, is important. You want to be sure that you know what's going on there because this is where the search and the replace happens. Check out this article: http://www.linux.org/lessons/short/perlpie/perl_pie.html
You can modify the script line by line to
My Contribution:
You can also use this Linux command to find files that were changed in the last 10 days
find /directory-path-to-search-files-from/ -type f -mtime -10 > infectedFileslist.txt
find . -name "*.js" > /home/star/public_html/infectedJSlist.txt
grep command: Recursively Search All Files For A String
cd /path/to/dir
grep -r "word" .
grep -r "string" .
Ignore case distinctions:
grep -ri "word" .
To print only the filenames with GNU grep, enter:
grep -r -l "foo" .
You can also specify directory name:
grep -r -l "foo" /path/to/dir/*.c
find command: Recursively Search All Files For A String
The find command is recommended because of its speed and ability to deal with filenames that contain spaces.
cd /path/to/dir
find . -type f -exec grep -l "word" {} +
find . -type f -exec grep -l "seting" {} +
find . -type f -exec grep -l "foo" {} +
Older UNIX versions should use xargs to speed things up:
find /path/to/dir -type f | xargs grep -l "foo"
It is a good idea to pass the -print0 option to the find command so that it can deal with filenames that contain spaces or other metacharacters:
find /path/to/dir -type f -print0 | xargs -0 grep -l "foo"
I found this command to be really helpful if you are not certain if it's an iframe attack or not.