iframe / gariben hack find and removers. iframe / gariben is a script kiddie code added usually via a cracked password or hidden mysql code added to a vulnerable script. I usually refreshes the web page to some sort of web page that downloads a virus.
1.
find /home/username \( -name “*.php” -o -name “*.html” -o -iname “*.htm” \) -exec grep -l “abced” {} \; -exec sed -i “/”abced”/d” {} \;
This is one line of code that will search and remove the line that has the code commonly used with iframe attacks.
2.
This is a script that searches more thoroughly and finishes with a report. But this does not work on all systems and has been known to use the server full memory.
#!/usr/bin/perl
#This code is intended to be used to find injected iframes or javascript in user’s home directories
#You will most certainly have to adjust the pattern matching based on the current “hot” injected code
#Free software licensed under the GPL.
#USE AT YOUR OWN RISK, THIS MODIFIES PAGE CONTENT!use strict;
use warnings;
use File::Listing;
use File::Find;##### Search strings (injected code)
my $jsinject=”[\< \>=a-zA-z ]+function+[dc\(\)x ]+.+< \/script\>”;
my $iframeexp=”[\IFRAMEiframe]”;##### What to replace the iframe with
my $replace = ”;##### Log found files? (0 = No, 1 = Yes)
my $logfiles = 1;##### Where to log?
my $logpath = “/home\/injection.log”;
##### Backup files just in case?
my $backup = 1;
#################Let’s Go ####################
find(\&wanted, ‘/home’);
sub wanted {
my $fullname = $File::Find::name;
next if (stat $fullname)[7] >= 1_000_000;
open(FILE, “< $fullname”) or warn “cannot open $fullname”;
my @readin = ;
close(FILE);
my @backup = @readin;my $matched = 0;
foreach (@readin){
if( $_ =~ /$jsinject/) {
print “Found Match in $fullname\n”;
$_ =~ s/$jsinject/$replace/g;
$matched = 1;
if ($logfiles == 1) {
open(LOG, “>>$logpath”) or warn “cannot open $logpath”;
print LOG “Javascript injection found in $fullname\n”;
close(LOG);
}
}
if( $_ =~ /$iframeexp/) {
print “Found Match in $fullname\n”;
$_ =~ s/$iframeexp/$replace/g;
$matched = 1;
if ($logfiles == 1) {
open(LOG, “>>$logpath”) or warn “cannot open $logpath”;
print LOG “IFRAME found in $fullname\n”;
close(LOG);
}
}
}
if ($matched == 1){
my $backupfile = $fullname . “.bck”;
open(FILE, “>$backupfile”) or warn “cannot open file”;
foreach(@backup){
print FILE $_;
}
close(FILE);
open(FILE, “>$fullname”) or warn “cannot open file”;
foreach (@readin){
print FILE $_;
}
close(FILE);
}
}—-
my $fullname = $File::Find::name;
next if ( $fullname !~ m{ \. ( php | htm | html ) \z }ixms );
next if (stat $fullname)[7] >= 1_000_000;
open(FILE, “<$fullname”) or warn “cannot open $fullname”;