On 16 September 2014 23:54, Gareth France <[email protected]> wrote:
> > >> Quoting from my 1979 Unix manual Brian W Kernigan (who is the K in awk) >> says 'there is nothing sacred about slashes' so you can do s?http:// >> ?https://? In other words 'any character can be used to delimit the >> pieces of the s command' It can save a lot of back slash escaping. >> >> Tony >> >> Thank you to everyone for their help. Part of the issue is that the > offending text is massive and contains pretty much anything I could use as > a delimiter. However I found a gui tool to do the job and the clean files > are uploading now. > > The only remaining question is how did it get there to begin with? It was > present on the 4th September but not in mid August. > > There are any number of ways it could have happened but broadly speaking it will be some detectable exploit by which something could be put on the server that could change your scripts. If you're using something common like Wordpress or Joomla there are frequent exploits that are generally detected and fixed fairly quickly but mean that you must keep on top of updates of core applications and plugins, but equally common are scanning methods that detect weak mail forms, upload scripts (often common free ones for example) and similar things and exploit them. A quick detection method would be to find any files added since mid August, particularly in locations where you wouldn't expect them to be. s/ -- Twitter: @sfgreenwood "TBA are particularly glib"
-- [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.ubuntu.com/UKTeam/
