Finding and deleting defaced files

thomasdk81

thomasdk81

Verified User
Joined
Oct 3, 2010
Messages
56
Location
Denmark
Hi,

My server got defaced(all index.* files where replaced with a hackers message) some time ago.
I got all the site up and running again, but there are still some index.* files left which aren't used but still deface.

I run this and I get a list of all the files that are defaced:
Code: 
find . -name "index.*" | xargs grep 'OwNeD' -sl

How do I delete the files found or better just clear the contents of the file.

Another issue I just got a notice about is that the links in PHP error messages, links to a defaced file. I don't know where these are stored and they aren't found by the cmd above.

Example:
Code: 
Warning: require_once() [function.require-once]: URL file-access is disabled in the server configuration
The link is on the [function.require-once] part.

You can see and example here !!NOTICE THIS IS A DEFACED PAGE WITH POTENTIALLY BAD LINKS!! bifrost-terenas.dk/index2.php
 
You would have to write a script to remove the bad code.
 
@Scsi: not really that usefull :)

Doesn't anybody know where the PHP error text etc. is stored?
And how to delete the find results?
 
thomasdk81 said:
Hi,

My server got defaced(all index.* files where replaced with a hackers message) some time ago.
I got all the site up and running again, but there are still some index.* files left which aren't used but still deface.

I run this and I get a list of all the files that are defaced:
Code: 
find . -name "index.*" | xargs grep 'OwNeD' -sl
How do I delete the files found or better just clear the contents of the file.
Click to expand...
Pipe through another xargs command to delete the file, or to copy in a blank file.

Jeff
 
You must log in or register to reply here.
Back
Top