beamkiller

Reputation: 188

Remove infected code from JS files

My site got infected and I want to remove the unwanted code from all infected files.

There is a pattern:

/*121c0a16cd66a0ab6181d5bd14b69c9d*/ MALWARE CODE /*121c0a16cd66a0ab6181d5bd14b69c9d*/

So I need to find all files which contain the string, which is good with:

find . -type f -print0 | xargs -0 grep -l "121c0a16cd66a0ab6181d5bd14b69c9d"

Then I need to delete everything inside the 2 patterns and delete the patterns too. So read the file, edit the file and save it.

If the file contains only the malware code, we can delete the file too.

Any help appreciated :). Thanks.

Upvotes: 0

Views: 962

Answers (2)

beamkiller

Reputation: 188

Thanks for the suggestions. I am already using WordFence :). I have solved the issue with these two lines of code:

Recursively search all folders for JS files - run it from current directory - add a new line character before Malware code:

find . -name "*.js"  -exec sed -i "s/\/\*121c0a16cd66a0ab6181d5bd14b69c9d\*\//\n&/g" '{}' \;  

Then delete the malware code:

find . -name "*.js"  -exec sed -i "/121c0a16cd66a0ab6181d5bd14b69c9d/,/121c0a16cd66a0ab6181d5bd14b69c9d/d" '{}' \;

The guidance is from here, good article: https://linuxacademy.com/blog/linux/cleaning-javascript-malware-on-your-linux-server-removing-javascript-between-two-points/

Upvotes: 1
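
As an added example (not code from either answer), the shell functions below remove each marker-delimited block with awk and keep any legitimate code that follows the closing marker on the same line, which a line-based `sed` range delete removes along with the block. The function names and the quarantine directory argument are assumptions; each original is copied to the quarantine directory before it is changed, a file left with no content is deleted as the question asks, and a file whose opening marker never closes is reported and left untouched.

```shell
#!/bin/sh
# Added example, not from the original posts. MARKER is the comment quoted in the
# question; function names and the quarantine directory are assumptions.
MARKER='/*121c0a16cd66a0ab6181d5bd14b69c9d*/'

# Print FILE with every MARKER ... MARKER block removed (blocks may span lines).
# Exit status 3 means an opening marker never closed; do not trust the output.
strip_blocks() {
    awk -v m="$MARKER" '
    {
        line = $0; out = ""; touched = inblock
        while ((i = index(line, m)) > 0) {      # literal match, not a regex
            if (!inblock) out = out substr(line, 1, i - 1)
            line = substr(line, i + length(m))
            inblock = !inblock; touched = 1
        }
        if (!inblock) out = out line            # keep code after the closing marker
        if (!(touched && out ~ /^[ \t]*$/)) print out
    }
    END { if (inblock) exit 3 }' "$1"
}

# Clean one file in place; the untouched original is copied to QUARANTINE first.
clean_file() {
    f=$1; q=$2
    tmp=$(mktemp) || return 1
    if ! strip_blocks "$f" > "$tmp"; then
        echo "SKIPPED (unbalanced markers): $f" >&2; rm -f "$tmp"; return 3
    fi
    mkdir -p "$q/$(dirname "$f")" && cp -p "$f" "$q/$f" || { rm -f "$tmp"; return 1; }
    if grep -q '[^[:space:]]' "$tmp"; then
        cat "$tmp" > "$f"       # overwrite contents, keep owner and mode
    else
        rm -f "$f"              # file held nothing but the injected block
    fi
    rm -f "$tmp"
}

# Clean every .js file under ROOT ($1) that contains the marker.
clean_tree() {
    find "$1" -type f -name '*.js' -exec grep -lF -- "$MARKER" {} + |
    while IFS= read -r f; do clean_file "$f" "$2" || :; done
}
```

Call it as `clean_tree ROOT QUARANTINE`, with the quarantine directory outside the web root so the saved originals are not served.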

Shockrate

Reputation: 89

You can restore a clean backup, and I would install the Wordfence plugin so that it can do the job and scan all the files in your directory; it tells you which ones have changed and how they changed. With it you can delete the junk page or restore it.

Upvotes: 0
