Problem with regex replace in pages html, php and javascript affected by trojan horse


Carlo Lombardo

Jan 13, 2013, 5:02:42 AM
to re...@googlegroups.com
Hi there, I have this problem:
Various pages of my site (typically: html, php and js) are affected by a trojan horse (JS/Kryptik.ADZ for NOD32).
The code in each type of page is like this:
PHP:
#336988#
echo
"<script type=\"text/javascript\" language=\"javascript\" > CODE OF MALWARE </script>";
#/336988#



JS:
/*336988*/
CODE OF MALWARE
/*/336988*/



HTML:
<!--336988-->
<script type="text/javascript" language="javascript" >CODE OF MALWARE</script>
<!--/336988-->



So I use Notepad++ and regex to replace malware with blank text.
My regex is this:
(<!--|\#|/\*)336988.+/336988(-->|\#|\*/)


But only HTML is found by this expression. Why?
I don't understand.

I'm sorry if my English and my knowledge of regex are poor.

Thanks

Carlo

Eugeny Sattler

Jan 13, 2013, 1:53:34 PM
to re...@googlegroups.com
Hi Carlo

^(#|\/\*|\<!--)336988(#|\*/|-->)\r\n.+?\r\n(#/|/\*/|<!--/)336988(#|\*/|-->)

The above RE works in PowerGREP.

Franco D'Agostino

Feb 22, 2013, 6:46:20 AM
to re...@googlegroups.com

Hi, I have the same problem and I've posted a script on StackOverflow that solves it; I hope it can help.

Prashant Patole

Mar 11, 2013, 4:48:38 AM
to re...@googlegroups.com
for HTML
find string is
(?<=<!--336988-->[\r\n\s]+<script type="text/javascript" language="javascript" >)(?:[^[<]+)+(?=</script>\s*<!--/336988-->)
replace string is blank


for JS
find string is
(?<=/\*336988\*/\s*).+(?=\s*/\*/336988\*/)

replace string is blank


for PHP
find is 
(?<=#336988#[\r\n\s]+echo\s+"<script type=\\"text/javascript\\" language=\\"javascript\\" >)(?:[^[<]+)+(?=</script>";\s*#/336988#)

and replace is blank.







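Added example (not code from any poster in this thread): a Python version of the cleanup the thread is after, removing every block wrapped in the 336988 marker from PHP, JS and HTML text. It pairs each comment opener with its own closer, lets the match span line breaks, and counts markers left behind by unterminated blocks; the function names and sample strings are constructed for illustration.

```python
import re

MARKER = "336988"  # marker id quoted in the thread

# (opener, closer) of each comment style shown in the thread, regex-escaped.
STYLES = [("<!--", "-->"), (r"/\*", r"\*/"), ("#", "#")]


def build_pattern(marker):
    m = re.escape(marker)
    # Each alternative pairs one opener with its own closer. ".*?" is lazy so a
    # match ends at the first closing marker; DOTALL lets "." cross line breaks.
    alts = [rf"{o}{m}{c}.*?{o}/{m}{c}" for o, c in STYLES]
    # Also consume trailing blanks and one line break so no empty line remains.
    return re.compile(r"(?:%s)[ \t]*(?:\r?\n)?" % "|".join(alts), re.DOTALL)


def clean(text, marker=MARKER):
    """Return (cleaned_text, blocks_removed, leftover_markers)."""
    cleaned, removed = build_pattern(marker).subn("", text)
    # A marker that survives means an unterminated or altered block:
    # flag the file for manual review instead of guessing where it ends.
    leftover = len(re.findall(re.escape(marker), cleaned))
    return cleaned, removed, leftover


# Constructed samples mirroring the three layouts in the thread
# (hypothetical file contents, with the payload as a placeholder).
PHP = '<?php\n#336988#\necho\n"<script type=\\"text/javascript\\" > CODE OF MALWARE </script>";\n#/336988#\necho "ok";\n'
JS = "var a = 1;\n/*336988*/\nCODE OF MALWARE\n/*/336988*/\nvar b = 2;\n/*336988*/\nCODE OF MALWARE\n/*/336988*/\n"
HTML = "<p>hi</p>\r\n<!--336988-->\r\n<script>CODE OF MALWARE</script>\r\n<!--/336988-->\r\n</body>\r\n"
BROKEN = "x();\n/*336988*/\nCODE OF MALWARE\n"  # opening marker, no closing one

if __name__ == "__main__":
    for name, sample in [("php", PHP), ("js", JS), ("html", HTML), ("broken", BROKEN)]:
        out, removed, leftover = clean(sample)
        print(name, "removed:", removed, "leftover markers:", leftover)
```

A nonzero leftover count means the file still contains the marker and should be inspected by hand before it goes back into service.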