Recovering from an iframe injection hack

From DreamHost

The instructions provided in this article or section require shell access unless otherwise stated.

You can use the PuTTY client on Windows, or SSH on UNIX and UNIX-like systems such as Linux or Mac OS X.
Your account must be configured for shell access in the Control Panel.

If you've been a victim of an iframe injection attack, you'll be looking for an easy way to reverse the damage done.

Be sure to back up your data! Also be sure to secure whatever was broken and allowed this to happen (old scripts, hacked login details, etc.).

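The first command searches for affected files. The -print0 and -0 options keep file names that contain spaces intact, and the dot in the domain is escaped so it matches a literal dot.

find . -type f -print0 | xargs -0 grep -l '<iframe.*statanalyze\.cn.*iframe'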

The second command performs a search and replace on the matched iframe text only.

find . -type f -exec sed -i 's/<iframe.*statanalyze\.cn.*iframe>//g' {} \;

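Adjust the contents of the iframe regexp to suit; in this example it is: statanalyze.cn. Note that .* is greedy: if a line contains more than one iframe, the match runs from the first <iframe to the last iframe> on that line, so compare the cleaned files against your backup.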
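The two steps above combined into one function, as an added example that is not part of the original article: it lists affected files first, and only rewrites them (keeping a copy of each) when asked to. The function name clean_iframes, the .infected suffix and the IFRAME_HITS variable are assumptions made for this example, and the pattern is narrowed to a single iframe element so other markup on the same line survives.

```shell
#!/bin/sh
# Added example: report-then-clean for one injected iframe domain.
# Usage: clean_iframes DIR DOMAIN [apply]
#   without "apply": only lists affected files (dry run)
#   with "apply":    copies FILE to FILE.infected, then rewrites FILE
# The number of affected files is left in IFRAME_HITS.
# Assumes file names contain no newline characters.
clean_iframes() {
    dir=$1 domain=$2 mode=${3:-dry-run}
    # Escape regex metacharacters so "." in the domain matches a literal dot.
    dom_re=$(printf '%s' "$domain" | sed 's/[][\.*^$]/\\&/g')
    # [^>]* and [^<]* keep the match inside one iframe element, so a
    # legitimate iframe on the same line is not swallowed by the match.
    pat="<iframe[^>]*${dom_re}[^>]*>[^<]*</iframe>"
    list=$(mktemp) || return 1
    # -print0 / -0 cope with spaces in file names; earlier copies are skipped.
    # grep exits non-zero when nothing matches, which is not an error here.
    find "$dir" -type f ! -name '*.infected' -print0 |
        xargs -0 grep -l -- "$pat" > "$list" || :
    IFRAME_HITS=0
    while IFS= read -r f; do
        IFRAME_HITS=$((IFRAME_HITS + 1))
        echo "$mode: $f"
        if [ "$mode" = apply ]; then
            # Keep the original beside the file, then write the cleaned version.
            cp -p -- "$f" "$f.infected" &&
                sed "s#${pat}##g" "$f.infected" > "$f"
        fi
    done < "$list"
    rm -f "$list"
}
```

Run it without the third argument first to review the list, then again with apply. Once the cleaned files are verified, move the .infected copies out of the web root, since they still contain the injected markup.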
