Recovering from an iframe injection hack

From DreamHost
The instructions provided in this article or section require shell access unless otherwise stated.

You can use the PuTTY client on Windows, or SSH on UNIX and UNIX-like systems such as Linux or Mac OS X.
Your account must be configured for shell access in the Control Panel.


If you've been a victim of an iframe injection attack, use the following steps to reverse the damage.

Note: Back up your data before beginning this procedure! Also be sure to secure whatever was broken and allowed this to happen (old scripts, hacked login details, etc.).

Use the following command to search for affected files.

find . -type f | xargs grep -l '<iframe.*statanalyze.cn.*iframe'

Next, use the following command to search and replace on matched iframe text only.

find . -type f -exec sed -i 's/<iframe.*statanalyze.cn.*iframe>//g' {} \;

Adjust the contents of the iframe regexp to match the iframe that was injected into your files. In this example it is: statanalyze.cn

Handling filenames with blanks

The commands above will not work on files with blanks in their names. To handle these, use the following commands:

find . -type f -print0 | xargs -0 grep -l '<iframe.*statanalyze.cn.*iframe'
find . -type f -exec sed -i 's/<iframe.*statanalyze.cn.*iframe>//g' "{}" \;

--Eob 19:13, 31 March 2010 (UTC)
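
A more conservative variant of the commands above, as an added example that is not part of the original article: it rewrites only files that actually match (so timestamps on clean files stay intact), keeps a .bak copy of each edited file, and matches one complete iframe element instead of everything between the first `<iframe` and the last `iframe>` on a line. The function names are illustrative, and it assumes a sed that supports -E and -i.bak (GNU and BSD sed both do).

```shell
#!/bin/sh
# Added example, not from the original article. Function names are illustrative.
# Assumption: sed supports -E and -i.bak.

# Build an extended regexp matching ONE iframe element whose opening tag
# mentions the given domain. [^>]* and [^<]* stop the match at the tag
# boundaries, so legitimate iframes on the same line are left alone.
iframe_pattern() {
    # Escape dots so "statanalyze.cn" cannot match e.g. "statanalyzeXcn".
    esc=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    printf '<iframe[^>]*%s[^>]*>[^<]*</iframe>' "$esc"
}

# Dry run: list affected files under DIR ($1) for DOMAIN ($2).
# find passes names straight to grep, so blanks in filenames are safe.
list_infected() {
    find "$1" -type f ! -name '*.bak' \
        -exec grep -lE "$(iframe_pattern "$2")" {} +
}

# Remove the injected element from matching files only.
# grep -q acts as a filter: sed runs (and writes FILE.bak) only on a match.
clean_infected() {
    pat=$(iframe_pattern "$2")
    find "$1" -type f ! -name '*.bak' \
        -exec grep -qE "$pat" {} \; \
        -exec sed -E -i.bak "s#${pat}##g" {} \;
}

# Typical use from the site root:
#   list_infected . statanalyze.cn    # review the list first
#   clean_infected . statanalyze.cn   # then clean, keeping .bak copies
```

Once the cleaned pages have been checked, delete the .bak copies, since they still contain the injected iframe.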
