0

我有这个问题:

我网站的各个页面(通常:html、php 和 js)都受到特洛伊木马(基于 NOD32 扫描的 JS/Kryptik.ADZ)的影响。

每种类型的页面中的代码是这样的:

PHP:

#336988#
echo "<script type=\"text/javascript\" language=\"javascript\" > CODE OF MALWARE </script>";
#/336988#

JS:

/*336988*/
CODE OF MALWARE
/*/336988*/

HTML:

<!--336988-->
<script type="text/javascript" language="javascript" >CODE OF MALWARE</script>
<!--/336988-->

所以我使用 Notepad++ 和正则表达式用空白文本替换恶意软件。我的正则表达式是这样的:(<!--|\#|/\*)336988.+/336988(-->|\#|\*/)

但是这个表达式只能找到 HTML。为什么?

我不明白。

如果我的英语和我对正则表达式的了解很差,我很抱歉。

谢谢

卡罗

4

4 回答 4

0

试试这个,我遇到了同样的问题,它奏效了。

/#336988#(.*?)#\/336988#/ism
于 2013-02-05T14:17:18.703 回答
0

试试这个:

'^.*336988.*[\s\S]*.*336988.*$'
于 2013-01-13T14:33:03.067 回答
0

是修复 336988、68c8c7、8f4d8e、a59dc4 的脚本。

于 2013-02-22T11:31:14.857 回答
0

今天我遇到了同样的问题,但代码不同。此代码影响了 aspx、asp、htdocs、html、htm 和 js 文件。下面是我在 Powershell 中修复这些文件的代码。对于 JS 文件,您需要更改行:

    $regex = New-Object System.Text.RegularExpressions.Regex "<!--68c8c7-->((.|\n)*)<!--/68c8c7-->"

至:

    $regex = New-Object System.Text.RegularExpressions.Regex "/\*68c8c7\*((.|\n)*)68c8c7\*/"

和线

    Get-ChildItem . -Recurse -Include *.aspx,*asp,*.html,*.htm | where-object {$_.lastwritetime –gt $DateToCompare} |  %{Write-Host Examining file: $_.fullname; $_} | ForEach-Object { DoWork $_.Name $_.DirectoryName}

至:

    Get-ChildItem . -Recurse -Include *.js | where-object {$_.lastwritetime –gt $DateToCompare} |  %{Write-Host Examining file: $_.fullname; $_} | ForEach-Object { DoWork $_.Name $_.DirectoryName}

下面的代码(这个脚本将创建 Backup_* 文件,毕竟你可以删除这些文件):

function tryFixFile($filepath, $filepathBackup)
{   
    $infile = [string]::join([environment]::newline, (get-content -path $filepath))
    $regex = New-Object System.Text.RegularExpressions.Regex "<!--68c8c7-->((.|\n)*)<!--/68c8c7-->"

    if($regex.IsMatch($infile))
    {
        $intAnswer = $WScriptObject.popup("File needs to be change: " + $filepath + " do you want to continue?", 0,"Change File",4)
        If ($intAnswer -eq 6) 
        {
            Write-Host "  Creating backup for file: "  $filepath
            Copy-Item $filepath $filepathBackup
            $replace = $regex.Replace($infile,"")
            $replace | out-file $filepath
        } else 
        {
            $a.popup("File " + $filepath + " won't be changed.")
        }
    }
}

function DoWork($filename, $directory)
{   
    $filepath = $directory + '\' + $filename
    $filepathBackup = $directory + '\' + "Backup_" + $filename

    $WScriptObject = new-object -comobject wscript.shell

    tryFixFile $filepath $filepathBackup
}



$pathToCheck = Read-Host 'WARNING!! Path to check/change?'
if (Test-Path $pathToCheck)
{
    Set-Location $pathToCheck

    #files were affected no longer that 2 days ago, you can change this
    $DateToCompare = (Get-date).AddDays(-2)

    Get-ChildItem . -Recurse -Include *.aspx,*asp,*.html,*.htm | where-object {$_.lastwritetime –gt $DateToCompare} |  %{Write-Host Examining file: $_.fullname; $_} | ForEach-Object { DoWork $_.Name $_.DirectoryName}
}else
{
    write-host "Path doesn't exist"
}
于 2013-02-22T17:13:38.477 回答