Iframe hack remover

iframe hack find and remover

uses all memory:

#!/usr/bin/perl

#This code is intended to be used to find injected iframes or javascript in user’s home directories
#You will most certainly have to adjust the pattern matching based on the current “hot” injected code
#Free software licensed under the GPL.
#USE AT YOUR OWN RISK, THIS MODIFIES PAGE CONTENT!

use strict;
use warnings;
use File::Listing;
use File::Find;

##### Search strings (injected code)

my $jsinject=”[=a-zA-z ]+function+[dc()x ]+.+“;
my $iframeexp=”[IFRAMEiframe]“;

##### What to replace the iframe with
my $replace = ”;

##### Log found files? (0 = No, 1 = Yes)
my $logfiles = 1;

##### Where to log?

my $logpath = “/home/injection.log”;

##### Backup files just in case?

my $backup = 1;

#################Let’s Go ####################

find(&wanted, ‘/home’);

sub wanted {
my $fullname = $File::Find::name;
next if (stat $fullname)[7] >= 1_000_000;
open(FILE, “< $fullname") or warn "cannot open $fullname";
my @readin = ;
close(FILE);
my @backup = @readin;

my $matched = 0;

foreach (@readin){
if( $_ =~ /$jsinject/) {
print “Found Match in $fullnamen”;
$_ =~ s/$jsinject/$replace/g;
$matched = 1;
if ($logfiles == 1) {
open(LOG, “>>$logpath”) or warn “cannot open $logpath”;
print LOG “Javascript injection found in $fullnamen”;
close(LOG);
}
}
if( $_ =~ /$iframeexp/) {
print “Found Match in $fullnamen”;
$_ =~ s/$iframeexp/$replace/g;
$matched = 1;
if ($logfiles == 1) {
open(LOG, “>>$logpath”) or warn “cannot open $logpath”;
print LOG “IFRAME found in $fullnamen”;
close(LOG);
}
}
}
if ($matched == 1){
my $backupfile = $fullname . “.bck”;
open(FILE, “>$backupfile”) or warn “cannot open file”;
foreach(@backup){
print FILE $_;
}
close(FILE);
open(FILE, “>$fullname”) or warn “cannot open file”;
foreach (@readin){
print FILE $_;
}
close(FILE);
}
}

—-

my $fullname = $File::Find::name;
next if ( $fullname !~ m{ . ( php | htm | html ) z }ixms );
next if (stat $fullname)[7] >= 1_000_000;
open(FILE, “<$fullname") or warn "cannot open $fullname";