Clean server infected with c3284d virus, using search and replace
awk 'BEGIN { clean=1 } /#c3284d#/ { clean=0 } /#\/c3284d#/ { clean=1 } { if (clean==1 && match($0,"#\/c3284d#") == 0) { print $0 } }' dirty-file > clean-file
That's a mouthful but it does the trick:
$ cat <<'EOF' | awk 'BEGIN { clean=1 } /#c3284d#/ { clean=0 } /#\/c3284d#/ { clean=1 } { if (clean==1 && match($0,"#\/c3284d#") == 0) { print $0 } }'
> foo
> #c3284d#
> bar
> baz
> #/c3284d#
> quux
> EOF
foo
quux
Clean server infected with c3284d malware, using shell script
well in 2 stages this is achievable
in above example there was 2 occurances ? for 2 delit is called 3 times (to catch last instance of it) how ever many instances + 1 times delit needs to be called within the bottom of for loop
cd webpath;
grep -r c3284d *|awk -F":" '{print $1}'|grep -v fix.sh|sort|uniq > infected.txt
./fix.sh infected.txt
this is all the files in infected.txt now fixed
this is actual scipt
fixit.sh
#!/bin/bash
inputfile=$1;
pattern1='c3284d';
pattern2='c3284e';
function addreturn() {
in1="<!--c3284d-->"
out1="
c3284d
";
in=$in1 out=$out1 perl -pi.nk -e 's/\Q$ENV{"in"}/$ENV{"out"}/g' $file
in1="<!--/c3284d-->"
out1="
c3284d
";
in=$in1 out=$out1 perl -pi.nk -e 's/\Q$ENV{"in"}/$ENV{"out"}/g' $file
in1="/*c3284d*/"
out1="
c3284e
";
in=$in1 out=$out1 perl -pi.nk -e 's/\Q$ENV{"in"}/$ENV{"out"}/g' $file
in1="/*/c3284d*/"
out1="
c3284e
";
in=$in1 out=$out1 perl -pi.nk -e 's/\Q$ENV{"in"}/$ENV{"out"}/g' $file
}
function delit () {
echo "Working on $file"
delids=`egrep -n "($pattern)" $file|awk -F":" '{print $1}'|tr "\n" " "`
echo $delids;
delarray=( $delids )
val1=${delarray[0]}
val2=${delarray[1]}
if [ "$val2" == "" ]; then
val2=`expr $val1 + 1`
fi
doit=$val1","$val2"d"
ed -s $file << EOF
$doit
.
w
q
EOF
}
for file in `cat $inputfile`
do
addreturn;
pattern=$pattern1
delit;
pattern=$pattern2;
delit;
done
E2A - WARNING this is using ed to find the line numbers of instances and then actually edit file live and remove between the lines so please backup your content before attempting this
16th Sunday
I tested the old script again this time I put text withineach of the cp3842 and found it was removing text or content between the first call and second call.
Script has now been updated above, I have done some replacing of the tags and inserted extra carriage returns, the reason content between first call 2nd call went missing was due to me doing a -- on val2. This now splits first chunk as original id, the second chunk as cp384e changes d to e then does a delit twice depending on pattern.
This does work I have tested it
$ cp ../test1.pp ./
$ grep -n c3284d test1.pp |awk '{print $1}'
3:<!--c3284d--><script>function
8:/*c3284d*/
10:/*/c3284d*/
$ grep -n AAA test1.pp
1:AAAAAAAAAAAAAAAA
2:AAAAAAAAAAAAAAA
$ grep -n BBB test1.pp
5:BBBBBBB
6:BBBBBB
$ grep -n CCC test1.pp
11:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
12:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
$ ./fix1.sh infected.txt
Working on test1.pp
4 6
Working on test1.pp
10 14
$ grep -n c3284d test1.pp |awk '{print $1}'
$ grep -n AAA test1.pp
1:AAAAAAAAAAAAAAAA
2:AAAAAAAAAAAAAAA
$ grep -n BBB test1.pp
6:BBBBBBB
7:BBBBBB
$ grep -n CCC test1.pp
11:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
12:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
$
Sed regexp multiline - replace HTML
While @nhahtdh's answer is the correct one for your original question, this solution is the answer to your comments:
sed '
/<!-- PAGE TAG -->/,/<!-- PAGE TAG -->/ {
1 {
s/^.*$/Replace Data/
b
}
d
}
'
You can read it like so:
/<!-- PAGE TAG -->/,/<!-- PAGE TAG -->/
-> for the lines between these regexes
1 {
-> for the first matching line
s/^.*$/Replace Data/
-> search for anything and replace with Replace Data
b
-> branch to end (behaves like break in this instance)
d
-> otherwise, delete the line
You can make any series of sed commands into one-liners with gnu sed by adding semicolons after each command (but it's not recommended if you want to be able to read it later on):
sed '/<!-- PAGE TAG -->/,/<!-- PAGE TAG -->/ { 1 { s/^.*$/Replace Data/; b; }; d; };'
Just as a side note, you should really try to be as specific as possible in your posting. "replaced/removed" means "replaced OR removed". If you want it replaced, just say replaced. That helps both those of us trying to answer your question and future users who might be experiencing the same issue.
Getting Error while sending the email in .NET
There isn't anything wrong with your code. This part of the error message:
4.3.2 Service not available, closing transmission channel
Is actually coming from your mail server, and the framework is simply passing the error message on to your application, and throwing it as part of the exception.
4.x.x errors are usually temporary, and are meant to be retried. Typically mail servers are overloaded when they throw a 400 error.
Related Topics
Need to Get the Dates of All Mondays in a Year
Keep Meteor Running on Amazon Ec2
Does Linking an '-Lpthread' Changes Application Behaviour? (Linux, Glibc)
Sub-Shell Differences Between Bash and Ksh
Get Parent Directory of a File in Bash
How to Install a Rpm Package and Its Dependencies Offline
Bash - Surround All Array Elements or Arguments with Quotes
Arm Inline Asm: Exit System Call with Value Read from Memory
How to Set Cronjob with Non-Root User
Zsh Menu Completion Causes Problems After Zle Reset-Prompt
Populate a Ms Access Database in Linux
Printing Current Time in Milliseconds or Nanoseconds with Printf Builtin