0

My website has been hacked, with the effect being the addition of a script (vbScript, I think) just before the /body tag on certain pages. I can select all of the pages which are targeted using 

$files=get-childitem . -recurse -include $a |  where {$_.LastWriteTime -gt
[datetime]::parse("08/14/2011")}

where $a is an array of file specs. I would like to run each of these files through a get-content|-replace|set-content pipeline, but I can't get the -replace arguments right. Basically, I want to replace everything between the and tags, including the tags, with blank space or an HTML comment. I'm pretty sure this can be solved with regex, but I just can't get it right - something like:

foreach ($f in $files)
{(get-content $f)|foreach-object {$_ -replace "<script>\w+</script>","<!--Script Replaced-->"}|set-content $f}

Thanks in advance,

Eric F

Improve this question
1
  • A preventative measure for the future, maintain multiple backups (and keep many of them). Another simple option if your site isn't complex is to check-in those backups to some kind of source control. You can then see when the change occurred and what changed. Plus you can remove those edits while still keeping good changes that may have happened afterward. Commented Aug 18, 2011 at 16:24

1 Answer 1

Reset to default
1

Disclaimer: Regex is not HTML parser. You will run into corner cases.

The script tags are probably multiline, so you want to:

1) Get all the lines of the file ( get-content and piping it like you have done will only process line-by-line )

2) Use a regex that can replace / process over multiple line ( the regex you have used will only look within a single line)

So you can try something like below for getting the content and replacing the tags:

$content = [System.IO.File]::ReadAllText($f)
$content -replace "(?s)<script>.+?</script>","" | out-file $f
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.