Remove Malicious Javascript Code From Website


netroact
04-11-2009, 09:11 PM
Malicious Javascript code has been inserted into the html pages on one of my huge websites. It is an encrypted string that calls stuff that comes from a .js file on another server.

I want to use perl regex to remove the javascript code. I usually do regex per line, but in this case it is spread over several lines alongside other code. Since the code begins with an opening javascript tag:
<script language=javascript>
And ends with the closing javascript tag:
</script>
I'm thinking that there's probably a way to remove just the javascript code from multiple lines. There is no other javascript in the html pages.

I would prefer that the script goes through all directories and subdirectories in one pass, but I'm not prepared to think that hard today. If I could just learn the regex, I will just do one dir or subdir at a time, and check it.

Thanks anyone!

FishMonger
04-11-2009, 09:50 PM
Here's one method. Load the entire file into a scalar and apply this regex
s~<script language=javascript>.+?</script>~~sg
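
The slurp-and-substitute approach above, applied to a whole directory tree, as an added example that is not part of the original thread. It assumes, as the first post states, that the pages contain no other javascript; the `--apply` switch, the `.infected` backup suffix and the relaxed pattern (case, whitespace and optional quotes) are choices made for this example.

```perl
#!/usr/bin/perl
# Added example (not from the thread): strip the injected <script> block from
# every .html/.htm file under a directory tree, using only core modules.
use strict;
use warnings;
use File::Find;
use File::Copy qw(copy);

my ($root, $mode) = @ARGV;
die "usage: $0 <docroot> [--apply]\n" unless defined $root && -d $root;
my $apply = defined $mode && $mode eq '--apply';

# Same pattern as in the thread, but tolerant of case, extra whitespace and
# optional quotes around the attribute value. /s lets . match newlines, so the
# block may span several lines; .*? stops at the first closing tag.
my $injected = qr{<script\s+language\s*=\s*["']?javascript["']?\s*>.*?</script\s*>}is;

my ($scanned, $hits) = (0, 0);

find({ no_chdir => 1, wanted => sub {
    my $path = $File::Find::name;
    return unless -f $path && $path =~ /\.html?\z/i;
    $scanned++;

    # Slurp the whole file into one scalar; a line-by-line loop would never
    # see the opening and closing tags in the same string.
    open my $in, '<:raw', $path or do { warn "skip $path: $!\n"; return };
    my $html = do { local $/; <$in> };
    close $in;

    my $count = () = $html =~ /$injected/g;
    return unless $count;
    $hits++;
    print "$path: $count block(s)\n";
    return unless $apply;

    # Keep the infected original for later investigation, then rewrite.
    copy($path, "$path.infected") or do { warn "no backup for $path: $!\n"; return };
    (my $clean = $html) =~ s/$injected//g;
    open my $out, '>:raw', $path or do { warn "cannot write $path: $!\n"; return };
    print {$out} $clean;
    close $out or warn "close $path: $!\n";
}}, $root);

printf "%d file(s) scanned, %d with injected script%s\n",
    $scanned, $hits, $apply ? ' (cleaned)' : ' (dry run, pass --apply to rewrite)';
```

Run it without `--apply` first to review the list of affected files. Once the `.infected` copies have been examined, move them out of the web root so they are not served.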

bazz
04-12-2009, 12:24 AM
Are you on a shared server? Do you know how the code has been inserted? Even if you get the regex to work (and because it's from FishMonger I suspect you will :p ), you should try to plug that opening.

bazz

netroact
04-12-2009, 06:21 AM
> Here's one method. Load the entire file into a scalar and apply this regex
> s~<script language=javascript>.+?</script>~~sg

I loaded the file into a scalar. I even tested it by printing it to browser, but I couldn't get your regex to work. I'm sure it works, I'm just not smart enough to use it.

I finally just used a foreach line regex along with the File::DirWalk module, and successfully automated the task to about 5 seconds.

Thanks for your response.

KevinADC
04-13-2009, 04:17 AM
Happened to me too on the ipowerweb servers (shared) a while back. No idea how, but I removed the js code by hand; it took a while to find all the pages. It still hasn't returned.

netroact
04-13-2009, 05:40 AM
> Happened to me too on the ipowerweb servers (shared) a while back. No idea how, but I removed the js code by hand; it took a while to find all the pages. It still hasn't returned.

It actually happened on a client's website. It was a shared account. Unix reported a warning a while back in PureFTP for that account, and I thought it was just another auto update. I checked out the website and couldn't find anything wrong, so I restarted the FTP server. Guess I should have investigated further. Hard lesson learned, I guess.