Actual Search and Replace in Files

In my post on the iframe hack, I mentioned searching through the files and replacing the injected script. We didn’t search by hand. We used an application that scans files for a search string. It’s called Actual Search and Replace, and it worked great.

http://www.divlocsoft.com/

You can search for a single line of text or multiple lines. Multi-line search helped a lot, since the script came in multi-line form as well as single-line. You can also use wildcards in file names: instead of searching only index.html files, you can use index.* so that you also get index.cfm, index.php, etc.

The hacker must have got wise to this, because he started inserting the script on the ending line of code instead of one line below it. So we’d get something like this:

</html><script>I
am
a
bad
script
</script>

Our normal method of searching for

<script>I
am
a
bad
script
</script>

no longer worked, because the starting line now began with </html>. No big deal, we just searched for this instead.

</html><script>I
am
a
bad
script
</script>

Then we replaced it with </html>. We had to do the same for the PHP ?> and ASP %> closing tags as well.
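
The same cleanup can be scripted so that one pattern covers every placement. The Python below is an added example, not part of the original post or of Actual Search and Replace: it matches the placeholder script with any whitespace or line breaks between its tokens, so it does not matter whether the block follows </html>, ?> or %> on the same line or on the next one. SIGNATURE, the function names and the .bak backup convention are assumptions made for the example.

```python
import re
import shutil
from pathlib import Path

# Constructed placeholder standing in for the injected block (the post's own stand-in).
SIGNATURE = "<script>I\nam\na\nbad\nscript\n</script>"

def signature_pattern(signature):
    """Match the signature's tokens with any ASCII whitespace or line endings between them."""
    tokens = [re.escape(tok) for tok in signature.split()]
    # The leading \s* swallows the line break when the block sits one line below the tag.
    # re.ASCII keeps \s from matching bytes such as 0xA0 that belong to multi-byte characters.
    return re.compile(r"\s*" + r"\s+".join(tokens), re.ASCII)

def strip_injected(text, signature=SIGNATURE):
    """Return (cleaned_text, number_of_blocks_removed)."""
    return signature_pattern(signature).subn("", text)

def clean_tree(root, glob="index.*", signature=SIGNATURE):
    """Clean every matching file under root, keeping a .bak copy; return the changed paths."""
    changed = []
    for path in sorted(Path(root).rglob(glob)):
        if not path.is_file() or path.suffix == ".bak":
            continue
        # latin-1 maps bytes 1:1, so files in unknown encodings round-trip unchanged.
        text = path.read_bytes().decode("latin-1")
        cleaned, hits = strip_injected(text, signature)
        if hits:
            shutil.copy2(path, path.with_name(path.name + ".bak"))
            path.write_bytes(cleaned.encode("latin-1"))
            changed.append(path)
    return changed
```

Because the pattern keys on the script itself rather than on the line it starts on, the closing tag before it is left untouched and no separate search per file type is needed.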
