Been hit with some nasty JavaScript malware on my site. I know that each offending code block starts with the following:

    <script language=javascript><!--
    (function()

and ends with

    </script>

I'd like to remove the nasty bits via regex on Windows, using some sort of freeware regex replacement tool. Any suggestions here? Thank you much.

+1  A: 

You might want to try UltraEdit, it has a built-in regular expression search/replace that works well. Also I believe the demo works for 30 days.

If you just want to remove all JavaScript blocks from your pages, you would search for:

    <script language=javascript><!--[\s\S\p]+</script>

(\s = whitespace, \S = non-whitespace, \p = newline characters)

Make sure you have the regular expressions box checked in the search/replace dialog.

Edit

Add to the regular expression that after <script> should follow <!-- (I altered the above example) and you'll get only those <script> sections that include a comment immediately following the opening tag.

JYelton
Thanks, but I need to only remove the code block that has the opening comment with the function, not all script blocks.
jeff
Edited example to match what you're looking for.
JYelton
+1  A: 

I think you should configure Privoxy (http://privoxy.org). It uses the PCRE library and is available for Windows. In order to filter you should do the following:

  1. In the Privoxy configuration directory add

    FILTER: my-js-purger
    s@<script\s+language=javascript><!--\s+\(function\(\).*?</script>@@s
    

    to the user.filter file,

  2. Add

    { +filter{my-js-purger} }
    /
    

    to the user.action file (replace / with the names of the sites you want to apply the filter to, or leave it as is if you want to apply it to all sites).

  3. Ensure that there are uncommented lines

    listen-address 127.0.0.1:8118
    actionsfile user.action
    filterfile user.filter
    

    in the config file (I believe it is safe to just add them at the end of the config file regardless of whether they already exist).

  4. Start Privoxy.

  5. Configure your browser to use 127.0.0.1:8118 as an HTTP/HTTPS proxy server.

ZyX
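
The cleanup the question asks for, written as an added Python example (it is not code from either answer): it removes only the script blocks that open with the `<!-- (function()` signature, directly in the site's files. The file extensions, the `backup_dir` parameter and the sample page are assumptions made for illustration.

```python
import re
import shutil
from pathlib import Path

# Signature from the question: <script language=javascript><!-- (function() ... </script>
# Bytes pattern, so files are rewritten without guessing their encoding.
# DOTALL lets the payload span lines; the lazy .*? ends each match at the first
# </script>, so legitimate scripts between two injected blocks are left alone.
INJECTED = re.compile(
    rb"<script\s+language=javascript>\s*<!--\s*\(function\(\).*?</script\s*>",
    re.IGNORECASE | re.DOTALL,
)

def strip_injected(data):
    """Return (cleaned bytes, number of injected blocks removed)."""
    return INJECTED.subn(b"", data)

def clean_tree(root, backup_dir=None, exts=(".html", ".htm", ".php")):
    """Report matches under root; rewrite files only when backup_dir is given."""
    root, report = Path(root), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        cleaned, count = strip_injected(path.read_bytes())
        if not count:
            continue
        rel = path.relative_to(root)
        report[rel.as_posix()] = count
        if backup_dir is not None:
            # Keep the infected original outside the web root, then rewrite in place.
            dest = Path(backup_dir) / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
            path.write_bytes(cleaned)
    return report

# Constructed sample page: two injected blocks around one legitimate script.
SAMPLE = (
    b"<html><body>\n"
    b"<script language=javascript><!-- \n(function(){var a=1;})();\n//--></script>\n"
    b'<script src="menu.js"></script>\n<p>content</p>\n'
    b"<script language=javascript><!-- \n(function(){var b=2;})();\n//--></script>\n"
    b"</body></html>\n"
)

if __name__ == "__main__":
    cleaned, removed = strip_injected(SAMPLE)
    print(removed, "block(s) removed")
    print(cleaned.decode())
```

Calling `clean_tree(site_root)` without `backup_dir` only reports which files match, which is a useful first pass before anything is rewritten.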