PHP / SSH regex script / command to remove identical malicious code from many files

I have a virus that has infected thousands of files on one of my client servers.

Fortunately, I have had a lot of other malware on this magarot server, and this one looks easy to write a simple regular expression for (he put all his sites in one account :( but I am working with him to solve this problem).

Basically, unlike most malware I have seen, where it injects PHP before the closing ?> of the GOOD code (which makes it very difficult to determine what is good code / bad code), this current malware ALWAYS adds a new <?php ... malware ... ?>.

So basically, let's say there is good code:

<?php
require('./wp-blog-header.php'); 
?>

Instead of adding some kind of base64_decode eval right after the require statement, but before the ?> (which may make it difficult to delete when the page ends in a conditional / complex statement), it will always add the following code with a NEW <?php ... ?> as follows:

<?php
require('./wp-blog-header.php'); 
?><?php ... malware ...?>

I do not want to put any malicious code here, but this is how the malicious code always runs:

<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "tons and tons of characters";$eva1tYlbakBcVSir = "\x6335\1443\3x6f\1534\x70\170\x65";$SNIPSNIPSNIPSNIP;} ?>

I would like to search every file for <?php @error_reporting(0); if (!isset, and if this is the last PHP statement on the page, then delete everything in

+3
2 answers

This is how you clean up the whole project with pure php.


<?php 
//Enter it as it is and escape any single quotes
$find='<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir =\'\';?>';

echo findString('./',$find);

function findString($path,$find){
    $return='';
    ob_start();
    if ($handle = opendir($path)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") {
                if(is_dir($path.'/'.$file)){
                    $sub=findString($path.'/'.$file,$find);
                    if(isset($sub)){
                        echo $sub.PHP_EOL;
                    }
                }else{
                    $ext=substr(strtolower($file),-3);
                    if($ext=='php'){
                        $filesource=file_get_contents($path.'/'.$file);
                        $pos = strpos($filesource, $find);
                        if ($pos === false) {
                            continue;
                        } else {
                        //The cleaning bit
                        echo "The string '".htmlentities($find)."' was found in the file '$path/$file' and exists at position $pos and has been removed from the source file.<br />";
                        $clean_source = str_replace($find,'',$filesource);
                        file_put_contents($path.'/'.$file,$clean_source);
                        }
                    }else{
                        continue;
                    }
                }
            }
        }
        closedir($handle);
    }
    $return = ob_get_contents();
    ob_end_clean();
    return $return;
}
?>

UPDATE:

<?php 
error_reporting(E_ALL);
$find='<\?php @error_reporting\(0\); if \(!isset\((.*?)\?>';

echo findString('./',$find);

function findString($path,$find){
    $return='';
    ob_start();
    if ($handle = opendir($path)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") {
                if(is_dir($path.'/'.$file)){
                    $sub=findString($path.'/'.$file,$find);
                    if(isset($sub)){
                        echo $sub.PHP_EOL;
                    }
                }else{
                    $ext=substr(strtolower($file),-3);
                    if($ext=='php'){

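                        $filesource=file_get_contents($path.'/'.$file);
                        //The cleaning bit
                        $clean_source = preg_replace('#'.$find.'#','',$filesource,-1,$count);
                        // preg_replace returns null on a PCRE error (e.g. backtrack limit);
                        // writing that back would empty the file, so skip it. Also skip files with no match.
                        if ($clean_source === null || $count === 0) {
                            continue;
                        }
                        echo "The pattern '".htmlentities($find)."' was found in the file '$path/$file' and has been removed from the source file.<br />";
                        // $clean_source = str_replace($find,'',$filesource);
                        file_put_contents($path.'/'.$file,$clean_source);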
                    }else{
                        continue;
                    }
                }
            }
        }
        closedir($handle);
    }
    $return = ob_get_contents();
    ob_end_clean();
    return $return;
}
?>
+12

( mvds)

sed -e "s/<?php @error_reporting.*?>//g" --in-place=_cleaned *

-in-place = _cleaned sed: illegal option -- -

+1
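
A shell take on the same cleanup, as an added example that is not part of either answer: it lists before it edits, only touches a block that ends the final line of a file (the condition the question asks for), and avoids `sed --in-place`, which BSD/macOS sed rejects. The function names, the `.infected` backup suffix and the constructed sample tree are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original answers. Assumption taken from the question:
# the injected block is the last thing on the final line of each infected file.

# BRE, so ( ) ? ! are literal: signature, anything, then a closing ?> at end of line.
SIG='<?php @error_reporting(0); if (!isset(.*?>[[:space:]]*$'

# Dry run: print each *.php file under $1 whose final line ends with the block.
list_infected() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if tail -n 1 "$f" | grep -q "$SIG"; then printf '%s\n' "$f"; fi
    done
}

# Strip the block, keeping the untouched original as FILE.infected.
# Writes via a temp file because BSD/macOS sed rejects --in-place.
clean_infected() {
    list_infected "$1" | while IFS= read -r f; do
        cp -p "$f" "$f.infected" || continue
        # '$' address: only the final line is edited, the rest is copied verbatim.
        if sed "\$ s/$SIG//" "$f.infected" > "$f.tmp" && [ -s "$f.tmp" ]; then
            cat "$f.tmp" > "$f"   # overwrite in place: owner and mode stay as they were
        fi
        rm -f "$f.tmp"
    done
}

# Constructed sample tree (placeholder payload, not real malware) for a trial run.
make_sample() {
    mkdir -p "$1/sub"
    printf '%s\n' '<?php' "require('./wp-blog-header.php');" \
        '?><?php @error_reporting(0); if (!isset($x)) {$x = "PLACEHOLDER";} ?>' > "$1/index.php"
    printf '%s\n' '<?php @error_reporting(0); if (!isset($debug)) { $debug = 1; } ?>' \
        '<?php echo "legit code follows the lookalike"; ?>' > "$1/sub/mid.php"
    printf '%s\n' '<?php echo "clean"; ?>' > "$1/sub/clean.php"
}

case "${1:-}" in
    list)  list_infected "${2:-.}" ;;
    clean) clean_infected "${2:-.}" ;;
esac
```

Run `list` first and review the output before `clean`. The `.infected` copies still contain the payload, so move them out of the web root once the cleaned files are verified.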
