
A hacker got into a web server and added this string (I removed some characters for security purposes and added line breaks for readability) to all index.php files:

<?php 
eval(gzuncompress(base64_decode('eF5Tcffxd3L0CY5WjzcyNDGGMV4+1dSwqSqzU0LQGAJCPCMM='))); 
eval(gzuncompress(base64_decode('eF5LK81LLsnMzKx+JjNW0rgUAqDUUxQ==')));  
eval(gzuncompress(base64_decode('eF6VlMmy/3sMxOez/iJOojHFT0Ig/8jlTymmN/I='))); 
?>

I have tried using the sed command to remove it (replacing it with nothing) but it is nearly impossible to define a working regular expression with such a huge string.

Is there another way, maybe reading the string from a .txt file?


Assuming you don't use these tricks anywhere, why not this (appropriately executed, using sed -i and maybe find -exec ..., which was not part of your question, was it?)

$ sed 's/eval(gzuncompress(base64_decode(.*)));//' << EOF                     
> <?php eval(gzuncompress(base64_decode('eF5Tcffxd3L0CY5WjzcyNDGGMV4+1dSwqSqzU0LQGAJCPCMM=')));eval(gzuncompress(base64_decode('eF5LK81LLsnMzKx+JjNW0rgUAqDUUxQ=='))); eval(gzuncompress(base64_decode('eF6VlMmy/3sMxOez/iJOojHFT0Ig/8jlTymmN/I=')));?>
> EOF
<?php  ?>

...you can afterwards deal with the empty <?php ?>s (which don't hurt much, do they?).

Edit: removed the line breaks to make sure it fits the situation described.

Edit2: You'd be better off just replacing everything with a (known good) backup, probably, if you've got one.

Edit3: I just caught the "all index.php files" bit. You can thus try something like

find /path/to/wwwroot -name "index.php" -exec sed -i regex {} \;
  • I have used some backups but for some files I had to do it this way. Thanks sr_! It worked great. Commented Nov 15, 2011 at 11:25
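The following script is an added example and is not part of the question, the answer or the comments above. It puts the answer's approach (find every index.php, run sed -i over it) into a form a practitioner would actually run on a compromised web root: it lists the infected files first, keeps a .bak copy of every file it touches, and reports how many files were cleaned so the result can be checked. One thing it does differently from the answer's one-liner: the answer's `.*` is greedy, so if three injections and some legitimate code share one line, everything between the first `eval(` and the last `)));` is deleted, legitimate code included. Since the injected argument is pure base64, the pattern below matches only base64 characters between the quotes and therefore removes exactly one injected call per match. The sample web root, the placeholder base64 strings (`QUFB`, `QkJC`, `Q0ND`) and the function names are all constructed for this example; the script assumes a sed that accepts `-i.bak` (GNU sed and BSD sed both do).

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Removes injected eval(gzuncompress(base64_decode('...'))) calls from every
# index.php below a web root, keeping a .bak copy of each file it touches and
# printing how many files were cleaned.  Assumes sed accepts -i.bak (GNU/BSD).

# The injected argument is pure base64, so match only base64 characters between
# the quotes.  A greedy ".*" would also delete legitimate code sitting between
# two injections on the same line.  "|" is the s/// delimiter because the
# base64 alphabet contains "/".
PAYLOAD_RE="eval(gzuncompress(base64_decode('[A-Za-z0-9+/=]*')));[[:space:]]*"

# list_infected ROOT: print every index.php under ROOT that still holds the payload.
# grep -l exits 1 when nothing matches, which find propagates; that is not an error here.
list_infected() {
    find "$1" -type f -name index.php \
        -exec grep -l 'eval(gzuncompress(base64_decode(' {} + 2>/dev/null || true
}

# clean_file FILE: strip the payload and any <?php ?> block left empty by it,
# in one sed pass so FILE.bak is the untouched original.
clean_file() {
    sed -i.bak \
        -e "s|$PAYLOAD_RE||g" \
        -e "s|<?php[[:space:]]*?>||g" \
        "$1"
}

# clean_tree ROOT: clean every infected index.php and print the number of files touched.
clean_tree() {
    n=0
    for f in $(list_infected "$1"); do
        clean_file "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# make_sample_tree DIR: constructed web root for the demo.  The base64 strings
# are placeholders, not the attacker's real payload.
make_sample_tree() {
    mkdir -p "$1/blog" "$1/about"
    # Three injections on one line, as in the question.
    printf '%s\n' \
        "<?php eval(gzuncompress(base64_decode('QUFB')));eval(gzuncompress(base64_decode('QkJC'))); eval(gzuncompress(base64_decode('Q0ND')));?>" \
        "<?php echo 'home'; ?>" > "$1/index.php"
    # Legitimate code wedged between two injections: must survive the cleanup.
    printf '%s\n' \
        "<?php eval(gzuncompress(base64_decode('QUFB'))); \$x = 1; eval(gzuncompress(base64_decode('QkJC'))); echo \$x; ?>" \
        > "$1/blog/index.php"
    # Clean file: must be left alone (no .bak, no edit).
    printf '%s\n' "<?php echo 'about'; ?>" > "$1/about/index.php"
}

# Demo against a throwaway copy of the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "infected before: $(list_infected "$demo_root" | wc -l | tr -d ' ')"
echo "files cleaned:   $(clean_tree "$demo_root")"
echo "infected after:  $(list_infected "$demo_root" | wc -l | tr -d ' ')"
cat "$demo_root/blog/index.php"
rm -rf "$demo_root"
```

Run `list_infected /path/to/wwwroot` first and read the list before running `clean_tree`; the .bak files are what you diff against afterwards, and once you have confirmed the result they can be removed with `find /path/to/wwwroot -name 'index.php.bak' -delete`. None of this replaces restoring from a known-good backup where one exists, and a cleaned file is still a file the attacker could write to, so the entry point needs finding separately.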
