Shell Programming and Scripting

Hi,

I have a linux server that was hacked and I have a bunch of files that sporadically contain the following lines through out the file:

Code:

<?php        eval(base64_decode("Xxxxxxxxxxxxxx/xxxxxxxx"));

I did't put the exact lines of the file in this post. The "Xxxx" are random letters/numbers.

I'm trying to use sed but I think the combination of the ", ( , ) and ; are throwing me off.
I would like to write a script to filter this line out of the files without messing up anything else with in the files.

Thanks for you help

Either sed or grep -v will work, something similar to the following:

Code:

$ cat file
<?php eval(base64_decode("Xxxxxxxxxxxxxx/xxxxxxxx"));

Code:

$ grep  '<.php *eval *(base64_decode *(".*"));' file
<?php eval(base64_decode("Xxxxxxxxxxxxxx/xxxxxxxx"));

Code:

$ grep -v '<.php *eval *(base64_decode *(".*"));' file

Try this sed command:

Code:

$ cat t
line 1
<?php eval(base64_decode("X12345ajiunkwP/e3IU47Om"));
line 3

$ sed '/^<?php eval(base64_decode("[a-zA-Z0-9]\{14\}\/[a-zA-Z0-9]\{8\}"));$/d' t
line 1
line 3

Spacebar,

I tried your sed command and it's close.

I modified as follows to work:

Code:

sed '/<?php *.*eval(base64_decode("[a-zA-Z0-9]\{723\}\/[a-zA-Z0-9]\{424\}"));$/d' filename > newfile

I added the *.* because there are 64 spaces between the <?php and the eval.

This sed command removes the first line in the file that this string exists but not the subsequent lines. Here is a short example of how the eval is embedded in the file:

Code:

<link rel="shortcut icon" href="<?php         eval(base64_decode("DQp...

If you need more information on it let me know.

Since you know the exact number of spaces between "<?php and the eval" then try this and the only reason a line would not be deleted is because it does not match the pattern:

Code:

sed '/<?php[ ]\{64\}eval(base64_decode("[a-zA-Z0-9]\{723\}\/[a-zA-Z0-9]\{424\}"));$/d' filename > newfile

I did notice that instead of 64 spaces it is actually

<?php[tab][40spaces[tab][tab]eval(base64_decode....

How can I match the [tab] with sed. I tried \t and a physical tab key but that didn't work?

Also, I copied different sections of the file into different files eliminating any href etc and ran a diff on them and the patterns seem to match.

I agree the sed statement should remove the pattern as long as it matches.

Thank you for your help

In a terminal or most editors, typing ^v<tab> (control-v followed by the tab key) will insert a literal tab. That said, if you want to match either a tab or a space, you can use [[:blank:]].

Regards,
Alister