Script to delete a rogue header added by hacker
# 1  
Old 03-06-2012

Hi,

Someone hacked my site(s) and appended a header to every .php file in every domain. With several WordPress sites, you can imagine how many files that is! I hand edited some, but it is just a huge task to edit the thousands of files.

I was a long time Linux scripter, but have not done it in years. I need help!

The offending code is nicely set inside php tags. So, if I can delete it either by start characters "<?php" to the first "?>" or more simply, delete up to and including the first "?>" or even the first ">", that would do it.

I have tried a few things like sed and awk, but sed seems to work on lines and not character by character, and this code does not have a newline after it...

I can find the files with grep -l base64_decode *.php or something along those lines.

I hope I am not being a bother. I am pretty tired after working on this for hours. I know someone can write this off the top of their head.

All the files look like this:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCc.....gfSAgb2Jfc3RhcnQoJ21yb2JoJyk7ICB9ICB 9"));?><? real code for file.....

And there are no other ">" until that one that marks the end of the virus code...

Much thanks!
-Swank
# 2  
Old 03-06-2012
Restore the site from a backup, god knows how many other files have been changed/replaced with trojans.

You can never trust your server again after a rootkit or whatever has been thru it.
# 3  
Old 03-06-2012
Ugh. I think you are right. After cleaning a batch, they all got reinfected. No idea where the crap is coming from and not sure how to find out....

8+ domains hosed! No idea when the last full back-up was...
# 4  
Old 03-06-2012
If you really need to clean up these PHP files try this awk script:

Code:
awk '
    NR==1 && /^<\?php .... eval\(base64_decode/ {K++}   # line 1 starts with the injected block: arm K
    K && /\?>/ {sub(/^[^>]*\?>/,""); K=0}              # drop everything up to the first "?>", then disarm
    !K' file                                            # print only lines outside the injected block

You could tgz up all your .php scripts and clean them on another server using something like the above, at least you won't lose any code then.
# 5  
Old 03-07-2012
Alternatively perhaps try this code as well:
Code:
awk '!/^\?php.*base64_decode/ { printf "%s%s", (n++ ? "<" : ""), $0 }  # drop the injected record, re-join with the "<" RS ate
' RS=\< infile

or otherwise:
Code:
awk '/^\?php.*base64_decode/ { sub(/^[^>]*>/, ""); sep = "" }  # strip up to the first ">", keep the rest of the record
     { printf "%s%s", sep, $0; sep = "<" }' RS=\< infile


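Putting the pieces of this thread together (the grep -l detection from the first post and the "delete from <?php through the first ?>" stripping from the awk replies) as one script. This is an added example, not code posted in the thread. It assumes the injected block has exactly the shape shown in the first post (the /**/ comment, eval(base64_decode("...")), then ?> with no newline), that a .bak copy of each file is wanted, and that the block sits on line 1. It uses sed rather than awk because the s command substitutes within a line, so the missing newline after ?> is no obstacle. As the other replies say, this only removes the symptom; the re-infection has to be found separately.

```shell
#!/bin/sh
# Added example (not from the thread): find PHP files that start with the
# injected "<?php /**/ eval(base64_decode(...));?>" block, keep a .bak copy,
# and strip exactly that block from the first line, leaving the real code
# (which follows on the same line) untouched. Pattern and paths are assumptions.
set -eu

# The injected block as an extended regex: from the opening "<?php" through the
# first "?>". The character class only admits base64 characters (plus the stray
# spaces seen in the sample), so it cannot run into the site's own code.
INJECT_RE='^<\?php /\*\*/ eval\(base64_decode\("[A-Za-z0-9+/= ]*"\)\);\?>'

# Print the infected files among the arguments (exit status 1 if none match).
find_infected() {
    grep -lE "$INJECT_RE" "$@" 2>/dev/null
}

# Strip the block from one file in place, after saving FILE.bak.
# Only line 1 is addressed ("1s"); "|" is the s-command delimiter because the
# pattern itself contains "/".
strip_header() {
    f=$1
    cp -p "$f" "$f.bak"
    sed -E "1s|$INJECT_RE||" "$f.bak" > "$f"
}

# Succeed when the file no longer carries the injected block.
is_clean() {
    ! grep -qE "$INJECT_RE" "$1"
}

# Constructed sample mimicking the shape shown in the first post (payload is fake).
make_sample() {
    dir=$1
    mkdir -p "$dir"
    printf '%s' '<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCc="));?><?php echo "hello"; ?>' > "$dir/index.php"
    printf '%s\n' '<?php echo "untouched"; ?>' > "$dir/clean.php"
}

# Demo: ./strip_inject.sh --demo   (real use: strip_header on each file find_infected prints)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample "$d"
    for f in $(find_infected "$d"/*.php); do
        strip_header "$f" && is_clean "$f" && echo "cleaned: $f"
    done
    cat "$d/index.php"; echo
    rm -rf "$d"
fi
```

Run it against a copy of the document roots first (as the reply above suggests, tar them up and work elsewhere), and diff a handful of cleaned files against their .bak before trusting the pattern on thousands of them; a payload that differs even slightly from the sample will simply not match and the file will be reported as still infected rather than damaged.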
# 6  
Old 03-07-2012
Quote:
Originally Posted by SwankPad
Ugh. I think you are right. After cleaning a batch, they all got reinfected. No idea where the crap is coming from and not sure how to find out
Upgrade to the latest WordPress release. Remove as many addons as possible. Look under the WordPress images directories. Remove any non-image files such as .doc, .php, etc. Any file with 3 numbers in it is suspicious and needs to be carefully checked. Also check all your .htaccess files. Check your permissions are correct on every file and directory.

Which hosting company are you with? There are a couple of major hosting companies who have this particular infection.
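The file-system checks in the reply above, as shell functions. This is an added example, not code from the thread. The wp-content/uploads layout, the set of extensions treated as "image", and the three-digit file-name heuristic are assumptions taken from the reply; the sample tree is constructed to exercise the checks.

```shell
#!/bin/sh
# Added example (not from the thread): the checks suggested in the reply above,
# as reusable functions. Directory layout, image extensions and the "three
# digits in the name" heuristic are assumptions.
set -eu

# Files under an images/uploads tree that are not images. A .php (or .doc, .txt ...)
# file there has no business existing and is the classic place to park a backdoor.
non_image_files() {
    find "$1" -type f ! \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) | sort
}

# Files whose name contains three consecutive digits, per the reply's heuristic (e.g. img123.php).
# -name matches the basename only, so digits in the parent path do not count.
three_digit_names() {
    find "$1" -type f -name '*[0-9][0-9][0-9]*' | sort
}

# World-writable files and directories: any account on the host can drop code there.
world_writable() {
    find "$1" ! -type l -perm -0002 | sort
}

# Every .htaccess in the tree, for manual review.
htaccess_files() {
    find "$1" -name .htaccess -type f | sort
}

# Constructed sample tree: one real image, one planted PHP file with a numeric
# name and loose permissions, one .htaccess.
make_sample_tree() {
    d=$1
    mkdir -p "$d/wp-content/uploads/2012/03"
    : > "$d/wp-content/uploads/2012/03/photo.jpg"
    : > "$d/wp-content/uploads/2012/03/img123.php"
    : > "$d/wp-content/.htaccess"
    chmod 0666 "$d/wp-content/uploads/2012/03/img123.php"
}

# Demo: ./wp_audit.sh --demo   (real use: call the functions on the document root)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "non-image files:";   non_image_files "$d/wp-content/uploads"
    echo "three-digit names:"; three_digit_names "$d"
    echo "world-writable:";    world_writable "$d"
    echo ".htaccess files:";   htaccess_files "$d"
    rm -rf "$d"
fi
```

None of these lists is proof of compromise on its own; they narrow thousands of files down to the few worth opening by hand, which is the point of the reply above.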