UNIX for Dummies Questions & Answers

last night our server was hit with an attack that infected every php file on the server and inserted the following code

Code:

/*god_mode_on*/eval(base64_decode

with a ton of other characters after.

As it infected every php file i have been trying to clean it using a
sed command to go through and remove the code from each file.

I have been trying to run

Code:

find . -name "*.php" -type f -exec sed -i '/eval(base64_decode(/d' {} \;

This is workng except it is also removing the <?php from the start
of files. Anyone know how to fix this or how I can run sed again to
insert <php? back in at the start. Preference would be to not lose
it in the first place though.


I have tried running sed a second time against these files with this command

Code:

sed -i '1s/^/<php?\^J/' *.php

And that is inserting the <php? however the ctrlJ is not acting as a line return and is actually inserting <php?/^j at the start of each file

Any help appreciate as I have 10K files to fix

Hi,

You can insert new line with the help of

Code:

\n

in sed if you use other than sun solaris system.

Code:

echo "one two three" | sed 's/ /\n/g'

I am replacing space( ) with new line(\n).

Output:

Code:

one
two
three

Cheers,
Ranga

I hate to say it but it is nearly impossible to fully cleanup from these types of attacks if the site consists of more than a few PHP files. Why not restore the site from a backup?