This was addressed briefly here: Removing a string in a PHP file with Start and End, but I'm looking for a solution to the same code. The first line of every PHP file on the server begins with `<?php if(!isset($GLOBALS[` and ends with `-1; ?>`, and in the middle is a long string of code that varies from file to file.

I'm trying to come up with a script to remove this line from all files. I'm running into the same wall as the guy in the previous post.

Using:

sed -e '1 s/^<\?php if(!isset($GLOBALS\[.*-1; \?>//' *.php

in a UNIX environment prints the PHP file without the code, but does not save it. What am I missing?

  • Blow away your server, go back to bare metal, check out a fresh copy from your version control system. – Brad Oct 09 '14 at 18:11
  • sed without any config outputs to stdout; sed with -i rewrites the file – Dimitri Oct 09 '14 at 18:14
  • How did these "malicious" lines get in your code? – Mike Oct 09 '14 at 18:14
  • Mike, a client of mine had an extremely old version of Wordpress installed on his hosting account that was not the primary site on the account. The primary site is secure and the old site has been removed, now to clean up the mess. – chrislovessushi Oct 09 '14 at 18:16
  • also, `-i` offers a suffix option which will create a backup of the file. – Jonathan Kuhn Oct 09 '14 at 18:16
  • Brad, thanks for all of your help. – chrislovessushi Oct 09 '14 at 18:17
  • @chrislovessushi Installing an old version of Wordpress doesn't exactly fall under the definition of ["malicious"](http://www.merriam-webster.com/dictionary/malicious). – Mike Oct 09 '14 at 18:19
  • When someone exploits an outdated piece of software to insert a line of code into every file on a web server, you wouldn't consider that malicious? – chrislovessushi Oct 09 '14 at 18:21
  • @chrislovessushi Yes, I would, but you didn't mention that. sed is not the correct tool to fix a hacked site. Restore a backup or do a reinstall. Otherwise, you would need to go through the entire code base line by line. – Mike Oct 09 '14 at 18:23
  • See http://stackoverflow.com/questions/2970/my-website-got-hacked-what-should-i-do – Mike Oct 09 '14 at 18:27
  • Mike, so you're saying that its impossible to remove this line from each PHP file on the server? – chrislovessushi Oct 09 '14 at 18:27
  • @chrislovessushi No, you misunderstood me. What I'm saying is how can you guarantee that this was the *only* thing that changed in the file? You can't. If a hacker can write to your files, he's not necessarily going to stop with simply inserting a one liner at the top of every file. What if there is something else that was written, like a spam bot that you don't find out about it until your server has sent 20 million spam emails? – Mike Oct 09 '14 at 18:33
  • Mike, what if monkeys fly out of my butt? If simply reinstalling was an option then I wouldn't be here asking for help. There are a lot of files that need to be salvaged but far too many for me to edit by hand. I feel confident that the server is secure now and I would like help with writing a simple script to remove this line from each file. If you're here to tell me that isn't possible then, thank you, but if you're just here for the sake of posting comments then please stop de-railing the issue. – chrislovessushi Oct 09 '14 at 18:38
  • possible duplicate of [Removing an injection using regex](http://stackoverflow.com/questions/26013782/removing-an-injection-using-regex) – tripleee Sep 10 '15 at 17:39
  • Possible duplicate of [How to get rid of eval-base64\_decode like PHP virus files?](http://stackoverflow.com/questions/5922762/how-to-get-rid-of-eval-base64-decode-like-php-virus-files) – kenorb May 27 '16 at 15:08

3 Answers

I wrote a script to clean all files in all directories and subdirectories. I recommend you back up first. This is done from inside the shell.

First create a file called fixmacro in your home directory and add the following 2 lines to it:

:1/ua=strtolower/s/^.*<?php$/<?php/
:wq

Next, from the directory where the infected files are (or from your home directory), run the following command:

find . -name '*.php' -exec vi -s ~/fixmacro {} \;

This will go to every PHP file, look for the infected lines and remove them. If there are no infected lines it resaves the file with no changes.

carlodurso
  • The above results in error `find: paths must precede expression Usage: find [-H] [-L] [-P] [path...] [expression]`; the correct usage would be `find . -name "*.php" -exec vi -s ~/fixmacro {} \;`. – Stacked Mar 20 '15 at 10:57
Use sed's -i option, so that sed modifies the PHP files.

-i[SUFFIX], --in-place[=SUFFIX]
edit files in place (makes backup if extension supplied)

The [SUFFIX] part is optional but some sed implementations require you to provide it.

In your case, you could try this:

sed -i.bak 's/^<\?php if(!isset($GLOBALS\[.*-1; \?>//' *.php

Read man sed for more info.

kenorb
gmarintes
  • Using `sed -i "s/^<\?php if(!isset($GLOBALS\[.*-1; \?>//" *.php` gets me: "command i expects \ followed by text". I'm having trouble finding any examples of the use of -i or the proper syntax. – chrislovessushi Oct 09 '14 at 18:34
Got it working, thanks for the advice on using -i. The working command is: `sed -i.bak 's/^<\?php if(!isset($GLOBALS\[.*-1; \?>//' *.php`
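An added example, not code from the question or any of the answers, that carries the accepted approach through a little more carefully: it deletes the first line only when that whole line is the injected `<?php if(!isset($GLOBALS[` ... `-1; ?>` string (rather than blanking it, which leaves an empty line before the real `<?php`), keeps a `.bak` copy of each changed file, reports any file where the marker appears in another position so it can be looked at by hand, and writes `[?]` instead of `\?` because GNU sed reads `\?` in a BRE as a quantifier while BSD sed reads it as a literal. The directory layout and file contents below are constructed.

```shell
#!/bin/sh
# Added example, not code from the question or any answer: remove the injected
# first line the question describes from every .php file under a directory,
# keeping a .bak copy of each changed file and reporting files that need a
# human look. The marker strings are the question's; all sample files are constructed.

# Portable BRE for an entire injected line. [?] rather than \? because in GNU
# sed's BRE \? is a "zero or one" quantifier (so '<\?php' cannot match a literal
# "<?php"), while BSD sed treats \? as a literal "?". \$ and \[ are literal in both.
INJECT_RE='^<[?]php if(!isset(\$GLOBALS\[.*-1; [?]>$'

# clean_tree DIR: prints the path of every file it cleaned (one per line).
# Only a first line that is *entirely* the injection is deleted; a file that
# merely contains the marker elsewhere is reported on stderr for manual review,
# since removing one line cannot prove nothing else in the file was changed.
clean_tree() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if head -n 1 "$f" | grep -q "$INJECT_RE"; then
            sed -i.bak '1d' "$f" && printf '%s\n' "$f"
        elif grep -q 'isset(\$GLOBALS\[' "$f"; then
            printf 'REVIEW: %s\n' "$f" >&2
        fi
    done
}

# first_line FILE: the file's first line, used to verify the result.
first_line() { head -n 1 "$1"; }

# Constructed fixture: one infected file, one clean file, one odd variant.
make_fixture() {
    mkdir -p "$1/site/inc"
    printf '%s\n%s\n%s\n' '<?php if(!isset($GLOBALS["x"])) $GLOBALS["x"] = -1; ?>' '<?php' 'echo "hi";' \
        > "$1/site/index.php"
    printf '%s\n%s\n' '<?php' 'echo "clean";' > "$1/site/inc/clean.php"
    # Injection and original tag on one line: must be reported, not deleted.
    printf '%s\n' '<?php if(!isset($GLOBALS["x"])) $GLOBALS["x"] = -1; ?><?php echo 1;' \
        > "$1/site/inc/odd.php"
}

WORK=$(mktemp -d)
make_fixture "$WORK"
clean_tree "$WORK" > "$WORK/cleaned.txt"
echo "cleaned $(wc -l < "$WORK/cleaned.txt") file(s) under $WORK (list in cleaned.txt)"
```

The `.bak` copies stay on disk so the result can be diffed before they are deleted.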