-1

Website got hacked and it puts code at top line of every php page before the opening <?php tag, i want to use sed to remove it from all files with one command.

It starts with

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"]))

and ends with 

-1; ?><?php

I think this is caused by old version of mailpoet (wysija) wordpress plugin. http://blog.sucuri.net/2014/10/wordpress-websites-continue-to-get-hacked-via-mailpoet-plugin-vulnerability.html

I tried the answers of these two, but solutions isnt removing these lines for me. I would appreciate any and all help as im no expert with unix commands.

Mass removal of malicious line from php files

Removing a string in a PHP file with Start and End

///EDIT

Sample input i used, supposed to remove the line from file, but file stays same, doesnt print anything to terminal

sed -i '1 s/^<\?php if(!isset($GLOBALS\[.*-1; \?>//' *.php

Once i have this command working i want to combine it with find command to run on whole server

Community
  • 1
  • 1
grasshopper
  • 1,381
  • 4
  • 19
  • 36

2 Answers2

2

You could try this GNU sed command,

sed -r '1s/^<\?php if\(!isset\(\$GLOBALS\[.*-1; \?>//' *.php

Add inline edit option i to save the changes made.

sed -ri '1s/^<\?php if\(!isset\(\$GLOBALS\[.*-1; \?>//' *.php
Avinash Raj
  • 172,303
  • 28
  • 230
  • 274
1
find . -name "*.php" -print0 | xargs -0 sed -ri '1s/^<\?php if\(!isset\(\$GLOBALS\[.*-1; \?>//' *.php
Artjom B.
  • 61,146
  • 24
  • 125
  • 222
Sergio Falcon
  • 11
  • 1
  • 1
    Why did you create a second account and answered the question [*again*](http://stackoverflow.com/a/31742149)? – Artjom B. Jul 31 '15 at 10:52