
A website of mine has been hacked. In every PHP file a line of code has been added. I won't post the complete code here, but it starts with:

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $yudqgxmnlr = 

and ends with:

 $gzagexgpdc=substr($yudqgxmnlr,(34129-24016),(83-71)); $gzagexgpdc($xarchajboj, $ukumkvvgai, NULL); $gzagexgpdc=$ukumkvvgai; $gzagexgpdc=(759-638); $yudqgxmnlr=$gzagexgpdc-1; ?>

I've tried finding and replacing with some SSH commands, but it doesn't seem to work. (Read: my lack of SSH knowledge gets in the way.)

This is my latest attempt:

sed -i '<?php if(!isset*gzagexgpdc-1; ?>//g' *.php

Can anyone help me?

Bram_Boterham
    possible duplicate of [Removing an injection using regex](http://stackoverflow.com/questions/26013782/removing-an-injection-using-regex) – Kalanidhi Feb 04 '15 at 09:43
  • 2
    Just re-deploy the site. – choroba Feb 04 '15 at 09:58
  • I wouldn't do this remotely. Download all the files, back it up, do a S&R in your editor, then send it back to the remote site. – halfer Feb 04 '15 at 10:11
  • 2
    Also, find out _how_ it was hacked. If there is a sec hole, it may happen again. – halfer Feb 04 '15 at 10:12
  • 1
    Possible duplicate of [Best methods to clean up a hacked site with no clean version available?](http://stackoverflow.com/questions/6337976/best-methods-to-clean-up-a-hacked-site-with-no-clean-version-available) – tripleee Jul 22 '16 at 19:32
  • Does this answer your question? [Hacked Site - SSH to remove a large body of javascript from 200+ files](https://stackoverflow.com/questions/55407263/hacked-site-ssh-to-remove-a-large-body-of-javascript-from-200-files) – tripleee Nov 05 '20 at 09:48

3 Answers


You can try this : https://github.com/daniyalahmadk/RMCI

You just need to paste that code into the box and hit submit; it will search the files for the code and remove it from all of them at once.

daniyalahmad

You need to add s/ at the start.

sed 's/<?php if(!isset.*gzagexgpdc-1; ?>//g' *.php

OR

sed -r 's/<\?php if\(!isset.*gzagexgpdc-1; \?>//g' *.php

Add the -i parameter to save the changes.

Avinash Raj

This should work.

find . -name "*.php" -print0 | xargs -0 sed -ri '1s/^<\?php if\(!isset\(\$GLOBALS\[.*-1; \?>//'
Madhukarah