
I have an old server; all PHP files are compromised by malicious code on the first line of each file. I would like to replace the first line with a simple line that contains <?php

Could you advise me of a Linux command for doing this?

Thank you

ceejayoz
rudak
  • If your server is compromised this won't make it safe. http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – ceejayoz Jul 13 '16 at 19:54
  • Possible duplicate of [What's the opposite of head? I want all but the first N lines of a file](http://stackoverflow.com/questions/3507999/whats-the-opposite-of-head-i-want-all-but-the-first-n-lines-of-a-file) – Two-Bit Alchemist Jul 13 '16 at 19:54
  • Sorry disregard dupe. I thought maybe it would help b/c you could just get rid of the first line but I forgot they have to start with ` – Two-Bit Alchemist Jul 13 '16 at 19:55
  • These are old sites; once cleaned, with appropriate permissions, they will be not bad – rudak Jul 13 '16 at 19:56
  • Why in the world would you want to change the first line to ` – Wayne Werner Jul 13 '16 at 20:31
  • Read above: all PHP files are compromised by malicious code on the first line of all files. – rudak Jul 13 '16 at 21:09

3 Answers


To check

    grep '\$efidomat.*\$otunim);' *.php

To delete in a directory

    sed -i 's/\$efidomat.*\$otunim);//' *.php

To delete in directory tree

    find . -type f -name '*.php' -exec sed -i 's/\$efidomat.*\$otunim);//' {} \;

Parameters

$efidomat - the beginning of "my" malicious code.

$otunim - the end of "my" malicious code.

Jonathan Lam
Vedavrat

Here is a small python script that will work its way through all *.php files in its folder and create a modified version in a subfolder called new_files. Don't forget to create that subfolder before running the script!

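    import glob

    # Rewrite every *.php file in the current folder into new_files/,
    # replacing its first line with a clean "<?php" opening tag.
    for f in glob.glob("*.php"):
        # Binary mode keeps the original bytes and line endings intact,
        # whatever encoding the PHP files use.
        with open(f, "rb") as f_in, open("new_files/" + f, "wb") as f_out:
            f_out.write(b"<?php\n")
            # Copy everything except the (compromised) first line.
            for l in f_in.readlines()[1:]:
                f_out.write(l)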

I know it's not a linux command but if you create a file called "script.py" and install python the linux command would be "python script.py". Haha just kidding, I hope it is still helpful ;)

Domme

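I wrote this:

    # -Z / -0 pass file names NUL-separated so names with spaces survive;
    # -r skips sed entirely when grep finds nothing.
    grep -rlZ 'create_";global' . | xargs -0 -r sed -i '1 s/^.*$/<?php/'

and I think it does the job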

rudak
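A more conservative variant of the commands in the answers above, as an added example that is not part of the original posts: it rewrites line 1 only when that line contains a fixed marker string, and first copies each original to a separate directory so the injected code stays available for analysis. The function name `clean_first_line` and its `BACKUP_DIR` argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the original answers.
# Usage: clean_first_line DIR MARKER BACKUP_DIR
#   DIR        tree to scan for *.php files
#   MARKER     fixed string (not a regex) that identifies the injected line
#   BACKUP_DIR where untouched originals are copied; keep it outside DIR
# Prints the number of files rewritten.
# Limitation: file names containing newlines are not handled.
clean_first_line() {
    dir=$1 marker=$2 backup=$3 changed=0
    list=$(mktemp) || return 1
    # Build the file list first so nothing written below is re-scanned.
    find "$dir" -type f -name '*.php' > "$list"
    while IFS= read -r f; do
        # Inspect only line 1, so clean files are never rewritten.
        if head -n 1 "$f" | grep -qF -- "$marker"; then
            bak="$backup/$f"
            # Skip the file unless the original was saved successfully.
            mkdir -p "$(dirname "$bak")" && cp -p "$f" "$bak" || continue
            # Truncate in place: owner and permissions stay as they were.
            { printf '<?php\n'; tail -n +2 "$bak"; } > "$f"
            changed=$((changed + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$changed"
}
```

For the marker used in the last answer, the call would be `clean_first_line . 'create_";global' /root/php-backup`, where the backup path is a placeholder.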