1

How can I search and replace all files recursively to remove some rogue code injected into php files on a wordpress installation? The hacker added some code (below) to ALL of the .php files in my wordpress installation, and it happens fairly often to many sites, and I spend hours manually removing the code.

Today I tried a number of techniques I found online, but had no luck due to the long code snippet and the many special characters in it that mess up the delimiters. I tried using different delimiters with perl:

perl -p -i -e 's/rogue_code//g' *

to

perl -p -i -e 's{rogue_code}{}g' *

and tried using backslashes to escape the slashes in the code, but nothing seems to work. I'm working on a shared server, so I don't have full access to all the directories outside my own.

Thanks a lot...here's the code:

< ?php /**/ eval(base64_decode("aWYoZnVuY3
... snip tons of this ...
sgIH1lbHNleyAgICB9ICB9"));? >
Charles
  • 50,943
  • 13
  • 104
  • 142
libbynotzoey
  • 481
  • 1
  • 4
  • 7
  • 3
    You have backups, right? Otherwise, how can you be sure that you'll find all of the malicious code to remove? – ziesemer Mar 15 '12 at 01:48
  • 2
    If this _happens fairly often_, that means you have configured the software incorrectly. [I gave some guidelines on how to set both Unix permissions and Mandatory Access Control permissions on websites to another Stacker](http://stackoverflow.com/a/6338067/377270) that you might wish to study from before bringing compromised sites back online. – sarnold Mar 15 '12 at 01:51

3 Answers3

1

Without having a chance to poke around the files myself, it's hard to be sure; but it sounds like you need:

find -name '*.php' -exec perl -i -pe 's{<\?php /\*\*/ eval\(base64_decode\("[^"]+"\)\);\?>}{}g' '{}' ';'

(That said, I agree with the commenters above that trying to undo the damage, piecemeal, after it happens is not the best strategy.)

ruakh
  • 175,680
  • 26
  • 273
  • 307
1

and it happens fairly often to many sites, and I spend hours manually removing the code....

Sounds like you need to do a better job of cleaning the hack or change hosts. Replace all WP core files and foldere, all plugins, and then all you have to do is search theme files and wp-config.php for the injected scripts.

See How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex and Recommended WordPress Web Hosting

markratledge
  • 17,322
  • 12
  • 60
  • 106
0

I have the same problem (Dreamhost?) and first run this clean.pl script:

#!/usr/bin/perl
$file0 =$ARGV[0];
open F0,$file0 or die "error opening $file0 : $!";
$t = <F0>;
$hacked = 0;
if($t =~ s#.*base64_decode.*?;\?>##) {
    $hacked=1;
}
print "# $file0: " . ($hacked ? "HACKED" : "CLEAN") . "\n";
if(! $hacked) {
        close F0;
        exit 0;
}

$file1 = $file0 . ".clean";
open F1,">$file1 " or die "error opening $file1 for write : $!";
print F1 $t;
while(<F0>) {
 print F1;
}
close F0;
close F1;
print "mv -f $file0 $file0.bak\n"; #comment this if you don't want backup files.
print "mv -f $file1 $file0\n";

with find . -name '*.php' -exec perl clean.pl '{}' \; > cleanfiles.sh and then I run . cleanfiles.sh

I also found that there were other differently infected files ("boostrap" infecters, those which triggered the other infection), which instead of the base64_decode call had some hex-escaped command... To detect them, this suspicious_php.sh :

#!/bin/sh
#  prints filename if first 2 lines has more than 5000 bytes
file=$1
bytes=`head -n 2 $file | wc --bytes `
if (( bytes > 5000 ))
then
  echo $file
fi

And then: find . -name '*.php' -type f -exec ./suspicious_php.sh '{}' \;

Of course, all this is not foolproof at all.

leonbloy
  • 73,180
  • 20
  • 142
  • 190