Eval base64 grep find hacks


Find

Command to list all infected files (the glob is quoted so the shell cannot expand it before grep sees it; the last two patterns are broad and also match legitimate code, so review their hits by hand):
grep -lr --include='*.php' "eval(base64_decode" /path/to/webroot
grep -lr --include='*.php' "eval" .
grep -lr --include='*.php' "base64" .

Find a double <?php on the first line of a file (here a file named "php"):
head -n1 php | grep '?php.*?php'

Same check over many files: list .php files up to three directories deep that contain exactly two lines with <?php (grep -c counts matching lines, so two tags on one line count once):
find -maxdepth 3 -name '*.php' -exec grep -c '<?php' {} + | grep ':2$'

include hidden in a /** comment block (drop the lines made of asterisks, then show the include statements that remain):
grep -Eiv '\*{3,}' wp-infected-file | grep -Ei 'include '

Command to remove malicious code (sed -i.bak keeps a backup of each edited file; this form replaces the injected statement with a bare <?php tag):
grep -lr --include='*.php' "eval(base64_decode" /path/to/webroot | xargs sed -i.bak 's/<?php eval(base64_decode[^;]*;/<?php\n/g'

Alternative that deletes the whole line. If the injected statement shares its line with the file's own opening <?php tag, this removes the tag as well, which is what the "missing <?php tag" fix below repairs:
grep -lr --include='*.php' "eval(base64_decode" /path/to/webroot | xargs sed -i.bak '/eval(base64_decode/d'

Trying to avoid re-appearance of this code injection (-print0/-0 keeps paths with spaces intact):
find /path/to/webroot -name "wp-phpmyadmin" -type d -print0 | xargs -0 rm -rf

Missing <?php tag at the beginning (files whose opening tag was deleted together with the injected line):
find /var/www/ -name "index.php" | grep "/htdocs/index.php" | xargs grep -L "<?php" | xargs sed -i '1s/^/<?php\n/'

Extra newlines at the end of the file (this one-liner strips trailing blank lines only; after a closing ?> tag PHP emits them as output and triggers "headers already sent" errors):
find . -name '*.php' -exec sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' '{}' \;

Remove the *_input* files left behind by the infection (run the find on its own first to review the matches, since this deletes everything with _input in its name):
find -name '*_input*' | xargs rm -rf
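The find, decode and clean steps above pulled together into one script. This is an added example, not code from the original page or its source; it assumes GNU grep, sed and base64 on Linux, and the file paths and base64 payloads used in the usage comments are constructed for illustration. Unlike the line-deleting sed above, clean_file removes only the eval(base64_decode(...)); statement, so an opening <?php tag on the same line survives, and decode_payloads shows you what the injected code does before you delete it.

```shell
#!/bin/sh
# Added example (not from the original page): find, triage and clean the
# "<?php eval(base64_decode(...));" injection the page greps for.
# Assumes GNU grep/sed/base64. Paths and payloads in comments are constructed.
set -eu

# List every .php file under $1 that contains eval(base64_decode.
# The glob is quoted so the shell cannot expand it before grep sees it.
find_infected() {
    grep -rl --include='*.php' 'eval(base64_decode' "$1" || true
}

# Decode the base64 argument of every eval(base64_decode(...)) in file $1
# so the responder can read what the dropper does before removing it.
# Handles single- or double-quoted payloads; one decoded blob per line.
# Constructed sample: eval(base64_decode("cGhwaW5mbygpOw==")) -> phpinfo();
decode_payloads() {
    grep -oE "eval\(base64_decode\(['\"][A-Za-z0-9+/=]+['\"]\)" "$1" \
      | sed -E "s/^.*\(['\"]//; s/['\"]\)$//" \
      | while IFS= read -r b64; do
            printf '%s' "$b64" | base64 -d
            printf '\n'
        done
}

# Strip the injected statement from file $1 in place, keeping a .bak copy.
# Only "eval(base64_decode(...));" is removed ([^;]* stops at the first ';',
# and base64 text never contains one), so a <?php tag sharing the line stays.
clean_file() {
    sed -i.bak -E 's/eval\(base64_decode\([^;]*;//g' "$1"
}

# Number of lines in file $1 still containing eval(base64_decode (0 when clean).
count_evals() {
    grep -c 'eval(base64_decode' "$1" || true
}

# Usage: sh scan.sh /path/to/webroot
# Lists each hit, prints its decoded payload, then cleans it.
if [ -n "${1:-}" ]; then
    find_infected "$1" | while IFS= read -r f; do
        printf '== %s\n' "$f"
        decode_payloads "$f"
        clean_file "$f"
    done
fi
```

Run the script once without clean_file (comment the line out) to read the decoded payloads first; a payload that is itself another base64_decode or gzinflate layer needs to be decoded again by hand. The .bak copies are what you diff against before deleting them.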

source:
https://8dweb.com/go/knowledgebase/113/Malicous-and-Suspicious-Files—Finding-and-removing-evalbase64decode.html
