Find
Commands to list infected files (the first matches the classic dropper exactly; the other two are broader and will also hit legitimate uses of eval and base64, so review those matches before deleting anything):
grep -lr --include='*.php' "eval(base64_decode" /path/to/webroot
grep -lr --include='*.php' "eval" .
grep -lr --include='*.php' "base64" .
Find a doubled <?php on the first line of a file named "php" (what a prepended dropper usually leaves behind):
head -n1 php | grep '?php.*?php'
The same check across a tree, for files whose <?php tags are spread over multiple lines (grep -c counts matching lines, not tags, so this lists files with <?php on exactly two lines):
find . -maxdepth 3 -name '*.php' -exec grep -c '<?php' {} + | grep ':2$'
Injected include hidden inside a /** ... */ comment block (drop the lines of asterisks first, then look for include statements):
grep -Ev '\*{3,}' wp-infected-file | grep -Ei 'include '
Commands to remove the malicious code (both keep a .bak copy of every file they touch):
grep -lr --include='*.php' "eval(base64_decode" /path/to/webroot | xargs sed -i.bak 's/<?php eval(base64_decode[^;]*;/<?php\n/g'
grep -lr --include='*.php' "eval(base64_decode" /path/to/webroot | xargs sed -i.bak '/eval(base64_decode/d'
The first replaces only the injected statement; the second deletes the whole line and takes any legitimate code on that line with it. If any paths contain spaces, use grep -lZ and xargs -0 instead of the plain pipe.
To stop the injection from reappearing, remove the rogue wp-phpmyadmin directory:
find /path/to/webroot -name "wp-phpmyadmin" -type d | xargs rm -rf
Missing <?php tag at the beginning (restore it in every index.php under an htdocs directory that lacks one):
find /var/www/ -name "index.php" | grep "/htdocs/index.php" | xargs grep -L "<?php" | xargs sed -i "1s/^/<?php\n/"
Extra newlines at the end of the file (this sed one-liner strips trailing blank lines after the closing tag, which PHP would otherwise send as output; it does not touch blank lines before the opening <?php):
find . -name '*.php' -exec sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' '{}' \;
Remove files matching *_input* (run the find on its own and check the list before piping it to rm):
find . -name '*_input*' | xargs rm -rf
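The find-and-clean steps above, as an added example that is not part of the original page: a small self-checking script that builds a throwaway webroot, locates the eval(base64_decode dropper with NUL-separated paths so directories with spaces survive the pipe into xargs, strips the injected statement while keeping a .bak of each touched file, removes leading blank lines (the "headers already sent" case the newline fixes are aimed at), and lists files that were nothing but the dropper. Every file name, directory name and the base64 payload below are constructed samples; the payload decodes to a harmless echo "hi";.

```shell
#!/bin/sh
# Added example, not from the original page. All paths and payloads below are
# constructed samples.

# Build a throwaway webroot with four constructed PHP files:
#   clean.php         an ordinary file, must be left alone
#   infected.php      the one-line dropper prepended to a legitimate file
#   sub dir/evil.php  a file that is nothing but the dropper (space in the path)
#   leading.php       blank lines before the opening <?php
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir "$root/sub dir"
    printf '<?php\necho "hello";\n' > "$root/clean.php"
    printf '<?php eval(base64_decode("ZWNobyAiaGkiOw==")); ?><?php\necho "legit";\n' > "$root/infected.php"
    printf '<?php eval(base64_decode("ZWNobyAiaGkiOw==")); ?>\n' > "$root/sub dir/evil.php"
    printf '\n\n<?php\necho "late";\n' > "$root/leading.php"
    echo "$root"
}

# Files containing the dropper, NUL-terminated so paths with spaces survive
# the pipe into xargs -0. -F matches the string literally, not as a regex.
list_infected() {
    grep -rl --null --include='*.php' -F 'eval(base64_decode' "$1"
}

# Same match as a plain count (grep exits 1 when nothing matches; wc still
# prints 0 and the pipeline's status is wc's).
count_infected() {
    grep -rl --include='*.php' -F 'eval(base64_decode' "$1" | wc -l | tr -d ' '
}

# Strip the injected statement, including its closing ?>, and keep everything
# else on the line. sed -i.bak leaves a backup beside each modified file.
# Only the <?php eval(base64_decode(...)); ?> form is handled, as in the
# page's sed command; other variants need a look by hand.
clean_infected() {
    list_infected "$1" | xargs -0 -r sed -i.bak 's/<?php eval(base64_decode[^;]*; *?>//'
}

# Delete blank lines before the first non-blank line of every .php file.
# Such lines are sent to the client before any header() call.
strip_leading_blank_lines() {
    find "$1" -name '*.php' -type f -exec sed -i.bak '/./,$!d' '{}' \;
}

# After cleaning, a file that consisted of nothing but the dropper is empty.
# List those so they can be removed deliberately instead of left behind.
list_emptied() {
    find "$1" -name '*.php' -type f -empty
}

# Demo run on the constructed webroot.
demo_root=$(make_sample_webroot)
echo "infected before: $(count_infected "$demo_root")"
clean_infected "$demo_root"
strip_leading_blank_lines "$demo_root"
echo "infected after:  $(count_infected "$demo_root")"
echo "now empty (pure droppers, delete by hand):"
list_emptied "$demo_root"
rm -rf "$demo_root"
```

On a real webroot, point the functions at the site directory instead of the sample and keep the .bak files until the site has been checked; the emptied-file list is the set of pure droppers that the page's rm commands are meant for.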
source:
https://8dweb.com/go/knowledgebase/113/Malicous-and-Suspicious-Files—Finding-and-removing-evalbase64decode.html