Eval base64 grep find hacks



ramon fincken
Posted: Sun Mar 29, 2015 7:53 am    Post subject: Eval base64 grep find hacks

Find

Command to list all infected files:
grep -lr --include='*.php' "eval(base64_decode" /path/to/webroot
grep -lr --include='*.php' "eval" .
grep -lr --include='*.php' "base64" .

Find double <?php on first line of file "php"
head -n1 php | grep '?php.*?php'

multiple lines
# -H prints the file name even when only one file is passed to grep
find . -maxdepth 3 -name '*.php' -exec grep -cH '<?php' {} + | grep ':2$'

include in comment /**
Code:
grep -Eiv '(\*){3,}' wp-infected-file | grep -Ei '(include ){1,}'


Command to remove malicious code:
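# -Z / -0 keep file names with spaces intact, -r skips sed when nothing matched (GNU grep/xargs)
grep -lrZ --include='*.php' "eval(base64_decode" /path/to/webroot | xargs -0 -r sed -i.bak 's/<?php eval(base64_decode[^;]*;/<?php\n/g'

# deletes every line that contains eval(base64_decode
grep -lrZ --include='*.php' "eval(base64_decode" /path/to/webroot | xargs -0 -r sed -i.bak '/eval(base64_decode/d'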

Trying to avoid re-appearance of this code injection
find /path/to/webroot -name "wp-phpmyadmin" -type d -print0 | xargs -0 -r rm -rf

Missing <?php tag in the beginning:
find /var/www/ -path '*/htdocs/index.php' -print0 | xargs -0 -r grep -LZ "<?php" | xargs -0 -r sed -i "1s/^/<?php \n/"

Extra Newlines at the top!
# '/./,$!d' deletes every line before the first non-empty one (GNU sed)
find . -name '*.php' -exec sed -i '/./,$!d' {} +

find . -name '*_input*' -print0 | xargs -0 -r rm -rf

source:
https://8dweb.com/go/knowledgebase/113/...ecode.html
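
A read-only triage pass to run before the `sed -i` and `rm -rf` commands above, so you can see which files would be touched and why. This is an added example, not part of the original post: the function and indicator names are made up here, the sample files in any test run are constructed, and the `eval` pattern goes slightly beyond the post by also matching whitespace between the tokens.

```shell
#!/bin/sh
# Added example: report which of the post's indicators each PHP file matches.
# Nothing is modified. Output is one "indicator<TAB>path" line per hit.
# check_php_file, scan_webroot and the indicator names are hypothetical.

check_php_file() {
    f=$1
    # eval(base64_decode, also matching "eval ( base64_decode"
    if grep -Eq 'eval[[:space:]]*\([[:space:]]*base64_decode' "$f"; then
        printf 'eval_base64\t%s\n' "$f"
    fi
    # a second <?php opener on the first line (same pattern as the post)
    if head -n1 "$f" | grep -q '?php.*?php'; then
        printf 'double_open_tag\t%s\n' "$f"
    fi
    # blank first line: the "extra newlines at the top" case
    if head -n1 "$f" | grep -q '^[[:space:]]*$'; then
        printf 'leading_blank\t%s\n' "$f"
    fi
    # no <?php anywhere: the "missing <?php tag" case (grep -L in the post)
    if ! grep -q '<?php' "$f"; then
        printf 'no_open_tag\t%s\n' "$f"
    fi
}

scan_webroot() {
    # Line-based read: copes with spaces in file names, not with newlines.
    find "$1" -type f -name '*.php' | sort |
    while IFS= read -r path; do
        check_php_file "$path"
    done
}

# Usage: scan_webroot /path/to/webroot
```

Review the report, then run the cleanup commands only on the files you have confirmed.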