PHP script to remove one line virus attacks
<?php
/**
* Usage:
* php rm-attack.php [pattern] [directory]
*
* php rm-attack.php '<?php $ctddbnvbtj' .
*
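* At the end, a report file './report.log' will be generated with the list of files that were modified.
*
* Note: files are rewritten in place. Every file that grep reports has its first line trimmed
* (everything up to and including the first '?>') or removed entirely, even when the pattern
* only appears on a later line, so run this on a backup copy or under version control first.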
*/
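// Both arguments are mandatory: the signature to look for and the tree to scan.
if(!isset($argv[1])) {
    die("Pattern not specified!" . PHP_EOL);
}
if(!isset($argv[2])) {
    die('Dirrectory not specified!' . PHP_EOL);
}
$pattern = $argv[1];
$dossier = $argv[2];
echo 'Searching directory "' . $dossier . '" for the pattern "' . $pattern . '" !' . PHP_EOL;

// List every file under the directory that contains the pattern (grep regex semantics).
// Both values are shell-quoted: injected signatures often contain quotes, '$' or ';', and
// directory names may contain spaces. '-e' and '--' stop a value that starts with '-'
// from being parsed as a grep option.
$o = array();
$grep_status = 0;
exec('grep -Rl -e ' . escapeshellarg($pattern) . ' -- ' . escapeshellarg($dossier), $o, $grep_status);
if ($grep_status > 1) {
    // grep exits 0 on match, 1 on no match, and >1 on errors such as unreadable paths.
    fwrite(STDERR, 'grep reported an error (exit status ' . $grep_status . '); the file list may be incomplete.' . PHP_EOL);
}
echo 'Found ' . count($o) . ' matching files!';

if (count($o)) {
    // The report goes to ./report.log in the current working directory. getcwd() returns
    // a string; the output array filled by exec('pwd', ...) cannot be concatenated into a path.
    $cwd = getcwd();
    if ($cwd === false) {
        $cwd = '.';
    }
    $report_file = $cwd . '/report.log';
    // Open for writing; abort before touching any file if the audit trail cannot be kept.
    $report_ptr = fopen($report_file, 'w');
    if ($report_ptr === false) {
        die(PHP_EOL . 'Cannot open report file for writing: ' . $report_file . PHP_EOL);
    }

    foreach ($o as $fic) {
        if (!file_exists($fic)) {
            echo "\n ************ Fichier introuvable : " .$fic . "***************";
            continue;
        }
        echo "\n" . $fic;

        // Read the whole file; file_get_contents also copes with empty files.
        $contenu = file_get_contents($fic);
        if ($contenu === false) {
            fwrite($report_ptr, 'Could not read: ' . $fic . PHP_EOL);
            continue;
        }

        // PHP_EOL is the line break of the host running the script (\n on Linux, \r\n on Windows).
        $contenu = explode(PHP_EOL, $contenu);

        // NOTE(review): grep -l matches the pattern anywhere in the file, but only the first
        // line is ever cleaned, and it is cleaned unconditionally. A file whose match is on a
        // later line still loses its first line and keeps the matched code; check the report.
        $prep = $contenu[0];
        $close_tag = strpos($prep, '?>');
        if ($close_tag !== false) {
            // Keep whatever follows the first closing tag: that is the file's original first line.
            $prep = (string) substr($prep, $close_tag + 2);
            $report_line = 'Processed: ' . $fic . PHP_EOL;
        }
        else {
            // No closing tag on the first line: the whole line is dropped.
            $prep = '';
            echo "\n ************ Pas de ?> dans : " . $fic . "***************";
            $report_line = 'No ?> found in: ' . $fic . PHP_EOL;
        }

        // Drop the first line, then rebuild the file with the cleaned remainder in its place.
        unset($contenu[0]);
        $contenu = $prep . "\n" . implode(PHP_EOL, $contenu);

        if (file_put_contents($fic, $contenu) === false) {
            fwrite($report_ptr, 'Could not write: ' . $fic . PHP_EOL);
            continue;
        }
        // Log to the report handle only once the file has actually been rewritten.
        fwrite($report_ptr, $report_line);
    }
    fclose($report_ptr);
}
echo "\n";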
?>