Skip to content

Instantly share code, notes, and snippets.

@frosit

frosit/infectedFiles.md

Created May 5, 2016 22:40
Show Gist options
  • Star 38 You must be signed in to star a gist
  • Fork 13 You must be signed in to fork a gist
  • Save frosit/ec600bf288235edb8352b528b53f66ed to your computer and use it in GitHub Desktop.
Save frosit/ec600bf288235edb8352b528b53f66ed to your computer and use it in GitHub Desktop.
Download ZIP
Some commands for finding and clearing infected PHP files
Raw
infectedFiles.md

Finding infected files with following bash commands

** Command to list all infected files:

  • grep -lr --include=*.php "eval(base64_decode" /path/to/webroot
  • grep -lr --include=*.php "eval" .
  • grep -lr --include=*.php "base64" .

Command to remove malicious code:

  • grep -lr --include=*.php "eval(base64_decode" /path/to/webroot | xargs sed -i.bak 's/<?php eval(base64_decode[^;]*;/<?php\n/g'

  • grep -lr --include=*.php "eval(base64_decode" /path/to/webroot | xargs sed -i.bak '/eval(base64_decode*/d'

Trying to avoid re-appearance of this code injection

  • find /path/to/webroot -name "wp-phpmyadmin" -type d | xargs rm -rf

Missing <?php tag in the beginning:

  • find /var/www/ -name "index.php" | grep "/htdocs/index.php" | xargs grep -L "<?php" | xargs sed -i "1s/^/<?php \n/"

Extra Newlines at the top!

  • find . -name '*.php' -exec sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' '{}' \;

  • find -name '*_input*' | xargs rm -rf

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment