pforret/clean_trojan_php.sh

## clean_trojan_php.sh
#!/bin/bash
# updated in 2020 because my bash skills were not that sophisticated in 2012
LIST=/tmp/LIST.TROJANS.$(date '+%Y%m%d').txt
PATT="eval(base64_decode"
REGEX="eval\(base64_decode"

if [[ ! -s "$LIST" ]] ; then
  # find all infected php files and put them in $LIST file
  grep -l -R --include=*.php "$PATT" * > "$LIST"
fi
wc -l "$LIST"

for INPUT in `cat $LIST` ; do
  TEMP="$INPUT.tmp"
  BAD="$INPUT.hacked"
  < "$INPUT" awk 'NR == 1 { gsub(/^<\?php.*><\?php/,"<?php"); print $0 } NR > 1 {print $0}' > "$TEMP"
  mv $INPUT $BAD && mv $TEMP $INPUT
done
	#!/bin/bash
	# updated in 2020 because my bash skills were not that sophisticated in 2012
	LIST=/tmp/LIST.TROJANS.$(date '+%Y%m%d').txt
	PATT="eval(base64_decode"
	REGEX="eval\(base64_decode"

	if [[ ! -s "$LIST" ]] ; then
	# find all infected php files and put them in $LIST file
	grep -l -R --include=.php "$PATT" > "$LIST"
	fi
	wc -l "$LIST"

	for INPUT in `cat $LIST` ; do
	TEMP="$INPUT.tmp"
	BAD="$INPUT.hacked"
	< "$INPUT" awk 'NR == 1 { gsub(/^<\?php.*><\?php/,"<?php"); print $0 } NR > 1 {print $0}' > "$TEMP"
	mv $INPUT $BAD && mv $TEMP $INPUT
	done