How can I search and replace all files recursively to remove some rogue code injected into php files on a wordpress installation?

How can I search and replace all files recursively to remove some rogue code injected into php files on a wordpress installation? The hacker added some code (below) to ALL of the .php files in my wordpress installation, and it happens fairly often to many sites, and I spend hours manually removing the code.

Today I tried a number of techniques I found online, but had no luck due to the long code snippet and the many special characters in it that mess up the delimiters. I tried using different delimiters with perl:

perl -p -i -e 's/rogue_code//g' *

to

perl -p -i -e 's{rogue_code}{}g' *

and tried using backslashes to escape the slashes in the code, but nothing seems to work. I’m working on a shared server, so I don’t have full access to all the directories outside my own.

Thanks a lot…here’s the code:

<?php /**/ eval(base64_decode("aWYoZnVuY3
... snip tons of this ...
sgIH1lbHNleyAgICB9ICB9"));?>

3 comments

  1. Without having a chance to poke around the files myself, it’s hard to be sure; but it sounds like you need:

    # the regex metacharacters in the rogue code (? * ( ) ) must be backslash-escaped
    find . -name '*.php' -exec perl -i -pe 's{<\?php /\*\*/ eval\(base64_decode\("[^"]+"\)\);\?>}{}g' '{}' ';'
    

    (That said, I agree with the commenters above that trying to undo the damage, piecemeal, after it happens is not the best strategy.)
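The same removal as an added, stand-alone Python script (example code added here, not the commenter's one-liner). The fixed parts of the injection go through re.escape, so ?, *, ( and / lose their regex meaning, which is exactly the delimiter trouble the question ran into; only the base64 payload between the quotes stays variable. The ROGUE payload, the sample tree and the function names are constructed for the example, and a .bak copy is written only for files that actually changed.

```python
import os
import re
import tempfile

# Constructed sample of the injected prefix the question shows: the attacker
# prepends a complete "<?php ... ?>" block, so the file's real first line
# follows it on the same line. The base64 payload is a placeholder.
ROGUE = '<?php /**/ eval(base64_decode("aWYoZnVuY3ABCD"));?>'

# Pattern for the whole family of injections: the fixed prefix and suffix are
# escaped with re.escape so every metacharacter is literal; only the base64
# payload is left variable.
ROGUE_FAMILY = re.compile(
    re.escape('<?php /**/ eval(base64_decode("')
    + r'[A-Za-z0-9+/=]+'
    + re.escape('"));?>')
)


def clean_file(path, pattern=ROGUE_FAMILY, backup=True):
    """Remove every match of `pattern` from one file and return the number of
    matches removed. Clean files are neither rewritten nor backed up."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        original = fh.read()
    cleaned, count = pattern.subn("", original)
    if count == 0:
        return 0
    if backup:
        with open(path + ".bak", "w", encoding="utf-8", errors="surrogateescape") as fh:
            fh.write(original)
    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
        fh.write(cleaned)
    return count


def clean_tree(root, pattern=ROGUE_FAMILY, backup=True):
    """Walk `root` recursively, clean every *.php file, and return
    {relative_path: matches_removed} for the files that were modified."""
    modified = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            n = clean_file(full, pattern, backup)
            if n:
                modified[os.path.relpath(full, root)] = n
    return modified


def demo():
    """Build a constructed tree with one infected and one clean file, clean it,
    and return (modified map, first line of the cleaned file, backup exists)."""
    root = tempfile.mkdtemp(prefix="wpclean-")
    os.makedirs(os.path.join(root, "wp-content", "themes", "t"))
    infected = os.path.join(root, "wp-content", "themes", "t", "functions.php")
    with open(infected, "w") as fh:
        fh.write(ROGUE + "<?php\n// theme functions\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n// untouched\n")
    modified = clean_tree(root)
    with open(infected) as fh:
        first_line = fh.readline().rstrip("\n")
    return modified, first_line, os.path.exists(infected + ".bak")


if __name__ == "__main__":
    print(demo())
```

If every infected file carries byte-for-byte the same snippet, the regex is not even needed: `original.replace(rogue_literal, "")` has no metacharacters to worry about at all. The pattern form is for the usual case where the base64 blob differs from file to file.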

  2. and it happens fairly often to many sites, and I spend hours manually
    removing the code….

    Sounds like you need to do a better job of cleaning the hack or change hosts. Replace all WP core files and folders, all plugins, and then all you have to do is search theme files and wp-config.php for the injected scripts.

    See How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex and Recommended WordPress Web Hosting

  3. I have the same problem (Dreamhost?) and first run this clean.pl script:

    #!/usr/bin/perl
    # usage: perl clean.pl file.php   (prints the shell commands that swap in the cleaned copy)
    $file0 = $ARGV[0];
    open F0, '<', $file0 or die "error opening $file0 : $!";
    $t = <F0>;                 # the injected block sits on the first line only
    $hacked = 0;
    if ($t =~ s#.*base64_decode.*?;\?>##) {
        $hacked = 1;
    }
    print "# $file0: " . ($hacked ? "HACKED" : "CLEAN") . "\n";
    if (! $hacked) {
            close F0;
            exit 0;
    }
    
    $file1 = $file0 . ".clean";
    open F1, '>', $file1 or die "error opening $file1 for write : $!";
    print F1 $t;
    while (<F0>) {
        print F1;              # copy the remaining lines unchanged
    }
    close F0;
    close F1;
    print "mv -f $file0 $file0.bak\n"; # comment this out if you don't want backup files
    print "mv -f $file1 $file0\n";
    

    with find . -name '*.php' -exec perl clean.pl '{}' \; > cleanfiles.sh
    and then I run . cleanfiles.sh

    I also found that there were other differently infected files (“bootstrap” infectors, those which triggered the other infection), which instead of the base64_decode call had some hex-escaped command… To detect them, this suspicious_php.sh:

    #!/bin/sh
    #  prints the filename if the first 2 lines have more than 5000 bytes
    file=$1
    bytes=`head -n 2 "$file" | wc -c`
    if [ "$bytes" -gt 5000 ]
    then
      echo "$file"
    fi
    

    And then: find . -name '*.php' -type f -exec ./suspicious_php.sh '{}' \;

    Of course, all this is not foolproof at all.
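The detection side of the comment above as an added Python example (not the commenter's scripts), generalized a little beyond the 5000-byte rule: each *.php file is checked for an oversized first two lines, for the eval(base64_decode()) prefix, and for a run of hex-escaped bytes of the kind the "bootstrap" infectors use. The thresholds, the sample files and the function names are assumptions made for the example; the scan is read-only and reports reasons rather than deleting anything.

```python
import os
import re
import tempfile

# Thresholds and patterns are assumptions for this example; tune them per site.
MAX_HEADER_BYTES = 5000                  # the "first 2 lines" size rule
BASE64_EVAL = re.compile(rb'eval\s*\(\s*base64_decode\s*\(')
HEX_ESCAPE_RUN = re.compile(rb'(?:\\x[0-9A-Fa-f]{2}){8,}')   # e.g. "\x62\x61..."


def suspicion_reasons(path):
    """Return a list of human-readable reasons a PHP file looks injected
    (an empty list means nothing matched). Reads bytes so that a mangled
    file cannot abort the scan with an encoding error."""
    with open(path, "rb") as fh:
        head = fh.readline() + fh.readline()   # first two lines only
        data = head + fh.read()
    reasons = []
    if len(head) > MAX_HEADER_BYTES:
        reasons.append("first two lines are %d bytes" % len(head))
    if BASE64_EVAL.search(data):
        reasons.append("eval(base64_decode(...)) present")
    m = HEX_ESCAPE_RUN.search(data)
    if m:
        reasons.append("run of %d hex-escaped bytes" % (len(m.group(0)) // 4))
    return reasons


def scan_tree(root):
    """Walk `root` and return {relative_path: reasons} for flagged *.php files."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            reasons = suspicion_reasons(full)
            if reasons:
                flagged[os.path.relpath(full, root)] = reasons
    return flagged


def demo():
    """Constructed tree: one clean file and three infected variants."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(os.path.join(root, "wp-content"))
    samples = {
        "index.php": '<?php\nrequire "wp-blog-header.php";\n',
        # the eval(base64_decode()) prefix from the question, payload shortened
        "wp-includes/b64.php": '<?php /**/ eval(base64_decode("aWYoZnVuY3"));?><?php\necho 1;\n',
        # "bootstrap" style: a function name spelled out as hex escapes
        "wp-content/hex.php": '<?php eval("' + "".join("\\x%02x" % b for b in b"base64_decode") + '"); ?>\n',
        # nothing recognisable, just an absurdly long first line
        "big.php": "<?php " + "A" * 6000 + "\n?>\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return scan_tree(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

The hex-escape rule is what catches the "bootstrap" files the comment mentions, which the base64 check alone misses; the size rule is a cheap fallback for payloads that use neither encoding. Anything flagged still needs a human look before it is replaced from a known-good copy.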