REMOVE “EVAL(BASE64_DECODE” USING LINUX COMMANDS FROM ALL PHP FILES ACROSS MULTIPLE WORDPRESS
2012-11-01 22:46
Yesterday, almost all installations on our test server had been infected by the infamous “<?php eval(base64_decode(…)) ?>” code injection.
We have more than 600 demo sites on our test server, and cleaning them using any WordPress plugin out there was simply out of the question! Can you imagine logging into each WordPress, installing a plugin, then scanning/cleaning up WordPress… for 600+ WordPress sites?
Below is the combination of Linux commands we used. Assuming you are logged into a Linux shell and already have a BACKUP of all files (including the infected ones), let's move ahead!
Command to list all infected files:
grep -lr --include=*.php "eval(base64_decode" /path/to/webroot
This is not strictly necessary, but it is better to check some of the listed files manually to confirm that they contain the malicious code we are looking for. We can also run this command again after the cleanup command to cross-check that the cleanup really succeeded (an empty list means no file still contains the marker).
Command to remove malicious code:
If the above command gives you the correct output, execute the following command to perform the actual cleaning:
grep -lr --include=*.php "eval(base64_decode" /path/to/webroot | xargs sed -i.bak 's/<?php eval(base64_decode[^;]*;/<?php\n/g'
Executing the above will remove the eval(*) code. The command will also generate a backup version of every file it modifies. For example, if it removes code from index.php, you will find a new file index.php.bak in the same directory with the original content of index.php.
If, after running the above command, you still find infected files, you need to adjust the search and replace pattern in the “sed” part. You may also use the following command for a more “liberal” cleaning (it deletes every line containing the marker) at the risk of breaking something. (In case you really break something, as I did, you can jump to the “Troubleshooting” section below!)
grep -lr --include=*.php "eval(base64_decode" /path/to/webroot | xargs sed -i.bak '/eval(base64_decode/d'
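As an added example (not the original post's commands), here is the same grep-and-sed cleanup wrapped in a small script that is safe for filenames containing spaces, keeps the .bak copies, and reports how many PHP files still match afterwards. It assumes GNU grep and sed (for -Z, -0 and -i.bak) and builds its own constructed sample site in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU grep/sed.
MARKER='eval(base64_decode'

# List PHP files under $1 that contain the injection marker, NUL-separated,
# so that paths with spaces survive the trip through xargs.
list_infected() {
    grep -lrZ --include='*.php' "$MARKER" "$1"
}

# Strip the injected statement from each infected file under $1, keeping a
# .bak copy next to each modified file, then print how many *.php files
# still contain the marker (0 means the sed pattern covered every variant;
# anything else means the pattern needs adjusting).
clean_eval_injection() {
    list_infected "$1" | xargs -0 -r sed -i.bak 's/<?php eval(base64_decode[^;]*;/<?php\n/g'
    list_infected "$1" | tr -cd '\0' | wc -c | tr -d ' '
}

# Build a constructed sample site in a temp dir: one index.php carrying a
# placeholder injection (the base64 is just "ABCDEF") and one clean theme
# file in a directory with a space in its name. Prints the directory.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/themes/demo theme"
    printf '<?php eval(base64_decode("QUJDREVG")); ?><?php\necho "hello";\n' \
        > "$site/index.php"
    printf '<?php\necho "clean";\n' > "$site/wp-content/themes/demo theme/functions.php"
    echo "$site"
}
```

Run it as `site=$(make_sample_site); clean_eval_injection "$site"`, then compare `index.php` with `index.php.bak` to see exactly what was removed.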
Trying to avoid re-appearance of this code injection
It is really tough to cover every possible way to protect yourself from such an attack in this post. If you remember, the WordPress community faced this kind of issue because of the WP-phpMyAdmin plugin some time back. In our case, we found that some old WordPress demo sites still had that plugin installed.
To remove the WP-phpMyAdmin plugin from all WordPress sites on your server, execute the following command:
find /path/to/webroot -name "wp-phpmyadmin" -type d | xargs rm -rf
That is all we did to get rid of the eval(base64_decode(*)) code from all files on our test server. If this happens again on our server, I will update this post with the added info.
Troubleshooting:
Just in case you end up in a mess, below are some useful commands.
Missing <?php tag at the beginning:
To add the “<?php” tag at the beginning of index.php files, in case you removed it accidentally, use the following command:
find /var/www/ -name "index.php" | grep "/htdocs/index.php" | xargs grep -L "<?php" | xargs sed -i "1s/^/<?php \n/"
Don’t worry: if a file already has a “<?php ” tag at the beginning, it won’t be added again (the grep -L step only selects files without one).
Extra Newlines at the top!
If you find extra newlines at the top of your code after cleanup, use the following command to remove trailing newlines. Extra newlines create problems for blog feeds.
find . -name '*.php' -exec sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' '{}' \;
I hope you will find this stuff useful.