How to recursively remove text from hacked PHP files; or Reading the Man pages, being a man, and not dancing around the question

June 7th, 2013
by Christopher Kusek (PKGuild)

So you log in to your website only to find OMG WE’VE BEEN HAXX0RED!@#!@! Which quite frankly sucks. It could be any number of issues, but let’s say you suffer from the condition where someone has inserted some encrypted block of text at the top of each PHP file, to be executed whenever the file is loaded.

You can fix it one by one, but that’s annoying as all hell and lengthy… going into vi for each file, deleting the first line, rinse, repeat, AHHHH!!!!

So you search the internet with various phrases like “remove text from php file”, “how to strip txt out of files”, “recursively fix hacked php wordpress”; I mean the list can and DOES go on, but the point is you end up on forums and blogs where people are like LET ME SHOW YOU HOW IT’S DONE, resulting in them basically telling you to read the man pages. Hey douche-bag, be a MAN and tell me exactly what I need to do. The time to ‘learn’ how to do it is all fine and dandy for AFTER I have the problem resolved! It’d be like going to the mechanic to get your car fixed and having him laugh at you for not knowing what is wrong, and not fixing it until you can explain how you’d fix it yourself. Guess what, you’re a dick and this is not a time for a learning lesson!

This is a time for a learning lesson!

If you happen to find yourself in the position of needing to ‘strip’ an arbitrary string of information from one or more files, here’s a way to do it, with an explanation of what each part of this means!

find . -type f -print0 | xargs -0 sed -i 's/.*zend.*//g' *.php

So, some of you may be wondering, “Well, crap that works! I fixed it! but what does it mean and how do I use this to my benefit in the future?!” Here is a breakdown of the syntax and some alternative selections you can choose, and I’ll be explaining it in ‘reverse’ because that’s sort of how it is executing.

sed -i 's/.*zend.*//g' *.php

    sed is a stream editor; the -i flag tells it to edit files “in place”, saving back to the original file as opposed to saving to another file name or type. You’ll notice that it calls “s/”, which is to “substitute”: the text that follows is the search pattern, in this case .*zend.* (any line containing “zend”), and the part between the next two slashes is what to replace it with. Here that part is empty, so the matched text is replaced with nothing, i.e. the line is emptied; the trailing “g” applies the substitution to every match on the line.

And lastly the “*.php” at the end specifies what file types we want to perform this command against. We could easily choose “*.htm” or even “*”.

xargs -0

    What exactly does this mean? Well, this tells xargs to expect file names separated by a ‘null’ character rather than whitespace; it is normally used together with find and -print0, as below.

find . -type f -print0

    What is going on here is that the system is going to ‘find’, based upon the parameters we specified in the other areas (e.g. *.php), starting at the current directory of “.”. Then “-type f” basically tells the system to indicate that a file has been identified as having that ‘string’ of text to replace, and “-print0” will then print out what the “filename” was.

How this basically sums up is that the system, starting at a base directory, searches through all subdirectories looking for files which have a certain string of text in them. When it finds that string of text, print0 will tell xargs the name of the file which HAD the string of text. With the filename identified, sed will step in and execute the ‘replacement’ of the string of text, which in this case basically deletes it. It continues searching through the directory structure until it has exhausted the criteria of finding .php files which have the data in mind.

Now, you’re not limited to using ‘sed’ for this; you could just as easily use “grep -Ev” to filter out the lines containing that string of text. It really comes down to what you’re comfortable with and how you want to cut it.
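To make the procedure above safe to run on a real site, here is an added example (my own script, not the post’s one-liner) that moves the *.php filter into find -name, rewrites only the files grep confirms contain the pattern, and keeps a .bak copy of every file it changes. The site layout, the zend_sample_marker string and the file contents are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post. The post's one-liner has two
# traps: find without -name visits every file (images, .txt, binaries), and
# the trailing *.php is expanded by the shell and handed to sed as extra
# input files (xargs appends find's list after it), so it is not a filter.
# Here the filter lives in find -name, -type f means "regular files only",
# and the matching line is deleted (/re/d) rather than blanked (s/.*re.*//).

# Build a constructed sample site: two infected .php files, a legitimate
# line that also contains "zend", and a non-PHP file that must stay untouched.
make_sample_site() {
    mkdir -p "$1/inc"
    marker='<?php /* constructed injected line: zend_sample_marker */ ?>'
    printf '%s\n<?php echo "hello"; ?>\n' "$marker" > "$1/index.php"
    printf '%s\n<?php ini_set("zend.enable_gc", "1"); ?>\n' "$marker" > "$1/inc/config.php"
    printf '%s\n' "$marker" > "$1/notes.txt"
}

# Print how many *.php files under $1 still contain basic regex $2.
count_infected() {
    find "$1" -type f -name '*.php' -print0 \
        | xargs -0 -r grep -l -- "$2" | wc -l | tr -d ' '
}

# Delete every line matching basic regex $2 (which must not contain "/")
# from the *.php files under $1 that grep confirms are infected. grep -lZ
# emits NUL-terminated names so odd file names survive xargs -0, and
# sed -i.bak leaves a .bak copy that doubles as the list of files changed.
strip_injected_lines() {
    find "$1" -type f -name '*.php' -print0 \
        | xargs -0 -r grep -lZ -- "$2" \
        | xargs -0 -r sed -i.bak -e "/$2/d"
}

# Stand-alone demo on a temporary copy of the constructed site.
site=$(mktemp -d)
make_sample_site "$site"
echo "infected php files before: $(count_infected "$site" zend_sample_marker)"
strip_injected_lines "$site" zend_sample_marker
echo "infected php files after:  $(count_infected "$site" zend_sample_marker)"
echo "legit zend line kept: $(grep -c zend.enable_gc "$site/inc/config.php")"
rm -rf "$site"
```

Diff the .bak copies against the cleaned files before deleting them, and use the most specific regex you can: the post’s bare “zend” would also wipe the legitimate zend.enable_gc line in the sample.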

Hopefully the lesson here is… here is a solution to a problem that some of you WILL suffer from in your life and hell, I can go back and use this script again in the event that one of the sites I manage gets screwed up again. Likewise, with a little effort you can use this to find and replace text in files in your environment, say modifying hosts files en masse or changing DNS in resolv.conf throughout your environment… Whatever floats your boat!

Special thanks to my Twitter friends who tossed out VARIOUS ways to do this! @Fr3d_org @davidchapa @cody_bunch

Hopefully you found this useful, I sure as hell did!

Posted in Blog, Education, Friends, Informational, Social Media, tools, Twitter | Comments (161)
