How to recursively remove text from hacked PHP files; or Reading the Man pages, being a man, and not dancing around the question

So you log in to your website only to find OMG WE’VE BEEN HAXX0RED!@#!@! Which quite frankly sucks.   It could be any number of issues, but let’s say you suffer from the condition where someone has inserted some encrypted block of text at the top of each PHP file, which then executes every time one of those files is loaded.

You can fix it, one by one but that’s annoying as all hell and lengthy… going into vi for each file, deleting the first line, rinse, repeat, AHHHH!!!!

So you search the internet with various phrases like “remove text from php file” “how to strip txt out of files” “recursively fix hacked php wordpress” I mean the list can and DOES go on, but the point is you end up on forums and blogs where people are like LET ME SHOW YOU HOW IT’S DONE, resulting in them basically telling you to read the Man Pages.  Hey douche-bag, be a MAN and tell me exactly what I need to do.  The time to ‘learn’ how to do it is all fine and dandy for AFTER I have the problem resolved!   It’d be like going to the Mechanic to get your car fixed and having him laugh at you for not knowing what is wrong, and not fixing it until you can explain how you’d fix it yourself.  Guess what, you’re a dick and this is not a time for a learning lesson!

This is a time for a learning lesson!

If you happen to find yourself in the position of needing to ‘strip’ an arbitrary string of text from one or more files, here’s a way to do it, with an explanation of what each part of this means!

find . -type f -name '*.php' -print0 | xargs -0 sed -i 's/.*zend.*//g'

So, some of you may be wondering, “Well, crap that works! I fixed it! But what does it mean and how do I use this to my benefit in the future?!” Here is a breakdown of the syntax and some alternative selections you can choose, and I’ll be explaining it in ‘reverse’ because that’s sort of how it is executing.

sed -i 's/.*zend.*//g'

    sed is a stream editor, and the -i flag tells it to edit files “in place”, writing the result back over the original file as opposed to writing to standard output or another file name (use -i.bak instead and it keeps a copy of each original with a .bak suffix, which is worth doing the first time you run this against a live site). You’ll notice the ‘s/’, which is “substitute”: the part between the first two slashes is the search pattern, in this case .*zend.* (the whole of any line that contains “zend”), and what sits between the second and third slashes is the replacement, which here is nothing, so every matching line gets emptied out, e.g. the line is truncated. The closing ‘g’ means replace every match on a line, not just the first. One caveat: that pattern is blunt, it blanks ANY line with “zend” in it, injected or not, so have a look at what matches (grep will tell you) before letting sed loose.

And lastly the “*.php” specifies what file types we want to perform this command against.  In the full command it belongs to find, as -name '*.php', so that only PHP files get handed down the pipe (if you tack *.php onto the end of the sed command instead, the shell expands it in the current directory only, and find still feeds sed every file in the tree).  We could easily choose “*.htm”, or drop the -name altogether and hit everything.

xargs -0

     What exactly does this mean? xargs reads the list of file names arriving on standard input and tacks them onto the end of the command that follows it (sed, here) as arguments. The -0 tells it to expect the names separated by a ‘null’ (NUL) character rather than by whitespace, so a file name with a space or a newline in it doesn’t get chopped into pieces; it is always used in tandem with find’s -print0, as below.

find . -type f -name '*.php' -print0

   What is going on here is find walking the directory tree, initiating at the current directory of “.” and going down through every subdirectory.  “-type f” keeps it to regular files (no directories, symlinks and the like), “-name '*.php'” keeps it to the file names we care about (e.g. *.php), and “-print0” prints each matching path terminated by a NUL character instead of a newline, which is exactly what xargs -0 is waiting for on the other end of the pipe.  Note that find never looks inside the files; it only picks which ones get handed to sed.

How this basically sums up is: the system starts at a base directory and walks every subdirectory collecting the .php files; xargs hands each batch of those file names to sed; sed steps in, opens each one, blanks out any line containing the string of text (which in this case basically deletes it) and writes the file back in place.   It continues until find has run out of .php files.  What it does NOT do is tell you how that line got into every file in the first place, so once the files are clean you still need to find the door that was left open (and compare against a known-good backup if you have one).

Now, you’re not limited to using ‘sed’ for this, you could just as easily use “grep -Ev” to drop the lines for you (grep -v prints every line EXCEPT the ones that match, so you redirect its output to a new file and swap that in for the original), it really comes down to what you’re comfortable with and how you want to cut it.
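Here is the whole thing run end to end against a constructed sample tree, as an added example that is not from the original post: it creates a few throwaway files (the names index.php, sub/page.php, sub/legit.php and readme.txt are assumptions), previews which ones match, runs the pipeline, and shows that only the PHP files were touched, including the clean one that merely mentions “zend” legitimately.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway tree that
# mimics "a junk line at the top of every PHP file", preview which files would
# be touched, run the find/xargs/sed pipeline, then confirm that only *.php
# files changed. Every file here is constructed sample content. Needs GNU sed.
set -eu

make_sample_tree() {            # $1 = directory to create
    mkdir -p "$1/sub"
    junk='<?php /* zend-obfuscated junk would sit here */ ?>'
    printf '%s\n<?php echo "home"; ?>\n' "$junk" > "$1/index.php"
    printf '%s\n<?php echo "page"; ?>\n' "$junk" > "$1/sub/page.php"
    # Clean file whose only "zend" is legitimate: the blunt .*zend.* pattern
    # blanks this line too, which is why you preview with list_hits first.
    printf '<?php require "vendor/zendframework/autoload.php"; ?>\n' > "$1/sub/legit.php"
    # Non-PHP file with the same word: the -name filter must keep sed off it.
    printf 'notes that mention zend\n' > "$1/readme.txt"
}

# Read-only preview: which *.php files under $1 contain the string?
list_hits() {
    find "$1" -type f -name '*.php' -exec grep -l 'zend' {} + | sort
}

# The post's pipeline, with the *.php filter living in find so that xargs
# hands sed only PHP files (NUL-separated, so odd file names survive).
# Matching lines are emptied, not removed; use the sed script '/zend/d'
# to drop them entirely, or "sed -i.bak" to keep a copy of each original.
strip_zend_lines() {
    find "$1" -type f -name '*.php' -print0 | xargs -0 sed -i 's/.*zend.*//g'
}

# How many files (of any type) under $1 still contain the string?
count_files_with_zend() {
    find "$1" -type f -exec grep -l 'zend' {} + | wc -l | tr -d ' '
}

demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/site"
    echo "Would touch:"; list_hits "$tmp/site"
    strip_zend_lines "$tmp/site"
    echo "Files still containing zend: $(count_files_with_zend "$tmp/site")"
    rm -rf "$tmp"
}
demo
```

After the run, readme.txt is the only file that still contains the word, and legit.php has been reduced to a blank line, which is the collateral damage the preview step is there to catch.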

Hopefully the lesson here is… Here is a solution to a problem that some of you WILL suffer from in your life and hell, I can come back and use this again in the event that one of the sites I manage gets screwed up again.    Likewise, with a little effort you can use this to find and replace text in files in your environment, say modifying hosts files en masse or changing DNS in resolv.conf throughout your environment… Whatever floats your boat!

Special thanks to my twitter friends who tossed out VARIOUS ways to do this!   @Fr3d_org @davidchapa @cody_bunch

Hopefully you found this useful, I sure as hell did!

EMC and @lynxbat Present: A Chiropractor for your Virtual Machines

You ever notice how some of your VMs lean a little to the left, or a little to the right? No, of course, you don’t, that’s absolutely ridiculous! :)

But seriously, the matter of VM disk alignment is a very serious one which should not be ignored!    Up until this point the means of correcting it was driven around due diligence, and annoying steps to correct existing VMDK, VHD, etc. file types.   Well, through the power of UBERism, rockstar Nick Weaver has turned this problem on its side!

In his recent blog post, Straighten up with a new UBER tool : Presenting UBERAlign, he outlines, details and takes you through *everything*. Okay seriously, my first impression of this?   I saw this originally mentioned in an internal email announcing it, and as I read the highlights in the email I teared up a little bit (oddly, I’m doing it again!) Why? This is a seriously OMG moment for those of you who have suffered through this problem!   Don’t know whether you suffer from VM disk misalignment? Then chances are you do. It’s actually that simple ;)   If you know you’ve taken very specific steps to correct alignment, then and only then can you almost ‘ignore’ this, but still I encourage you to check it out!

UBERAlign - VM Disk Alignment by Nick Weaver @Lynxbat

Some of the highlights and features I’d like to mention! (Stolen directly from Nick’s blog post, so Nyah! ;))

  • Allows for fast alignment checking of virtual machines with detailed logging.
  • Can perform alignment to any offset you want. Even the crazy ones that you shouldn’t choose.
  • Works with both Windows 2000/XP/2003/2008 (NTFS) and Linux Distros (EXT2/EXT3/EXT4).
  • Is able to work on NTFS boot drives perfectly. It does this by rewriting NTFS Metadata (the right way).
  • Auto detects Windows 2008 and Windows 7 native installs (alignment not needed). Will not touch a System Reserved Partition (important for Windows 2008).
  • Preserves all Windows drive mapping (AFAIK only one to do so). This means no having to remap drive letters and complete support for non “C:\”system drives with some Windows builds (some Citrix stuff).
  • Doesn’t trash the NTFS and Boot mirrors like other tools.
  • Handles Primary and Extended partitions like it is no big deal on both Windows and Linux.
  • Has the ability to handle multiple disks for a VM.
  • Multiple disks + Multiple Partitions + Multiple types (primary, logical) + Multiple file systems (NTFS, EXT#) =  no problem
  • Also allows for optional Space Reclamation on both NTFS and Ext! That’s right: you can choose to do space reclamation at the same time as an alignment or as an option by itself. This means you can retrieve space no longer used on Thin VMs using UBERAlign.

AND OMG MORE MORE MORE MORE MORE MORE!!!!! Yea seriously!

This is the kind of tool which dreams are made of. Yes, those kind of dreams which often cost a serious amount of money to solve for a problem too! WOWMG FREE?!?! Yea baby. If I’m mistaken there, let me know.. :)

UBERAlign Console 1.1.1 – FTP

UBERAlign vAligner OVA (~500 MB) – FTP 

I highly encourage you check out the original blog post Straighten up with a new UBER tool : Presenting UBERAlign so you can get ALL the details including the videos walking through the use of the tool!    It’s pretty damn exciting, and quite a major epic scale accomplishment!   From Nick’s videos alone you can make walk-through screenshot tutorials on how to do things too! I would, but seriously! Just check out the videos.  If there is enough demand for it… I’ll do that, but hey, you’re lucky I’m writing a blog post in the first place! ;)

RichCopy under the covers – File Migrations exposed!

I’m sure by now you’ve read my introduction to RichCopy, Introducing RichCopy – your Robocopy replacement!  Well, today I spent some time doing speeds and feeds tests over numerous protocols in my lab environment.  I want to establish a disclaimer that this is in no way a reflection of the ‘speed’ you will get, or not get respectively – more that the sheer difference from single-threaded operation (re: xcopy, robocopy, rsync for Windows) will be infinitely improved when using this tool! Oh, and I’ll also go into some of the cool depth you can cover!

I ran a number of very small file copies (<4k file size files) in the 15,000 to 90,000 file range and got the following results!

Speeds and Feeds tests!

The specific items I want to call out here are: when doing a single-threaded copy (such as the CIFS job, which took 57:16 – well, frankly that is as close to a ‘robocopy’ or ‘xcopy’ as we’d get) and you compare it to slightly increasing the number of simultaneous threads – OMFG look at the results! The time is cut down by a lot! Imagine if that were your production data migration – Cutting that seriously by 1/6th or even more depending upon the workload! The same can be said if you have ‘changed’ data and it is looking to update only the changed blocks.  So much potential!  This particular host was a slooooow VM, which can somewhat explain why in general it was slow.  However the slowness is reflective across the board, so the 1/6th speed improvement is likely to be the same if not better in any other situation or circumstance!

I definitely encourage checking it out, as well as the numerous advanced features this tool offers.

These advanced features… I’m going to discuss in a few moments as well ;)

For those of you who are new to RichCopy – Honestly you can get by with the simplest of actions by simply modifying your thread numbers.  But if you want to get into the special details of it, let me reveal to you a number of VERY cool functions and features.  Oh and might I add, ADVANCED features that let you take it up a notch, not to mention the amazing HELP file too!

Starting with the mothership of all functions! The Advanced option! Which enables a whole series of new options when you go to your File Copy options!

Taking RichCopy to the Advanced! – File Copy Options – Process Control

The Process Control lets you really dive down into some functions such as your cache sizes and more! Really quite cool.  Though frankly, as I jump to the “Others” section, one of the coolest features is the fact that when you modify your options in the GUI, you are presented with your CLI parameters!

Command Line Parameters - CLI so cool!

Though don’t get me wrong, File Attributes, Error handling, inclusion and exclusions, FTP and other things themselves –are- quite cool!

File Attributes and Error Handling – Inclusion (Exclusion looks the same, so I didn't dup it!) – FTP, Other and more!

Though hands down, the most important part of this tool is the fact that it EXISTS, it is FREE and it is fricking COOL!   So, there’s no reason to sit idly by paying for SecureCopy, or watching your serial operations SLOWLY move by as you migrate data! Get out there, and play around with RichCopy today! It’ll make you wish you had this tool for the past 10 years like MS had!