How to recursively remove text from hacked PHP files; or Reading the Man pages, being a man, and not dancing around the question

So you login to your website only to find OMG WE’VE BEEN HAXX0RED!@#!@! Which quite frankly sucks.   It could be any number of issues, but let’s say you suffer from the condition where someone has inserted some encrypted block of txt at the top of each PHP file to execute when you launch the files.

You can fix it, one by one but that’s annoying as all hell and lengthy… going into vi for each file, deleting the first line, rinse, repeat, AHHHH!!!!

So you search the internet with various phrases like “remove text from php file” “how to strip txt out of files” “recursively fix hacked php worpress” I mean the list can and DOES go on, but the point is you end up on Forums and blogs where people are like LET ME SHOW YOU HOW IT’S DONE, resulting in them basically telling you to read the Man Pages.  Hey douche-bag, be a MAN and tell me exactly what I need to do.  The time to ‘learn’ how to do it is all fine and dandy for AFTER I have the problem resolved!   It’d be like going to the Mechanic to get your car fixed and having him laugh at you for not knowing what is wrong, and not fixing it until you can explain how you’d fix it yourself.  Guess what, you’re a dick and this is not a time for a learning lesson!

This is a time for a learning lesson!

If you happen to find yourself in the position to needing to ‘strip’ an arbitrary string of information from one or more files, here’s a way to do it, with an explanation of what each line of this means!

find . -type f -print0 | xargs -0 sed -i ‘s/.*zend.*//g’ *.php

So, some of you may be wondering, “Well, crap that works! I fixed it! but what does it mean and how do I use this to my benefit in the future?!” Here is a breakdown of the syntax and some alternative selections you can choose, and I’ll be explaining it in ‘reverse’ because that’s sort of how it is executing.

sed -i ‘s/.*zend.*//g’ *.php

    sed is a stream editor which with the –i flag is telling the system to edit files “in place” saving out to the original file as opposed to saving to another file name or type. You’ll notice that it calls “’s/” which is to “substitute” the contents of the following which is a search string, in this case *zend.* and what follows the “/g’” helps you choose what to replace the contents with, and in this case, the content will be nothing, e.g. truncate the line.

And lastly the “*.php” at the end specifies on what file types we want to perform this command against.  We could easily choose “*.htm” or even “*”

xargs –0

     What exactly does this mean? Well, this tells the system to expect a ‘null’ character, this is often used in accord with find and –print0 as below

find . –type f –print0

   What is going on here, is the system is going ‘find’ based upon the parameters we specified in the other areas (e.g. *.php) initiating at the current directory of “.”   But then what we get is “-type f” basically tells the system to indicate that a host has been identified as having that ‘string’ of text to replace, and “-print0” will then print out what the “filename” was.

How this basically sums up is the system starting at a base directory starts searching through all subdirectories looking for files which have a certain string of text in them.  When it finds that string of text the print0 will tell xargs to print the name of the file which HAD the string of text.  With the filename identified then sed will step in an execute the ‘replacement’ of the string of text, which in this case basically deletes it.   It continues searching through the directory structure until it has exhausted the criteria of finding .php files which have the data in mind.

Now, you’re not limited to using ‘sed’ for this, you could just as easily run with using “grep –Ev” to find and replace the string of text for you, it really comes down to what you’re comfortable with and how you want to cut it.

Hopefully the lesson here is… Here is a solution to a problem that some of you WILL suffer from in your life and hell, I can go back to use this script again in the event that one of my sites I manage gets screwed up again.    Respectively with a little effort you can use this to find and replace text in files in your environment, say modifying host files en-masse or changing DNS in resolv.conf throughout your environment… Whatever floats your boat!

Special thanks to my twitter friends who tossed out VARIOUS ways to do this!   @Fr3d_org @davidchapa @cody_bunch

Hopefully you found this useful, I sure as hell did!