-3

Possible Duplicate:
My server's been hacked EMERGENCY

Hello, my whole site got hacked, possibly by a WordPress exploit. I am in a hurry to explain in detail, but PLEASE do me a favor and look at the following site:

http://download.lacaterinca.com/ninoplas-or-cechriecom-base64-virus-on-wordpress-and-all-php-files-how-to-remove-via-ssh-godaddy/

In there it says at some point:

Now, you have to type in the following to get to your folder where you have your html/php files and all the installations (don’t forget to hit enter after):

cd html

You almost cleaned up your website. The following code has to be copy pasted into the PUTTY window:

find . -type f -name "*.php" -exec sed -i '/base64_decode/d' {} \;

For pasting into the PUTTY window, just press right click where you should insert the code. (The code here is searching all the php files for the base64_decode tag and if it finds it, then it removes it together with the entire malware code. This will check all files and folders under the one you have accessed earlier, in this case the “html” folder which is the root of your files)

Can someone tell me if the explanation of this guy is true?

find . -type f -name "*.php" -exec sed -i '/base64_decode/d' {} \;

Is the above command safe? Will it edit the infected files or just remove them altogether?

THANKS for any replies.

UPDATE: Unfortunately the command deleted the whole line where the base64_encode line was. The problem is that this line also contained the opening <?php tag of the file! So right now, all my index.php pages (only index.php was infected) display all the code instead of executing it :( Is it possible to run another command that adds the <?php tag in every index.php that does not begin with "any number of white space<?php"?

UPDATE 2: Thanks for anyone who answered. Also congrats to everyone who downvoted a person for not taking the proper action while in panic mode. Good luck if it happens to your site...

fractalbit
    Should be safe, but I wouldn't trust it to remove an infection completely. Restore from your non-infected backup or set it up again. – slhck May 07 '11 at 12:33
  • Thank you very much slhck. The website is very large and I believe the infection cause was a WordPress installation (when a certain module was installed, all hell broke loose). What I am thinking is: restore a clean backup of the WordPress installation and then run the command above. At least I want to try before I restore the whole 300GB of the whole site and also lose recent messages in a very active forum etc... –  May 07 '11 at 12:39
  • From the link you posted it seems that only Wordpress is the cause. You can remove these lines with `sed` but then I'd strongly advise you to update Wordpress to the latest release available. – slhck May 07 '11 at 12:48
  • Unfortunately the command deleted the whole line where the base64_encode line was. The problem is that this line also contained the opening –  May 07 '11 at 13:58
  • This is what happens when you try to do major surgery in a panic. Yes, you can run a command that adds the ` –  May 07 '11 at 14:53
  • Well the page said nothing about it deleting php statements, but I'd suggest just going through all index pages manually. – slhck May 07 '11 at 15:07
  • @slhck: That sed command deletes the entire line. –  May 07 '11 at 16:44
  • As you've discovered, it is best to test things out non-destructively, or (if you must do it destructively) with a backup. Actually, the backup is a good idea regardless. The search pattern also deletes lines that contain names such as `not_base64_decoded_yet`, which is probably not what was intended. The removal script was written without sufficient forethought, and applied without sufficient forethought. – Jonathan Leffler May 07 '11 at 17:56

2 Answers

12

What the heck, people? "my whole site got hacked" = Nuke it from orbit and restore from backup.

If you really want to, keep a backup copy and investigate it for evidence of how they got in and how to prevent the same thing from happening again. Do not run anything on the machine; get it offline as quick as possible.

Chris S
1

It's too late now, but consider using the optional backup extension to sed's -i in the future: sed -i.bak ... saves a backup file with .bak as its extension.

That said, I think this may be what you need now:

sed -i.bak '1s/^[ \t]*<?php//; 1s/^/<?php /' file.php

This first deletes the <?php if it's there and then inserts <?php. It should be functionally equivalent to inserting it only if it's not there already.

Eduardo Ivanec
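
The failure mode from the question (the whole line goes, opening tag included, and the pattern also hits identifiers such as not_base64_decoded_yet) together with the repair from this answer, as an added shell example that is not from the original page, the linked guide, or either answerer. It builds a throwaway directory of constructed sample files (the base64 blob is a placeholder, not malware), lists the files that mention base64_decode before anything is deleted, runs the guide's find/sed command with the -i.bak suffix recommended above, then prepends <?php only to index.php files whose first line no longer starts with it. The function names, directory layout and file contents are assumptions made for the demo.

```sh
#!/bin/sh
# Added example (not from the original page). Reproduces what
#   find . -type f -name "*.php" -exec sed -i '/base64_decode/d' {} \;
# does to a constructed WordPress-style tree, then repairs the files whose
# opening <?php tag was deleted along with the injected line.
set -eu

# Build a throwaway tree of constructed sample files (assumption: the real
# site looks roughly like this; the base64 blob is a placeholder, not malware).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/blog" "$dir/forum"
    # Injected loader glued onto the same line as the original opening tag,
    # which is the layout the asker ran into.
    printf '%s\n' \
        '<?php eval(base64_decode("cGxhY2Vob2xkZXI=")); ?><?php' \
        'echo "site index";' > "$dir/index.php"
    # Clean file that only mentions the function name inside an identifier:
    # '/base64_decode/d' deletes this line too (the false positive from the comments).
    printf '%s\n' \
        '<?php' \
        '$not_base64_decoded_yet = $payload;' \
        'echo "forum";' > "$dir/forum/index.php"
    printf '%s\n' '<?php' 'echo "blog";' > "$dir/blog/index.php"
    echo "$dir"
}

# Step 1: look before deleting. Prints every .php file the sed command would touch.
list_infected() {
    find "$1" -type f -name '*.php' -exec grep -l 'base64_decode' {} \;
}

# Step 2: the command from the linked guide, with the -i.bak suffix from the
# answer above so every modified file keeps a copy. Works with GNU and BSD sed.
destructive_cleanup() {
    find "$1" -type f -name '*.php' -exec sed -i.bak '/base64_decode/d' {} \;
}

# Step 3: index.php files whose first line no longer starts with optional
# whitespace followed by <?php (the asker's symptom).
files_missing_open_tag() {
    find "$1" -type f -name 'index.php' -exec sh -c '
        head -n 1 "$1" | grep -q "^[[:space:]]*<?php" || printf "%s\n" "$1"' sh {} \;
}

# Step 4: prepend an opening tag on its own line, keeping a copy of the damaged file.
repair_open_tag() {
    f=$1
    cp "$f" "$f.pre-repair"
    { printf '<?php\n'; cat "$f.pre-repair"; } > "$f"
}

repair_all() {
    files_missing_open_tag "$1" | while IFS= read -r f; do
        repair_open_tag "$f"
    done
}

# Walk-through when run as a script.
SITE=$(make_sample_tree)
echo "== files that mention base64_decode (review this before deleting anything) =="
list_infected "$SITE"
destructive_cleanup "$SITE"
echo "== after '/base64_decode/d': index.php files with no opening tag =="
files_missing_open_tag "$SITE"
echo "== forum/index.php also lost a legitimate line =="
cat "$SITE/forum/index.php"
repair_all "$SITE"
echo "== index.php after repair =="
cat "$SITE/index.php"
rm -rf "$SITE"
```

Running it with sh prints the list of files that would be hit, shows that forum/index.php loses a harmless line and that index.php loses its opening tag, and then shows index.php restored. On a real tree, check each repaired file with php -l where the PHP CLI is available, and treat the whole thing as triage: as the first answer says, the site still needs to be restored from a clean backup and WordPress updated.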