Possible Duplicate:
My server's been hacked EMERGENCY

My PHP-based website got infected with malware, which added something like this in the code:

<?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWh));

Now I want to replace everything from "eval(" to its ending braces "));" with a space, or delete all those occurrences, either with sed or other tools.

I have tried this:

sed 's/eval\*/ /g' code.php

But it's not working.

What can be its solution?

Thanks in advance.

Farhan
  • If you get infected with malware, don't try to "clean" it. Start over from a backup. Also, just editing this stuff out will last a few minutes or hours before the attacker does it all over again. Find the root cause and make sure it can't happen again on the newly installed machine – Sven Mar 15 '12 at 08:45
  • @SvenW: I had backups, but they were old, so the only way is to replace the text. And I have found the root cause and fixed it; now I just need to clean the code. – Farhan Mar 15 '12 at 08:48
  • IMO, 'the backups were too old' is not a valid answer to solving the problem. Never trust a compromised site/server. You do not know what else got changed. Take your old backups, and edit the code from there. Learn from this experience. Your only way is a dangerous one, because you don't want to put time in it. – Lucas Kauffman Mar 15 '12 at 08:50
  • @LucasKauffman I am already aware of the dangers of what I am doing; I cannot tell everything in detail. – Farhan Mar 15 '12 at 08:52

1 Answer

As SvenW says, the only real solution to this is to reinstall from a known good backup. You could try

sed 's/eval(.*);//' code.php

which given your input produces

<?php

But you don't know what damage has been done to the system, so nuke it from orbit and restore from a known good backup - it's the only way to be sure.

user9517
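A narrower variant of the substitution above, as an added example that is not part of the original answer: the greedy `eval(.*);` deletes everything up to the last `);` on a line, including legitimate code after the injection, so this version matches only the `eval(base64_decode("..."));` call itself and copies each original to a backup directory outside the scanned tree before rewriting. The function names, backup layout and sample files are assumptions constructed for illustration; GNU grep and sed are assumed.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes GNU grep and GNU sed.

# Matches only: eval(base64_decode("<base64 characters>"));
# Optional whitespace and either quote style are allowed; nothing else is matched.
Q="[\"']"
S='[[:space:]]*'
INJECT_RE="eval${S}\\(${S}base64_decode${S}\\(${S}${Q}[A-Za-z0-9+/=]*${Q}${S}\\)${S}\\)${S};"

# list_infected DIR: print the PHP files under DIR that contain the injected call.
list_infected() {
    grep -rlE --include='*.php' -e "$INJECT_RE" "$1"
}

# strip_injection FILE: write FILE to stdout with the injected call removed.
# '#' is the sed delimiter because the pattern itself contains '/'.
strip_injection() {
    sed -E "s#${INJECT_RE}##g" "$1"
}

# clean_tree DIR BACKUP: copy each infected file to BACKUP (keep it outside the
# web root so the copy can never be served), then rewrite the file in place.
clean_tree() {
    list_infected "$1" | while IFS= read -r f; do
        mkdir -p "$2/$(dirname "$f")"
        cp -p "$f" "$2/$f"
        strip_injection "$2/$f" > "$f"
    done
}

# make_sample DIR: constructed test data; the payload decodes to "ABCDEFG".
make_sample() {
    printf '%s\n' '<?php eval(base64_decode("QUJDREVGRw==")); include("header.php"); ?>' > "$1/index.php"
    printf '%s\n' '<?php echo "clean"; ?>' > "$1/about.php"
}

# Run with --demo to see the detection and the cleaned line on the sample.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample "$d"
    list_infected "$d"
    strip_injection "$d/index.php"
fi
```

Files that `list_infected` still reports after cleaning, or that differ from the backup in more than the removed call, need manual review.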