0

A website I'm hosting on my dedicated server has been hacked. Some pictures have been infected with things like `<?php eval(base64_decode(....));?>`. I'm looking for a generic shell command which would be able to read the headers of the most common image types (jpg, gif, tiff, etc.).

I tried jhead and others, but jhead can only read EXIF data from JPG.

The aim is to find all infected images like this:

find -type f \( -iname "*jpg" -or -iname "*.jpeg" -or ... \) -exec sh -c 'magicimgheadersdisplay "{}" | grep eval' \;
Fox

2 Answers

2

strings will display any printable bits it finds in a file. From there you can feed it into grep to find text within.

Ignacio Vazquez-Abrams
0

grep -l can be used to report infected files. Try a command like

find -type f \( -iname "*jpg" -or -iname "*.jpeg" -or ... \) -print0 | xargs -0 grep -l '<?php eval(base64_decode'

The -print0 and -0 arguments allow filenames and paths to contain spaces.

BillThor
  • Thank you very much. It's what I wanted! I succeeded in building my final command with your answer: `view -M "+set grepprg=grep\ -an\ \$*\ /dev/null" "+call setqflist([])" "+silent! bufdo silent! grepadd! eval %" "+cw" $(find -type f \( -iname "*.jpg" -or -iname "*.jpeg" -or -iname "*.gif" -or -iname "*.tiff" -or -iname "*.png" \) -print0 | xargs -0 grep -l 'eval')` – Fox Jul 06 '13 at 02:44
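
A scan along the lines of the answers above, as an added example that is not part of the original thread: it lists image-named files that contain PHP markers and, going one step beyond the answers, flags files whose first bytes are not a JPEG, PNG, GIF or TIFF signature. The function names and the `PHP`/`NOTIMG` labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Names and labels are this example's own.

# Print the first 4 bytes of a file as lowercase hex, e.g. "ffd8ffe0".
magic_hex() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Succeed when the leading bytes are a JPEG, PNG, GIF or TIFF signature.
is_image_magic() {
    case $(magic_hex "$1") in
        ffd8ff*|89504e47|47494638|49492a00|4d4d002a) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk DIR (default: current directory) and print one line per suspect file:
#   PHP<TAB>path     file contains a PHP open tag or eval(base64_decode
#   NOTIMG<TAB>path  image extension, but no image signature at offset 0
# -F: patterns are fixed strings; -i: ignore case; -q: stop at first match.
# Paths are read line by line, so spaces are fine but newlines in names are not.
scan_images() {
    find "${1:-.}" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
        -o -iname '*.gif' -o -iname '*.png' \
        -o -iname '*.tif' -o -iname '*.tiff' \) -print |
    while IFS= read -r f; do
        if grep -qiF -e '<?php' -e 'eval(base64_decode' -- "$f"; then
            printf 'PHP\t%s\n' "$f"
        elif ! is_image_magic "$f"; then
            printf 'NOTIMG\t%s\n' "$f"
        fi
    done
}

# Run a scan only when a directory is given, e.g.: sh scan.sh /var/www
if [ "$#" -gt 0 ]; then
    scan_images "$1"
fi
```

A `PHP` line for a file with a valid image signature corresponds to the case in the question; `NOTIMG` covers a file that carries an image extension without being an image at all.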