0

I have malicious code in every PHP file. This malicious code is automatically pasted at the beginning of each file. I want to remove it with a UNIX command from the console.

This is malicious code:

<?php $guobywgpku = '..... u=$bhpegpvvmc-1; ?>

I wrote this RegExp,

"/<\?php \$guobywgpku.*\?>/m" 

and this RegExp works. I tested it here.

The problem is writing a command which removes this malicious code from every PHP file on the server. Please help me.

Now I have something like this.

sed "/<\?php \$guobywgpku.*\?>/m" index.php
Tero Kilkanen
EliaszKubala
  • Are you doing this as an exercise to improve your command line skills or because you want to clean up the compromise? Because `rm -rf` and downloading WordPress again is easier and more reliable. – Ladadadada Aug 18 '14 at 06:40
  • If you have been compromised, the only way to remove all traces of the event is to wipe the server. It's very dangerous to assume that you've identified all changes that have been made to the server. – Andrew B Aug 18 '14 at 06:43

1 Answer

-1

Something like this?

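#!/bin/bash
# "maliciouscode" is a placeholder for a pattern that matches the injected code.
for file in /wordpress/path/*.php
do
    # -i.bak edits the file in place and keeps the original as "$file.bak";
    # without -i, sed only prints the result and leaves the file unchanged.
    sed -i.bak 's/maliciouscode//g' "$file"
done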

Not tested ;-)

Put this in a file (e.g. remove.sh) and make it executable (chmod 755 remove.sh). Then execute with ./remove.sh

Make sure you have a backup of your data and declared your variable with the malicious code.

But it would be recommended to reinstall your server.

Vince
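A recursive variant of the clean-up discussed in this thread, as an added example that is not the asker's or the answerer's code. It assumes the injected block sits entirely on line 1, starts with `<?php $guobywgpku` and ends at the first `?>` on that line; `clean_tree`, `MARKER` and the backup directory argument are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the page. Assumptions: the injected block sits
# entirely on line 1, starts with "<?php $guobywgpku" and ends at the first
# "?>" on that line. MARKER is the variable name shown in the question.
MARKER='$guobywgpku'

# clean_tree ROOT BACKUP_DIR: prints the path of every file it cleaned.
# BACKUP_DIR should be outside the web root. The ( ) body keeps variables local.
clean_tree() (
    root=$1 backup=$2 prefix="<?php $MARKER"
    mkdir -p "$backup" || exit 1
    # Recurse through subdirectories (paths containing newlines are not handled)
    find "$root" -type f -name '*.php' | while IFS= read -r file; do
        first=
        IFS= read -r first < "$file" || [ -n "$first" ] || continue
        # Literal prefix match: no regex escaping of "?" or "$" to get wrong
        case $first in
            "$prefix"*'?>'*) ;;
            *) continue ;;
        esac
        # Keep the infected original for later analysis
        mkdir -p "$backup/$(dirname "$file")" &&
        cp -p "$file" "$backup/$file" || continue
        tmp=$(mktemp) || continue
        # Line 1 only: drop everything through the first "?>"; keep whatever
        # legitimate code followed it, and drop the line if nothing is left.
        if awk 'NR == 1 { rest = substr($0, index($0, "?>") + 2)
                          if (rest != "") print rest
                          next }
                { print }' "$file" > "$tmp"; then
            cat "$tmp" > "$file"    # rewrite contents, keep owner and mode
            printf '%s\n' "$file"
        fi
        rm -f "$tmp"
    done
)
```

Running `php -l` on each path the function prints confirms the cleaned file still parses, and the copies under the backup directory preserve the injected code for analysis.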