2

On my server spamming files are uploaded , which start with 

<?php ${"\x47\x4cO\x42A\x4c\x53"}["cgw\x71\x77\x77\x64\x79q"]

I'm trying to find all files on server which is having above string and delete the file. For that I'm using following command. 

 find . | xargs grep -l -r '<?php ${/"\x47\x4cO\x42A\x4c\x53/"}' /home/ | awk '{print "rm "$1}' > doit.sh

But seems it is not working. Anyone have suggestion for command so that i can delete all this malicious file.

SSK
  • 123
  • 2
  • You haven't specified where the files are uploaded (and your find command starts in the current directory so this is crucial). It's also worth noting that you should be looking at how these supposedly malicious uploads are being allowed. – BE77Y Feb 12 '15 at 11:35
  • grep -l -r ' – SSK Feb 12 '15 at 11:47
  • The above command used to find string – SSK Feb 12 '15 at 11:48

1 Answers1

2

It'd be good to know the OS (Linux? Which Distro?). But this one will probably work on most them:

fgrep -rl '<?php ${"\x47\x4cO\x42A\x4c\x53"}["cgw\x71\x77\x77\x64\x79q"]' * |xargs echo rm

I also agree with BE77Y, you should look into how these files are appearing on your server.

Gustavo Maia
  • 391
  • 1
  • 4
  • umm this command is not working – SSK Feb 12 '15 at 12:36
  • 1
    fgrep and xargs do what you asked, instead of find, grep (without the `-F` flag), awk and a file with bash commands in it - in what way does it "not working", be more specific. – AD7six Feb 12 '15 at 13:02
  • 1
    Forgot to note that you should be in the parent directory of where you expect to find these files (probably your DocumentRoot). Also note that this will only print the rm command to STDOUT, not actually execute it (good practice to not execute out of xargs before you're sure it'll do what you want it to do). You could copy/paste it or remove the `echo` and run it again to actually execute. – Gustavo Maia Feb 12 '15 at 13:09
  • this is dangerous, very dangerous. Because you pipe what was found to xargs and delimiter is ' ' rather than null specially crafted file path can lead to deleting unwanted files. – Hrvoje Špoljar Feb 12 '15 at 14:50
  • You mean filenames with spaces or something like that? – Gustavo Maia Feb 12 '15 at 14:54