2017-02-16 18:38 阅读 142


One of my sites got infected with some malicious code. The code is only added to the first line of all PHP files and is as follows:

<?php $ulhmjwklj = '#-#O#-#N# .......xqxe-1; ?> /*BEGIN LEGIT CODE HERE*/ <?php....

The malicious code is thousands of characters long with lots of special characters and spacing, so I tried creating a script to remove it:

for i in $(find . -name \*.php); do
  sed -i -E "s/<\?php\s$ulhmjwklj.*\?>//" $i;
  echo $i;

This sed command will correctly remove the malicious code while leaving legitimate code on the first line, but then in all subsequent lines it removes all <?php ... ?> tags. So I tried altering the sed command to only search/replace on the first line:

for i in $(find . -name \*.php); do
  sed -i -E "1s/<\?php\s$ulhmjwklj.*\?>//" $i;

Now the sed command will only run on the first line of each file, but it also removes any legitimate PHP tags which are appended to the first line directly after the malicious code.

Can someone please explain where I'm going wrong here?

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享

1条回答 默认 最新

  • 已采纳
    dtqqq24248 dtqqq24248 2017-02-16 19:04

    The results of find should not be put through a loop. And, as I mentioned in the comments, $ is a special character for both Bash and a regular expression so has to be dealt with appropriately.

    Finally, as jm666 mentioned in comments, .* is greedy, so .*? limits the search to be as small as possible. But this won't work in sed so we need to use perl instead:

    find . -name '*.php' -print -exec perl -p -i -e 's/<\?php \$ulhmjwklj.*?\?>//' {} \;
    点赞 评论 复制链接分享