douyi9705 2017-02-16 18:38

Delete a long string with sed

One of my sites got infected with some malicious code. The code is only added to the first line of all PHP files and is as follows:

<?php $ulhmjwklj = '#-#O#-#N# .......xqxe-1; ?> /*BEGIN LEGIT CODE HERE*/ <?php....

The malicious code is thousands of characters long with lots of special characters and spacing, so I tried creating a script to remove it:

for i in $(find . -name \*.php); do
  sed -i -E "s/<\?php\s$ulhmjwklj.*\?>//" $i;
  echo $i;
done;

This sed command will correctly remove the malicious code while leaving legitimate code on the first line, but then in all subsequent lines it removes all <?php ... ?> tags. So I tried altering the sed command to only search/replace on the first line:

for i in $(find . -name \*.php); do
  sed -i -E "1s/<\?php\s$ulhmjwklj.*\?>//" $i;
done;

Now the sed command will only run on the first line of each file, but it also removes any legitimate PHP tags which are appended to the first line directly after the malicious code.

Can someone please explain where I'm going wrong here?


1 answer

  • dtqqq24248 2017-02-16 19:04

    The results of find should not be put through a loop. And, as I mentioned in the comments, $ is a special character for both Bash and a regular expression so has to be dealt with appropriately.

    Finally, as jm666 mentioned in comments, .* is greedy, so .*? limits the search to be as small as possible. But this won't work in sed so we need to use perl instead:

    find . -name '*.php' -print -exec perl -p -i -e 's/<\?php \$ulhmjwklj.*?\?>//' {} \;
    
    This answer was selected by the asker as the best answer.
