MohamedGamil/infectedFiles.md

Forked from frosit/infectedFiles.md

Created August 24, 2022 11:18

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/MohamedGamil/8709e76c4ae5a3f614506e9ce36e0053.js"></script>
Save MohamedGamil/8709e76c4ae5a3f614506e9ce36e0053 to your computer and use it in GitHub Desktop.

Download ZIP

Some commands for finding and clearing infected PHP files

Raw

infectedFiles.md

Finding infected files with following bash commands

** Command to list all infected files:

grep -lr --include=*.php "eval(base64_decode" /path/to/webroot
grep -lr --include=*.php "eval" .
grep -lr --include=*.php "base64" .

Command to remove malicious code:

grep -lr --include=*.php "eval(base64_decode" /path/to/webroot | xargs sed -i.bak 's/<?php eval(base64_decode[^;]*;/<?php\n/g'
grep -lr --include=*.php "eval(base64_decode" /path/to/webroot | xargs sed -i.bak '/eval(base64_decode*/d'

Trying to avoid re-appearance of this code injection

find /path/to/webroot -name "wp-phpmyadmin" -type d | xargs rm -rf

Missing `<?php` tag in the beginning:

find /var/www/ -name "index.php" | grep "/htdocs/index.php" | xargs grep -L "<?php" | xargs sed -i "1s/^/<?php \n/"

Extra Newlines at the top!

find . -name '*.php' -exec sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' '{}' \;
find -name '*_input*' | xargs rm -rf

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment