christoph-jerolimov · May 6, 2012 15:27
diff --git a/fixit.sh b/fixit.sh
 #!/bin/bash
 #
 # Copyright 2012 Christoph Jerolimov, Dominik Schilling
 #
 #   0) No, i did not developed this for myself/my server. ;-)
 #   1) I strongly recommend you to reinstall all your server software,
 #   inclusive the whole operating system like linux, unix, etc. If you
 #   use a web hosting service, backup your data and request your
 #   provider for a fresh system. If this is not possible feel free to
 #   try this script.
 #   2) But before fixing your php files it's absolutely recommended to
 #   change all your server passwords, update your software and re-check
 #   all security settings!
 #   3) After that, use this small script to recognize infected php files
 #   and remove all „illegal“ parts of them!
 #   4) Notice that this script may, but this is an incredibly case,
 #   damage correct parts of your php files.
 #
 # Copyleft / NOTICE
 #
 #   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 #   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 #   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 #   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 #   COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 #   INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 #   BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 #   LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 #   CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 #   STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 #   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 #   OF THE POSSIBILITY OF SUCH DAMAGE.

 IFS=`echo -en "\n\b"`

 echo >&2
 head -n 32 $0 | tail -n 30 | sed 's/^#/ /' >&2
 echo >&2

 if [ "$1" = "--search" ]
 then
 	echo "search infected files in" `pwd` >&2
 	grep '[0-9a-fA-F]\{32\}_on' -r . -ls | grep 'php$'

 elif [ "$1" = "--fix" ]
 then
 	echo "search infected files and try to fix them in" `pwd` >&2
 	for i in `grep '[0-9a-fA-F]\{32\}_on' -r . -ls | grep 'php$' | grep -v 'infected$'`
 	do
 		echo fix "$i"
 		mv "$i" "$i.infected"
 		cat "$i.infected" | sed 's/[0-9a-fA-F]\{32\}_on.*[0-9a-fA-F]\{32\}_off//g' > "$i"
 	done

 elif [ "$1" = "--removebackup" ]
 then
 	echo "remove all infected BACKUP (.infected) files in" `pwd` >&2
 	grep '[0-9a-fA-F]\{32\}_on' -r . -ls --null | xargs -0 -n 1 echo | grep 'php.infected$' --null | xargs -0 rm -vf

 elif [ "$1" = "--removeall" ]
 then
 	echo "remove ALL infected files in" `pwd` >&2
 	grep '[0-9a-fA-F]\{32\}_on' -r . -ls --null | xargs -0 -n 1 echo | grep '\(php\|php.infected\)$' --null | xargs -0 rm -vf

 else
 	echo >&2
 	echo "  Usage, sorry no --help:" >&2
 	echo >&2
 	echo "    $0 [--search|--fix|--removebackup|--removeall]" >&2
 	echo >&2
 fi
	#!/bin/bash
	#
	# Copyright 2012 Christoph Jerolimov, Dominik Schilling
	#
	# 0) No, i did not developed this for myself/my server. ;-)
	# 1) I strongly recommend you to reinstall all your server software,
	# inclusive the whole operating system like linux, unix, etc. If you
	# use a web hosting service, backup your data and request your
	# provider for a fresh system. If this is not possible feel free to
	# try this script.
	# 2) But before fixing your php files it's absolutely recommended to
	# change all your server passwords, update your software and re-check
	# all security settings!
	# 3) After that, use this small script to recognize infected php files
	# and remove all „illegal“ parts of them!
	# 4) Notice that this script may, but this is an incredibly case,
	# damage correct parts of your php files.
	#
	# Copyleft / NOTICE
	#
	# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
	# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
	# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	# OF THE POSSIBILITY OF SUCH DAMAGE.

	IFS=`echo -en "\n\b"`

	echo >&2
	head -n 32 $0 \| tail -n 30 \| sed 's/^#/ /' >&2
	echo >&2

	if [ "$1" = "--search" ]
	then
	echo "search infected files in" `pwd` >&2
	grep '[0-9a-fA-F]\{32\}_on' -r . -ls \| grep 'php$'

	elif [ "$1" = "--fix" ]
	then
	echo "search infected files and try to fix them in" `pwd` >&2
	for i in `grep '[0-9a-fA-F]\{32\}_on' -r . -ls \| grep 'php$' \| grep -v 'infected$'`
	do
	echo fix "$i"
	mv "$i" "$i.infected"
	cat "$i.infected" \| sed 's/[0-9a-fA-F]\{32\}_on.*[0-9a-fA-F]\{32\}_off//g' > "$i"
	done

	elif [ "$1" = "--removebackup" ]
	then
	echo "remove all infected BACKUP (.infected) files in" `pwd` >&2
	grep '[0-9a-fA-F]\{32\}_on' -r . -ls --null \| xargs -0 -n 1 echo \| grep 'php.infected$' --null \| xargs -0 rm -vf

	elif [ "$1" = "--removeall" ]
	then
	echo "remove ALL infected files in" `pwd` >&2
	grep '[0-9a-fA-F]\{32\}_on' -r . -ls --null \| xargs -0 -n 1 echo \| grep '\(php\\|php.infected\)$' --null \| xargs -0 rm -vf

	else
	echo >&2
	echo " Usage, sorry no --help:" >&2
	echo >&2
	echo " $0 [--search\|--fix\|--removebackup\|--removeall]" >&2
	echo >&2
	fi