pforret · June 6, 2020 10:12
diff --git a/clean_trojan_php.sh b/clean_trojan_php.sh
 #!/bin/bash
 # updated in 2020 because my bash skills were not that sophisticated in 2012
 LIST=/tmp/LIST.TROJANS.$(date '+%Y%m%d').txt
 PATT="eval(base64_decode"
 REGEX="eval\(base64_decode"

 if [[ ! -s "$LIST" ]] ; then
  # find all infected php files and put them in $LIST file
  grep -l -R --include=*.php "$PATT" * > "$LIST"
 fi
 wc -l "$LIST"

 for INPUT in `cat $LIST` ; do
  TEMP="$INPUT.tmp"
  BAD="$INPUT.hacked"
  < "$INPUT" awk 'NR == 1 { gsub(/^<\?php.*><\?php/,"<?php"); print $0 } NR > 1 {print $0}' > "$TEMP"
  mv $INPUT $BAD && mv $TEMP $INPUT
 done
	#!/bin/bash
	# updated in 2020 because my bash skills were not that sophisticated in 2012
	LIST=/tmp/LIST.TROJANS.$(date '+%Y%m%d').txt
	PATT="eval(base64_decode"
	REGEX="eval\(base64_decode"

	if [[ ! -s "$LIST" ]] ; then
	# find all infected php files and put them in $LIST file
	grep -l -R --include=.php "$PATT" > "$LIST"
	fi
	wc -l "$LIST"

	for INPUT in `cat $LIST` ; do
	TEMP="$INPUT.tmp"
	BAD="$INPUT.hacked"
	< "$INPUT" awk 'NR == 1 { gsub(/^<\?php.*><\?php/,"<?php"); print $0 } NR > 1 {print $0}' > "$TEMP"
	mv $INPUT $BAD && mv $TEMP $INPUT
	done