A few days ago I found out I was invaded by a malicious script that has spread in all the index.php file , config.php and wp -config.php.
几天前,我发现我被所有index.php文件,config.php和wp -config.php中传播的恶意脚本入侵。
I tried to get a code and modify it to look for the files in the folders containing this script and delete it automatically.
我试图获取代码并对其进行修改以查找包含此脚本的文件夹中的文件并自动将其删除。
Unfortunately I did not succeed.
不幸的是我没有成功。
The code starts like this:
代码如下所示:
<?php $J24fj = 'bH1Vrb2sswS7fUn8HyCx.... AND MUCH MORE ?>
This code is always changing, but inside there is a constant: this text: ZXZhbChiYXNlNjRfZGVjb2RlKCJaW
这段代码总是在变化,但里面有一个常量:这个文本:ZXZhbChiYXNlNjRfZGVjb2RlKCJaW
I found this code, how can I change it to search for the constant and delete the entire row <?php ******* ?>
我找到了这段代码,如何更改它以搜索常量并删除整行
<?php
$find='ZXZhbChiYXNlNjRfZGVjb2RlKCJaW';
echo findString('./',$find);
function findString($path,$find){
$return='';
ob_start();
if ($handle = opendir($path)) {
while (false !== ($file = readdir($handle))) {
if ($file != "." && $file != "..") {
if(is_dir($path.'/'.$file)){
$sub=findString($path.'/'.$file,$find);
if(isset($sub)){
echo $sub.PHP_EOL;
}
}else{
$ext=substr(strtolower($file),-3);
if($ext=='php'){
$filesource=file_get_contents($path.'/'.$file);
//The cleaning bit
echo "The string '".htmlentities($find)."' was found in the file '$path/$file and has been removed from the source file.<br />";
$clean_source = preg_replace('#'.$find.'#','',$filesource);
// $clean_source = str_replace($find,'',$filesource);
file_put_contents($path.'/'.$file,$clean_source);
}else{
continue;
}
}
}
}
closedir($handle);
}
$return = ob_get_contents();
ob_end_clean();
return $return;
}
?>
Thanks in advance
提前致谢
Antonio
1 个解决方案
#1
0
Well something like
好吧
preg_replace('/(\<\?php .+?)(ZXZhbChiYXNlNjRfZGVjb2RlKCJaWZXZhbChiYXNlNjRfZGVjb2RlKCJaW)(.+? \?>)/' '',$filesource);
preg_replace('/(\ <\?php。+?)(ZXZhbChiYXNlNjRfZGVjb2RlKCJaWZXZhbChiYXNlNjRfZGVjb2RlKCJaW)(。+?\?>)/''',$ filesource);
should do the trick provided the opening and closing php tags are self-contained, i.e. do not contain any of your own code you wish to keep.
如果开放和关闭php标签是自包含的,即不包含你想保留的任何自己的代码,应该做的伎俩。
Note that preg_replace will work without copying the file's contents into a variable and then copying the new string into the $cleansource variable.
请注意,preg_replace无需将文件内容复制到变量中,然后将新字符串复制到$ cleansource变量中。
Also, you should be careful to make your changes before outputting a string saying that the code has been replaced!
此外,在输出表示代码已被替换的字符串之前,您应该小心进行更改!
#1
0
Well something like
好吧
preg_replace('/(\<\?php .+?)(ZXZhbChiYXNlNjRfZGVjb2RlKCJaWZXZhbChiYXNlNjRfZGVjb2RlKCJaW)(.+? \?>)/' '',$filesource);
preg_replace('/(\ <\?php。+?)(ZXZhbChiYXNlNjRfZGVjb2RlKCJaWZXZhbChiYXNlNjRfZGVjb2RlKCJaW)(。+?\?>)/''',$ filesource);
should do the trick provided the opening and closing php tags are self-contained, i.e. do not contain any of your own code you wish to keep.
如果开放和关闭php标签是自包含的,即不包含你想保留的任何自己的代码,应该做的伎俩。
Note that preg_replace will work without copying the file's contents into a variable and then copying the new string into the $cleansource variable.
请注意,preg_replace无需将文件内容复制到变量中,然后将新字符串复制到$ cleansource变量中。
Also, you should be careful to make your changes before outputting a string saying that the code has been replaced!
此外,在输出表示代码已被替换的字符串之前,您应该小心进行更改!