chrislovessushi

Reputation: 103

Mass removal of malicious line from php files

This was addressed briefly here: Removing a string in a PHP file with Start and End, but I'm looking for a solution to the same code. The first line of every PHP file on the server begins with <?php if(!isset($GLOBALS[ and ends with -1; ?>, and in the middle is a long string of code that varies from file to file.

I'm trying to come up with a script to remove this line from all files. I'm running into the same wall as the guy in the previous post.

Using:

sed -e '1 s/^<\?php if(!isset($GLOBALS\[.*-1; \?>//' *.php

in a UNIX environment prints the PHP file without the code, but does not save it. What am I missing?

Upvotes: 1

Views: 2036

Answers (3)

gmarintes

Reputation: 1308

Use sed's -i option, so that sed modifies the PHP files.

-i[SUFFIX], --in-place[=SUFFIX]
edit files in place (makes backup if extension supplied)

The [SUFFIX] part is optional but some sed implementations require you to provide it.

In your case, you could try this:

sed -i.bak 's/^<\?php if(!isset($GLOBALS\[.*-1; \?>//' *.php

Read man sed for more info.

Upvotes: 1

Paul Rigney

Reputation: 21

I wrote a script to clean all files in all directories and subdirectories. I recommend you back up first. This is done from inside the shell.

First, create a file called fixmacro in your home directory and add the following 2 lines to it:

:1/ua=strtolower/s/^.*<?php$/<?php/
:wq

Next, from the directory where the infected files are, or from your home directory, run the following command:

find . -name '*.php' -exec vi -s ~/fixmacro {} \;

This will go to every PHP file, look for the infected lines and remove them. If there are no infected files, it resaves the file with no changes.

Upvotes: 2

chrislovessushi

Reputation: 103

Got it working, thanks for the advice on using -i. The working command is: sed -i.bak 's/^<\?php if(!isset($GLOBALS\[.*-1; \?>//' *.php

Upvotes: 0
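
A recursive, backup-first variant of the cleanup discussed in the answers above, as an added example (not code from any of the posters). The function names and the .infected backup suffix are assumptions; the signature is the one quoted in the question, written with an unescaped ? so that it is matched literally by both GNU and BSD sed.

```shell
#!/bin/sh
# Added example: strip the injected first-line block from PHP files, recursively.
# Signature from the question: line 1 starts with '<?php if(!isset($GLOBALS['
# and the injected block ends with '-1; ?>'. In a POSIX basic regex an
# unescaped ? and a mid-pattern $ are literal, so this matches on GNU and BSD.
SIG='^<?php if(!isset($GLOBALS\[.*-1; ?>'

# clean_file FILE: returns 0 if cleaned, 1 if line 1 has no signature, 2 on error.
clean_file() {
    f=$1
    # Leave files alone unless their first line carries the signature.
    head -n 1 "$f" | grep -q "$SIG" || return 1
    # Keep the infected original (mode and timestamps intact) for later analysis.
    cp -p "$f" "$f.infected" || return 2
    # Address 1 limits the substitution to the first line. Redirecting into
    # the existing file avoids the non-portable -i and keeps its permissions.
    sed "1 s/$SIG//" "$f.infected" > "$f" || return 2
}

# clean_tree DIR: clean every *.php below DIR and print how many were changed.
clean_tree() {
    root=$1
    cleaned=0
    list=$(mktemp) || return 2
    # Quoting '*.php' stops the shell expanding it before find sees it.
    find "$root" -type f -name '*.php' > "$list"
    # Assumes no newlines in file names.
    while IFS= read -r f; do
        if clean_file "$f"; then
            cleaned=$((cleaned + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$cleaned"
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    clean_tree "$1"
fi
```

The .* in the signature is greedy, so it removes everything up to the last -1; ?> on line 1; compare a few cleaned files against their .infected copies before deleting the backups.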
