Purge virus script from all affected files in application

Question

My server has been hit with a nasty javascript iframe virus. The Trojan injects itself in to every index.php, index.html, & login.php files. The virus looks like <script>VirusCodeCrap</script>

Is there anyway I could use PHP's str_replace() function to search my server and delete the virus? Would anyone know wher I could find some examples on how to do this?

Answer 1

I would immediately delete all files from your server and re-upload clean copies from wherever your code repository is. I would also find where the code was exploited and patch that security hole.

Going about it by editing the virus out of your files seems like the long and hard way when you should have a backup of your files ( that haven't been on a live server ).

Answer 2

If you are on a Unix server, sed is the best way to find and replace text in files.

If you must use PHP, the algorithm will be:

1. Read a file into a variable using file_get_contents()

   $file_contents = file_get_contents( $filename );

2. Search for the replace the offending string

   $file_contents = str_replace( $the_offending_text, $the_replacement_text, $file_contents);

3. Write $file_contents back to the file using file_put_contents:

   file_put_contents( $file_contents );

str_replace() may be insufficient if the string is not precisely the same in every case. If there are variations in the offending string, you may need to use a regular expression to locate and remove them.