This week only. Pastebin PRO Accounts Christmas Special! Don't miss out!Want more features on Pastebin? Sign Up, it's FREE!
Guest

"eva1fYlbakBcVSir" backdoor removal

By: a guest on Mar 18th, 2012  |  syntax: PHP  |  size: 1.93 KB  |  views: 570  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
This paste has a previous version, view the difference. Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. <?php
  2.  
  3. // Grep all instance of the mailicious code
  4. // by doing a grep
  5. $path = "/home/USER/www/"; // ppath to store grep if too large
  6. $pathwebroot = "/home/USER/www/";
  7.  
  8. shell_exec('grep -R -o "eva1fYlbakBcVSir" '.$pathtowebroot.'* > grep.out');
  9.  
  10. $handle = fopen($path."/grep.out", "r");
  11. $cnt = fread($handle, filesize($path."/grep.out"));
  12. fclose($handle);
  13. //$output = shell_ex
  14.  
  15. $arrReplace = explode("
  16. ", $cnt);
  17. // grep sep with :
  18. // then parse with the linebreak
  19. echo 'found '.sizeof( $arrReplace);
  20. sleep(5);
  21. $x = 0;
  22. for($i = 0; $i < sizeof( $arrReplace); $i++) {
  23.         $row = explode(':', $arrReplace[$i]);
  24.         if (sizeof($row) > 1) {
  25.         echo $row[0]." sanitized.\n";
  26.         // open the infected file for reading
  27.         $handle = fopen($row[0], "r");
  28.         $infected = fread($handle, filesize($row[0]));
  29.         fclose($handle);
  30.         // cleaning up
  31.         //$cleared = str_replace('<?php ..', '//:start:', $infected);
  32.         $cleared = explode('<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir))', $infected);
  33.         $cleared = $cleared[0];
  34.         // saving cleared data
  35.         $fp = fopen($row[0], "w");
  36.         fwrite($fp,$cleared);
  37.         fclose( $fp );
  38.         $x++;
  39.         }
  40.  
  41. }
  42. die(sizeof( $x ).' were fixed.');
  43. ?>
  44.  
  45. // Important To do, before running clean.php
  46. // Create file grep.out and chmod 777 this file.
  47. // Don`t forget to replace USER with your actual account user (the one you wish to clean)
  48. // This script was found over internet, it`s not my work, no copyright infregement here. I`ve just added "-o" grep option so the output would not add the infection to grep.out file, making it oversize and imposible to clean.
  49. // There will be some errors as the grep command will find this file too (didn`t know how to make an exception to it, but it`s not important, you could live with some minor errors).
  50. // WordPress, Joomla and other php-ers I hope this helps you as it did for me too.
clone this paste RAW Paste Data