View difference between Paste ID: <a href="/bPXdMKgb">bPXdMKgb</a> and <a href="/post/view"></a>

View difference between Paste ID: bPXdMKgb and

SHOW: | | - or go back to the newest paste.


<?php

// Grep all instance of the mailicious code
// by doing a grep
$path = "/home/USER/www/"; // ppath to store grep if too large
$pathwebroot = "/home/USER/www/";

shell_exec('grep -R -o "eva1fYlbakBcVSir" '.$pathtowebroot.'* > grep.out');

$handle = fopen($path."/grep.out", "r");
$cnt = fread($handle, filesize($path."/grep.out"));
fclose($handle);
//$output = shell_ex

$arrReplace = explode("
", $cnt);
// grep sep with :
// then parse with the linebreak
echo 'found '.sizeof( $arrReplace);
sleep(5);
$x = 0;
for($i = 0; $i < sizeof( $arrReplace); $i++) {
        $row = explode(':', $arrReplace[$i]);
        if (sizeof($row) > 1) {
        echo $row[0]." sanitized.\n";
        // open the infected file for reading
        $handle = fopen($row[0], "r");
        $infected = fread($handle, filesize($row[0]));
        fclose($handle);
        // cleaning up
        //$cleared = str_replace('<?php ..', '//:start:', $infected);
        $cleared = explode('<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir))', $infected);
        $cleared = $cleared[0];
        // saving cleared data
        $fp = fopen($row[0], "w");
        fwrite($fp,$cleared);
        fclose( $fp );
        $x++;
        }

}
die(sizeof( $x ).' were fixed.');
?>

// Important To do, before running clean.php
// Create file grep.out and chmod 777 this file.
// Don`t forget to replace USER with your actual account user (the one you wish to clean)
// This script was found over internet, it`s not my work, no copyright infregement here. I`ve just added "-o" grep option so the output would not add the infection to grep.out file, making it oversize and imposible to clean.
// There will be some errors as the grep command will find this file too (didn`t know how to make an exception to it, but it`s not important, you could live with some minor errors).
// WordPress, Joomla and other php-ers I hope this helps you as it did for me too.

1	-
1	+	<?php
2
3		// Grep all instance of the mailicious code
4		// by doing a grep
5		$path = "/home/USER/www/"; // ppath to store grep if too large
6		$pathwebroot = "/home/USER/www/";
7
8		shell_exec('grep -R -o "eva1fYlbakBcVSir" '.$pathtowebroot.'* > grep.out');
9
10		$handle = fopen($path."/grep.out", "r");
11		$cnt = fread($handle, filesize($path."/grep.out"));
12		fclose($handle);
13		//$output = shell_ex
14
15		$arrReplace = explode("
16		", $cnt);
17		// grep sep with :
18		// then parse with the linebreak
19		echo 'found '.sizeof( $arrReplace);
20		sleep(5);
21		$x = 0;
22		for($i = 0; $i < sizeof( $arrReplace); $i++) {
23		$row = explode(':', $arrReplace[$i]);
24		if (sizeof($row) > 1) {
25		echo $row[0]." sanitized.\n";
26		// open the infected file for reading
27		$handle = fopen($row[0], "r");
28		$infected = fread($handle, filesize($row[0]));
29		fclose($handle);
30		// cleaning up
31		//$cleared = str_replace('<?php ..', '//:start:', $infected);
32		$cleared = explode('<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir))', $infected);
33		$cleared = $cleared[0];
34		// saving cleared data
35		$fp = fopen($row[0], "w");
36		fwrite($fp,$cleared);
37		fclose( $fp );
38		$x++;
39		}
40
41		}
42		die(sizeof( $x ).' were fixed.');
43		?>
44
45		// Important To do, before running clean.php
46		// Create file grep.out and chmod 777 this file.
47		// Don`t forget to replace USER with your actual account user (the one you wish to clean)
48		// This script was found over internet, it`s not my work, no copyright infregement here. I`ve just added "-o" grep option so the output would not add the infection to grep.out file, making it oversize and imposible to clean.
49		// There will be some errors as the grep command will find this file too (didn`t know how to make an exception to it, but it`s not important, you could live with some minor errors).
50		// WordPress, Joomla and other php-ers I hope this helps you as it did for me too.