<?php
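// Find every file under the web root that contains the malicious marker string
// (using grep), then cut the injected PHP block out of each match.
//
// Files are rewritten in place, so take a backup of the web root before running.
// Removing the payload does not fix whatever allowed it to be written: patch the
// application and rotate credentials as well.
$path = "/home/USER/www/"; // directory where grep.out is stored (the match list can be large)
$pathwebroot = "/home/USER/www/"; // directory tree that is scanned and cleaned

// Variable name used by the injected code; grep searches for it as a literal string.
$marker = 'eva1fYlbakBcVSir';
// Exact opening of the injected block. Everything from here to end-of-file is dropped,
// which assumes the payload was appended after the legitimate code.
// TODO confirm against one infected sample before a bulk run.
$injectionStart = '<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir))';

// grep.out lists the infected paths; delete it after the run if $path is web-accessible.
$grepOut = rtrim($path, '/') . '/grep.out';

// -l prints each matching file name once (no matched text, so grep.out stays small and
// file names containing ':' are not mis-split); -F matches the marker literally.
// Arguments are shell-escaped so paths with spaces or metacharacters are safe.
shell_exec(
    'grep -R -l -F -- ' . escapeshellarg($marker) . ' ' . escapeshellarg($pathwebroot)
    . ' > ' . escapeshellarg($grepOut)
);

$arrReplace = is_readable($grepOut)
    ? file($grepOut, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
    : false;
if ($arrReplace === false) {
    die('could not read ' . $grepOut);
}

// This script contains the marker too; it must never be rewritten.
$self = realpath(__FILE__);

echo 'found ' . sizeof($arrReplace);
sleep(5); // pause so the operator can abort before any file is modified
$x = 0;
foreach ($arrReplace as $file) {
    if (realpath($file) === $self) {
        continue;
    }

    // read the infected file
    $infected = file_get_contents($file);
    if ($infected === false) {
        echo $file . " could not be read, skipped.\n";
        continue;
    }

    // Only touch files that contain the exact known injection prefix.
    $pos = strpos($infected, $injectionStart);
    if ($pos === false) {
        echo $file . " contains the marker but not the known injection prefix, review manually.\n";
        continue;
    }

    // Keep only what precedes the injected block.
    $cleared = substr($infected, 0, $pos);
    if (trim($cleared) === '') {
        // Writing this back would empty the file; leave it for a human to inspect.
        echo $file . " would be left empty, review manually.\n";
        continue;
    }

    // save the cleaned contents
    if (file_put_contents($file, $cleared, LOCK_EX) === false) {
        echo $file . " could not be written, skipped.\n";
        continue;
    }

    echo $file . " sanitized.\n";
    $x++;
}
die($x . ' were fixed.');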
?>
// Important To do, before running clean.php
// Create file grep.out and chmod 777 this file.
// Don't forget to replace USER with your actual account user (the one you wish to clean).
// This script was found on the internet; it's not my work, and no copyright infringement is intended. I've just added the "-o" grep option so that the output does not copy the infection into the grep.out file, which made it oversized and impossible to clean.
// There will be some errors because the grep command will find this file too (I didn't know how to make an exception for it, but it's not important; you can live with some minor errors).
// WordPress, Joomla and other PHP users: I hope this helps you as it helped me.