"eva1fYlbakBcVSir" backdoor removal

<?php

// Find every instance of the malicious code
// by running grep
$path = "/home/USER/www/"; // path where grep.out is stored (it can get large)
$pathwebroot = "/home/USER/www/";

// -o prints only the matched marker, so the injected code is not copied into grep.out
shell_exec('grep -R -o "eva1fYlbakBcVSir" '.escapeshellarg($pathwebroot).'* > '.escapeshellarg($path."grep.out"));

// read the grep results back (file_get_contents also copes with an empty grep.out)
$cnt = (string) file_get_contents($path."grep.out");
//$output = shell_ex

// grep separates file name and match with ":",
// so split on line breaks first, then on ":"
$arrReplace = explode("\n", $cnt);
echo 'found '.sizeof($arrReplace);
sleep(5);
$x = 0;
for ($i = 0; $i < sizeof($arrReplace); $i++) {
        $row = explode(':', $arrReplace[$i]);
        if (sizeof($row) > 1) {
                echo $row[0]." sanitized.\n";
                // open the infected file for reading
                $handle = fopen($row[0], "r");
                $infected = fread($handle, filesize($row[0]));
                fclose($handle);
                // cleaning up: keep only what precedes the injected block
                //$cleared = str_replace('<?php ..', '//:start:', $infected);
                $cleared = explode('<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir))', $infected);
                $cleared = $cleared[0];
                // saving cleared data
                $fp = fopen($row[0], "w");
                fwrite($fp, $cleared);
                fclose($fp);
                $x++;
        }

}
// $x is a plain counter, so print it directly (sizeof() on an integer is an error)
die($x.' were fixed.');
?>

// Important to do before running clean.php:
// Create file grep.out and chmod 777 this file.
// Don't forget to replace USER with your actual account user (the one you wish to clean)
// This script was found on the internet, it's not my work, no copyright infringement here. I've just added the "-o" grep option so the output would not add the infection to the grep.out file, making it oversized and impossible to clean.
// There will be some errors as the grep command will find this file too (didn't know how to make an exception to it, but it's not important, you could live with some minor errors).
// WordPress, Joomla and other php-ers I hope this helps you as it did for me too.
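
A more cautious variant of the same cleanup, as an added example that is not part of the original paste: it walks the web root in PHP instead of shelling out to grep, skips itself, only reports unless asked to clean, and copies each file aside before cutting it at the injection. The marker and injection prefix come from the script above; the backup directory, the `--apply` switch and the function names are assumptions of this example.

```php
<?php
// Added example (not from the original paste). Dry run unless --apply is given.
// Assumes, as the paste does, that the injection runs from INJECT_START to end of file.
const MARKER = 'eva1fYlbakBcVSir';
const INJECT_START = '<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir))';

function scanWebroot(string $root, string $self): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        // Skip non-files, unreadable files and this script, which contains the marker.
        if (!$file->isFile() || !$file->isReadable() || $file->getRealPath() === $self) {
            continue;
        }
        $data = file_get_contents($file->getPathname());
        if ($data !== false && strpos($data, MARKER) !== false) {
            // false = marker present but known prefix absent: review by hand
            $hits[$file->getPathname()] = strpos($data, INJECT_START);
        }
    }
    return $hits;
}

function cleanFile(string $file, int $offset, string $backupDir): bool
{
    // Keep an untouched copy outside the web root before rewriting.
    if (!is_dir($backupDir) && !mkdir($backupDir, 0700, true)) {
        return false;
    }
    if (!copy($file, $backupDir . '/' . sha1($file) . '-' . basename($file) . '.bak')) {
        return false;
    }
    $data = file_get_contents($file);
    return $data !== false
        && file_put_contents($file, substr($data, 0, $offset), LOCK_EX) !== false;
}

$root = '/home/USER/www/';                 // placeholder, as in the paste
$backupDir = '/home/USER/backdoor-backup'; // hypothetical path outside the web root
$apply = in_array('--apply', $argv ?? [], true);
foreach (scanWebroot($root, realpath(__FILE__)) as $file => $offset) {
    if ($offset === false || $offset === 0) {
        echo "REVIEW  $file (prefix not found, or truncating would empty the file)\n";
        continue;
    }
    $done = $apply && cleanFile($file, $offset, $backupDir);
    echo ($done ? 'CLEANED' : 'FOUND  ') . " $file (injection at byte $offset)\n";
}
```

Files reported as REVIEW are left untouched: either the marker appears without the known prefix, or the injection starts at byte 0 and cutting there would leave an empty file.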