Clean infected PHP files with sed on linux console

So I had one of my wordpress site infected. All php files were injected with bogus commands. For example, it looked like this

Infected PHP

So now what? I kind of panicked and deactivated all of my sites. Fortunately I could restore most of them because I had clean backups. For some I didn’t (probably the site which was hacked first).

The bogus all looks the same though, so it should be easy to clean this up right? When the panic was over I took some more time to get this job done on the console.

Eventually I came up with this command:

find ./ -name '*.php' -exec sed -i 's/<?php $am.*-1; ?>//' {} \;

I still don’t completely understand what’s going on, because when I try the regexp at regexr I should escape characters like ?. But well, this seems to work for this particular string. You can change it a bit to your needs. It should start with the very first characters of the bogus, $am in my case, then it uses .* to catch all characters in between, and then -1; is the end of the bogus string.

Maybe some day I may need more complex regular expressions, but for now I wanted to make sure that I documented this.

Update: As bob states rightfully in the comments; this is not a method to completely scan all of your PHP files on the server and find all backdoors. This is just a way to remove bogus code that you already identified. The signature changes with every hack, and also other techniques may have been used / planted to create a backdoor.

So this is not meant as a virus scanner command, but just a hint to show how simple injections could be removed.

2 thoughts on “Clean infected PHP files with sed on linux console

  1. This is bad advice.

    It’s probably not what you want to hear, but most (fully automated) hack / deface script services are not as easily fooled. Not all backdoors will have the same signature. This will not fix the _original_ vulnarability that was used to gain access, and you can be certain that they’ve “planted” some more backdoors on less easy to find locations on the system.

    The _only_ way to “fix” this is to wipe the system, and re-install from scratch, if you do not have a backup. If you do not do this, you are fooling yourself into a false sense of security.

    • This post wasn’t meant as a “fix” to clean all of your files (although I understand I might have given this impression). It was just meant to save myself (and maybe others) time in the future how you can clean multiple files that _do_ have the same signature. For example, I restored one of the affected sites by installing a clean wordpress, and then use this sed command to clean my theme. I checked all the php files in the theme afterwards. This is much easier to do (e.g. by using head or something like that) than to edit all files by hand.

      So I agree that this isn’t a solution to scan your whole server for all infected files. I’ll adjust the post a bit to point this out.

Leave a Reply

Your email address will not be published. Required fields are marked *