So I had one of my WordPress sites infected. All PHP files were injected with bogus commands. For example, it looked like this…
So now what? I kind of panicked and deactivated all of my sites. Fortunately I could restore most of them because I had clean backups. For some I didn’t (probably the site which was hacked first).
The bogus code all looks the same though, so it should be easy to clean this up, right? When the panic was over I took some more time to get this job done on the console.
Eventually I came up with this command:
find ./ -name '*.php' -exec sed -i 's/<?php $am.*-1; ?>//' {} \;
I still don’t completely understand what’s going on, because when I try the regexp at regexr I have to escape characters like ?. But well, this seems to work for this particular string. You can adapt it to your needs: the pattern should start with the very first characters of the bogus code ($am in my case), then .* catches all characters in between, and -1; is the end of the bogus string.
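Added example, not from the original post: the same find + sed cleanup, wrapped so you can first count the files that carry the identified signature without touching them, and so every processed file keeps a .bak copy. The "infected" files it works on are constructed placeholders shaped like the post's marker; the only change to the pattern is escaping the dollar sign as \$, which keeps it literal in every sed and grep (GNU sed already treats a mid-pattern $ as literal, and ? is an ordinary character in basic regular expressions, which is why the post's version works unescaped).

```shell
#!/bin/sh
# Added example, not from the original post: stages constructed "infected"
# PHP files, lists the hits before changing anything, then strips the
# injection the way the post does (find + sed), keeping a .bak of each file.
# The injection text below is a constructed placeholder shaped like the
# post's marker ("<?php $am ... -1; ?>"); it is not real malware.
set -eu

# Basic regular expression for the injected block. '?' is a literal in BRE
# and '\$' keeps the dollar sign literal in every sed/grep, so nothing else
# needs escaping. '.*' is greedy within one line, so this assumes nothing
# else on that line ends in '-1; ?>'.
INJECTION_RE='<?php \$am.*-1; ?>'

# Create a scratch tree: two injected files, one clean file. Prints the path.
stage_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content/plugins"
  injected='<?php $am = "CONSTRUCTED_INJECTION_PLACEHOLDER"; $z = -1; ?>'
  printf '%s\n%s\n%s\n' "$injected" '<?php' 'echo "hello";' > "$dir/index.php"
  printf '%s\n%s\n' "$injected" '<?php echo "plugin";' > "$dir/wp-content/plugins/p.php"
  printf '%s\n' '<?php echo "clean";' > "$dir/wp-content/clean.php"
  echo "$dir"
}

# Dry run: how many .php files still carry the signature (no changes made).
count_infected() {
  find "$1" -name '*.php' -exec grep -l "$INJECTION_RE" {} + | wc -l | tr -d ' '
}

# The post's cleanup with -i.bak: sed writes a backup of every file it
# processes (clean ones too) before editing in place. The matched text is
# removed, so an injection on its own line leaves an empty line behind.
clean_tree() {
  find "$1" -name '*.php' -exec sed -i.bak "s/$INJECTION_RE//" {} \;
}

# Stand-alone run: show before/after counts for the constructed tree.
tree=$(stage_fixture)
echo "infected before: $(count_infected "$tree")"
clean_tree "$tree"
echo "infected after:  $(count_infected "$tree")"
```

Run count_infected against the real document root first; if the number of hits is not what you expect, the signature on that server differs from the one the pattern describes and the sed step should not be run yet.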
Maybe some day I may need more complex regular expressions, but for now I wanted to make sure that I documented this.
Update: As bob rightfully states in the comments, this is not a method to scan all of your PHP files on the server and find all backdoors. It is just a way to remove bogus code that you have already identified. The signature changes with every hack, and other techniques may have been used to plant a backdoor.
So this is not meant as a virus scanner command, but just a hint to show how simple injections could be removed.