First line of all PHP files modified hack – solution

  • Hi,

    I am not sure how to block this hack, but as a workaround
    I wrote a solution which would restore your files even if you don't have any backup.
    The script below catches all infected PHP files on your server, backs them up (with their original path), restores them to their original state, and also writes a summary file with the result.
    It works great for me (about 21000~ PHP files scanned and fixed in 7 min).
    In order to use it, copy the code below into a file in your home directory,
    name the file php_fix.sh,
    make it executable by typing
    chmod +x php_fix.sh
    and run it:
    ./php_fix.sh y

    You may consider adding it to your crontab to run automatically every day.

    Enjoy

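    #!/bin/bash
    # Scan every PHP file below the current directory. With "y" as the first
    # argument, back up and repair files whose first line contains GLOBALS;
    # without it, only count them.

    infected_files=0
    fixed_files=0
    DATE=$(date +"%d-%m-%y %T")
    # List all PHP files, skipping the backup directory.
    find . -name "*.php" | grep -v 2fix > php_files.dat

    php_files=$(wc -l < php_files.dat)

    # Create the backup directory if it does not exist yet.
    if [ ! -d 2fix ]
    then
        mkdir 2fix
    fi

    while IFS= read -r file_name
    do
        if head -1 "$file_name" | grep -q GLOBALS
        then
            if [[ $1 == "y" ]]
            then
                # Keep only the third "?>"-separated field of the first line.
                fixed_string=$(head -1 "$file_name" | grep GLOBALS | awk -F"?>" '{print $3}')
                # Escape \, / and & so sed treats the replacement literally.
                escaped_string=$(printf '%s' "$fixed_string" | sed 's|[\\/&]|\\&|g')
                # Back up the infected file, preserving its path under 2fix/.
                cp --parents "$file_name" 2fix/
                sed -i "1s/.*/$escaped_string/" "$file_name"
                #sed -i "1s/.*/\<\?php/" "$file_name"
                #sed -i '1d' "$file_name"
                let fixed_files=$fixed_files+1
            else
                let infected_files=$infected_files+1
            fi
        fi
    done < php_files.dat
    echo $DATE, "Scanned files:" $php_files, "Fixed files:" $fixed_files, "Infected: " $infected_files >> fixed_files.dat
    exit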
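
A follow-up check for the cleanup above, as an added example that is not part of the original post: it compares each backup under 2fix/ with the cleaned file and reports files whose first line still contains GLOBALS or whose content changed beyond line 1. The function names `verify_fix` and `make_sample` and the sample tree are constructed for illustration.

```bash
#!/bin/sh
# Added example: verify a first-line cleanup against its backups.
# Assumes backups mirror the site tree under BACKUP_DIR (as `cp --parents` does)
# and that "GLOBALS" on line 1 is the infection marker, as in the post's script.

# verify_fix BACKUP_DIR SITE_ROOT
# Prints one status line per backed-up PHP file; returns 1 if any is not OK.
verify_fix() {
    backup_dir=$1; site_root=$2; status=0
    list=$(mktemp)
    find "$backup_dir" -type f -name '*.php' | sort > "$list"
    while IFS= read -r backup; do
        rel=${backup#"$backup_dir"/}
        live=$site_root/$rel
        if [ ! -f "$live" ]; then
            echo "MISSING $rel"; status=1
        elif head -n 1 "$live" | grep -q GLOBALS; then
            echo "STILL_INFECTED $rel"; status=1
        elif [ "$(tail -n +2 "$backup" | cksum)" != "$(tail -n +2 "$live" | cksum)" ]; then
            # Only line 1 should differ between the backup and the cleaned file.
            echo "BODY_CHANGED $rel"; status=1
        else
            echo "OK $rel"
        fi
    done < "$list"
    rm -f "$list"
    return $status
}

# make_sample DIR: build a constructed site tree plus 2fix-style backups.
make_sample() {
    mkdir -p "$1/site/a" "$1/2fix/a"
    infected='<?php $GLOBALS["x"]=1; ?><?php'   # constructed marker line
    printf '%s\necho 1;\n' "$infected" > "$1/2fix/a/ok.php"
    printf '<?php\necho 1;\n'          > "$1/site/a/ok.php"
    printf '%s\necho 2;\n' "$infected" > "$1/2fix/a/still.php"
    printf '%s\necho 2;\n' "$infected" > "$1/site/a/still.php"
    printf '%s\necho 3;\n' "$infected" > "$1/2fix/a/body.php"
    printf '<?php\necho 999;\n'        > "$1/site/a/body.php"
}
```

Run from the site root as `verify_fix 2fix .` after a cleanup pass; any line other than `OK` points at a file to inspect by hand.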
  • The topic ‘First line of all PHP files modified hack – solution’ is closed to new replies.