Support » Fixing WordPress » Another request or sed help to remove Base64 infection

  • So last night our server was hit with an attack that infected every php file on the server and inserted the following code
    /*god_mode_on*/eval(base64_decode with a ton of other characters after.

    As it infected every php file i have been trying to clean it using a sed command to go through and remove the code from each file.

    I have been trying to run
    find . -name "*.php" -type f -exec sed -i '/eval(base64_decode(/d' {} \;

    This is workng except it is also removing the <?php from the start of files. Anyone know how to fix this or how I can run sed again to insert <php? back in at the start. Preference would be to not lose it in the first place though.

Viewing 14 replies - 1 through 14 (of 14 total)
Viewing 14 replies - 1 through 14 (of 14 total)
  • The topic ‘Another request or sed help to remove Base64 infection’ is closed to new replies.