Eh?

On 16/09/14 21:29, Simon Greenwood wrote:


On 16 September 2014 21:08, Gareth France <[email protected]> wrote:

    Not Ubuntu related but I'm hoping someone may have the answer I
    need. Today I discovered my webspace has been hacked and several
    sites now contain additional code at the start of every single PHP
    file. Looking at my backups I can see it has been there for a
    while so restoring from a very old backup could cause me issues.

    Is there some way I could do a recursive find and delete on that
    code? It is a very long single line including slashes, hashes,
    exclamation marks etc. so using sed would be difficult as the
    examples I have seen show /thing to change/thing to change to/.

    Any ideas very welcome.


find . -name "*.php" -exec grep -e "(string)" {} \;

from your document root will find the string. A guess would be that the added code is actually base64 so there will be an eval() or base64() at the start of it. You should also be able to use just a fragment of the string.

Look at what egrep or grep -e can do to return the actual injected code and you could then pass that to sed using xargs and delete it, but the simple truth is that it's going to be a bind. You also have to identify where the injection was and get rid of it or it will just happen again.

s/


--
Twitter: @sfgreenwood
"TBA are particularly glib"



-- 
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.ubuntu.com/UKTeam/
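
An added example, not part of the original thread: one way to do the recursive find-and-delete asked about above without sed, using fixed-string matching so the slashes, hashes and exclamation marks in the injected line need no escaping. The function names, the backup directory argument and the paths in the usage line are assumptions made for this example.

```shell
#!/bin/sh
# Added example: the injected string and every path here are placeholders.

# Print each PHP file under $1 that contains the literal text $2.
# grep -F matches fixed text, so slashes, hashes and exclamation marks
# need no escaping, and a distinctive fragment of the line is enough.
list_infected() {
    find "$1" -type f -name '*.php' -exec grep -lF -e "$2" {} +
}

# Delete every literal occurrence of $2 from file $1. The untouched file
# is first copied under $3, which should sit outside the document root.
strip_injection() {
    [ -n "$2" ] || return 2
    mkdir -p "$3/$(dirname "$1")" && cp -p "$1" "$3/$1" || return 1
    # ENVIRON passes the string verbatim; awk -v would process backslashes.
    INJ="$2" awk '
        BEGIN { inj = ENVIRON["INJ"]; n = length(inj) }
        {
            hit = 0
            while ((i = index($0, inj)) > 0) {
                $0 = substr($0, 1, i - 1) substr($0, i + n)
                hit = 1
            }
            if (hit && $0 == "") next   # the injection had its own line
            print
        }' "$3/$1" > "$1"
}

# Clean a whole tree: $1 document root, $2 full injected string, $3 backup dir.
# File names containing newlines are not handled by this loop.
clean_tree() {
    list_infected "$1" "$2" | while IFS= read -r f; do
        strip_injection "$f" "$2" "$3" && printf 'cleaned %s\n' "$f"
    done
}

# Usage: sh clean.sh /path/to/docroot "$(cat injected-line.txt)" /path/to/backup
if [ "$#" -eq 3 ]; then clean_tree "$@"; fi
```

Only the exact injected text is removed, so legitimate code sharing the first line with it survives; running `list_infected` again afterwards with a short fragment shows whether any variant of the line was missed.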
