Thursday, December 19, 2013

Remove PHP Malware Hack Exploit Injection

If all your PHP files have been injected on the first line with an exploit of some sort, you can use the following find and sed commands to replace the entire first line with a normal PHP open tag:
find . -name '*.php' -exec sed -i '1 s/^<?php.*$/<?php/g' {} \;
Once completed, you should inspect your logs and upgrade your software to avoid future incidents.

If you are running this to clean up a WordPress site, I recommend using this modified version, which skips the themes directory so it can be processed manually. The command above replaces everything on the first line, and theme files usually have real template code there after the open tag, so it tends to be too greedy and will 'splode theme files:
find . -path ./wp-content/themes -prune -o -name '*.php' -exec sed -i '1 s/^<?php.*$/<?php/g' {} \;
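As an added example (not the post's own commands), here is a shell version of the same cleanup that first lists which files actually have something after the open tag on line 1, prunes the themes directory as the post suggests, and keeps a .bak copy of every file it rewrites. It assumes a sed that accepts -i with a backup suffix (GNU or BSD) and builds its own constructed sample tree.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes GNU/BSD sed -i.bak.

# Build a constructed sample site under $1: one infected file, one clean file,
# and one theme file whose legitimate first line carries code after the open tag.
make_sample_tree() {
    mkdir -p "$1/wp-content/themes/demo" "$1/wp-includes"
    printf '%s\n%s\n' '<?php /* constructed injected line */ eval(CONSTRUCTED_PAYLOAD); ?>' \
        'echo "app";' > "$1/wp-includes/app.php"
    printf '%s\n%s\n' '<?php' 'echo "clean";' > "$1/wp-includes/clean.php"
    printf '%s\n%s\n' '<?php get_header(); ?>' '<h1>theme</h1>' \
        > "$1/wp-content/themes/demo/header.php"
}

# Dry run: list PHP files whose first line has anything after "<?php".
# The themes directory is pruned, as in the post, because its first lines
# legitimately carry template code.
list_suspect_files() {
    find "$1" -path "$1/wp-content/themes" -prune -o -name '*.php' \
        -exec sh -c 'head -n 1 "$1" | grep -q "^<?php." && echo "$1"' _ {} \;
}

# Replace line 1 of each suspect file with a bare open tag, keeping a .bak copy
# so a mistaken rewrite can be reverted.
clean_suspect_files() {
    list_suspect_files "$1" | while read -r f; do
        sed -i.bak '1 s/^<?php.*$/<?php/' "$f"
    done
}

# Number of files still flagged; should be 0 after cleaning.
count_suspect_files() { list_suspect_files "$1" | wc -l | tr -d ' '; }

# Demo on a throwaway copy of the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "Suspect files before cleaning:"; list_suspect_files "$demo_dir"
clean_suspect_files "$demo_dir"
echo "Suspect files after cleaning: $(count_suspect_files "$demo_dir")"
rm -rf "$demo_dir"
```

Run the listing step alone first and review the flagged files before letting the cleanup rewrite anything.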