bahgheera, posted June 28, 2010:

Hi folks, a question. My website got hacked with a base64 eval added as the first line of every PHP file on the server. So I'm working on a script that will fix it. I want to know if I'm going at this logically. The flow of the script is like this: find all the PHP files, check to see if the first line contains the attack string. If it does, we load up the file, reverse it, pop off the last line, reverse it again, and write it back to disk. This was the only way I could figure out to remove the first line without doing some array magic and reading in the entire file. Also, my main problem is that I think I'm creating an endless loop with the directory recursion routine. When I run the thing my website goes down for up to half an hour. Also, when it doesn't crash the server, it doesn't identify the files with the attack string. Would someone mind looking at it and trying to figure out 1) where the endless loop is, and 2) why the check_file function isn't working? I'd greatly appreciate it. BTW, I didn't write the directory recursion part, but I can't remember where I got it. This script worked before on a different server.

[attachment deleted by admin]
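The poster's attachment is gone, so here is an added example (my own code, not the poster's script) of the cleanup flow described above: walk the tree, test only the first line of each .php file against the injected pattern, and strip that line without reversing or buffering the file. It assumes the payload occupies the whole first line, begins with `<?php eval(base64_decode(` (or a close variant) and ends with `?>`; the regex in INJECTION_PATTERN is an assumption and should be tightened to the exact line seen on the server. Each hit is printed with its modification time, which is a starting point for the later question in this thread of lining the infections up against the web server's access log.

```php
<?php
// Added example, not the poster's script: report (and optionally remove) an
// injected first line in every .php file below a directory.
// Assumptions: the payload occupies the whole first line, starts with
// "<?php eval(base64_decode(" (or a close variant) and ends with "?>".
// INJECTION_PATTERN should be tightened to the exact line seen on the server.

// Assumed signature of the injected line.
const INJECTION_PATTERN =
    '/^\s*<\?php\s*(?:@\s*)?eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(.*\?>\s*$/i';

// Return true if the first line of $path matches INJECTION_PATTERN.
// Only one line is read, so large files cost almost nothing to check.
function first_line_infected(string $path): bool
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $line = fgets($fh);
    fclose($fh);
    return $line !== false && preg_match(INJECTION_PATTERN, $line) === 1;
}

// Drop the first line of $path by streaming everything after it into a temp
// file next to the original and renaming that over the original. Nothing is
// reversed and the file is never held in memory. Returns true on success.
function strip_first_line(string $path): bool
{
    $in = fopen($path, 'rb');
    if ($in === false) {
        return false;
    }
    fgets($in);                           // consume and discard the injected line
    $tmp = $path . '.clean.' . getmypid();
    $out = fopen($tmp, 'xb');             // 'x' refuses to clobber an existing temp file
    if ($out === false) {
        fclose($in);
        return false;
    }
    $ok = stream_copy_to_stream($in, $out) !== false;
    fclose($in);
    fclose($out);
    if ($ok) {
        chmod($tmp, fileperms($path) & 0777);   // keep the original mode
        $ok = rename($tmp, $path);
    }
    if (!$ok) {
        @unlink($tmp);
    }
    return $ok;
}

// Walk $root and return [path => mtime] for each infected .php file.
// SKIP_DOTS keeps "." and ".." out of the iteration, which is the usual cause
// of a hand-written opendir()/readdir() recursion that never terminates, and
// symlinked directories are not followed unless FOLLOW_SYMLINKS is set.
function find_infected(string $root): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()
            && strtolower($file->getExtension()) === 'php'
            && first_line_infected($file->getPathname())) {
            $found[$file->getPathname()] = $file->getMTime();
        }
    }
    return $found;
}

// Usage: php clean.php /path/to/webroot [--fix]
// Without --fix nothing is written; each hit is printed with its modification
// time so the timestamps can be lined up against the web server's access log.
$root = $argv[1] ?? '.';
$fix  = in_array('--fix', $argv, true);
$hits = find_infected($root);
foreach ($hits as $path => $mtime) {
    echo date('Y-m-d H:i:s', $mtime), '  ', $path, "\n";
    if ($fix && !strip_first_line($path)) {
        fwrite(STDERR, "failed to clean $path\n");
    }
}
echo count($hits), " infected file(s)\n";
```

Run it once without `--fix` and read the list before cleaning anything; a pattern that is too loose will match a legitimate file that happens to start with an `eval(` call. Writing to a temp file and renaming it over the original keeps the replacement atomic, so a request served by the web server mid-run sees either the old file or the cleaned one, never a truncated copy.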
kenrbnsn, posted June 28, 2010:

It would be much easier to restore your files from a backup. You do have a backup, don't you? You also have to figure out how the hackers got in and close that hole before fixing anything or they will corrupt your files again.

Ken
bahgheera (author), posted June 28, 2010:

Yes, I have a backup but it's about a week old. I know, I know! One thing I want to find out is how do I figure out how they got in? It's the second time this website has suffered the same attack. I did a lot of research on Google the first time this happened, and found tons of info about what the attack is, what it does, etc. But I couldn't find anything that explains how you would go about finding where it came from. I know there's an input box somewhere on the site that is unprotected, but who the heck knows where that would be??? We have SMF running, and the site owner has a couple more websites on the same server as well. Any ideas how to track down that input would be GREATLY appreciated.