alexwtz Posted April 3, 2014 Share Posted April 3, 2014 I want to remove first line of infected php files, but i want to keep <?php I'd attached 2 files one with the infected file to see the first line, and one with a script that eliminates the first line, but i don't know how to keep the <?php... a.php is the script for cleaning update_cron.php a.php Link to comment https://forums.phpfreaks.com/topic/287489-please-help-removing-first-line-of-php/ Share on other sites More sharing options...
alexwtz Posted April 3, 2014 Author Share Posted April 3, 2014 i think here it needs to insert <?php in a.php al line 91 $the_content = preg_replace('/^\\s/', '', $the_content); // remove any leading whitespace. how can i insert it? Link to comment https://forums.phpfreaks.com/topic/287489-please-help-removing-first-line-of-php/#findComment-1474782 Share on other sites More sharing options...
Ch0cu3r Posted April 3, 2014 Share Posted April 3, 2014 If it is the very first line of any file you want to replace with just a <?php then use $lines = file('path/to/file.php', FILE_IGNORE_NEW_LINES); // open the file and omit new lines from end of each line, each line will be feed into an array $lines[0] = "<?php"; // Set the very first line to a <?php tag file_put_contents('path/to/file.php', implode(PHP_EOL, $lines)); // implode the array, add in the newlines and write the contents back to the file Link to comment https://forums.phpfreaks.com/topic/287489-please-help-removing-first-line-of-php/#findComment-1474783 Share on other sites More sharing options...
alexwtz Posted April 3, 2014 Author Share Posted April 3, 2014 these is my function, and i put the code for new line but it dosen't work function fix_files( $files ) { global $hack_str; foreach ( $files as $file ) { if ( is_array($file) ) { fix_files($file); } else { $contents = explode("\n", file_get_contents($file)); unset($contents[0]); $f = fopen($file, 'w'); if ( $f ) { $the_content = implode($contents, "\n"); $the_content = preg_replace('/^\\s/', '<?php', $the_content); // remove any leading whitespace. $lines[0] = "<?php"; // Set the first line to a <?php tag fwrite($f, $the_content, strlen($the_content)); fclose($f); echo "Removed first line containing <code>" . htmlentities($hack_str) ."</code>from $file...<br />"; } } } } Link to comment https://forums.phpfreaks.com/topic/287489-please-help-removing-first-line-of-php/#findComment-1474785 Share on other sites More sharing options...
Ch0cu3r Posted April 3, 2014 Share Posted April 3, 2014 You need to replace the code in the else statement with my three lines of code, something like function fix_files( $files ) { global $hack_str; foreach ( $files as $file ) { if ( is_array($file) ) { fix_files($file); } else { $lines = file($file, FILE_IGNORE_NEW_LINES); $lines[0] = "<?php"; // Set the first line to a <?php tag file_put_contents($file, implode(PHP_EOL, $lines)); echo "Removed first line containing <code>" . htmlentities($hack_str) ."</code>from $file...<br />"; } } } } Link to comment https://forums.phpfreaks.com/topic/287489-please-help-removing-first-line-of-php/#findComment-1474786 Share on other sites More sharing options...
alexwtz Posted April 3, 2014 Author Share Posted April 3, 2014 it's ok but overides my firs line these is the way i test it: function fix_files( $files ) { global $hack_str; foreach ( $files as $file ) { if ( is_array($file) ) { fix_files($file); } else { $contents = explode("\n", file_get_contents($file)); unset($contents[0]); $f = fopen($file, 'w'); if ( $f ) { $the_content = implode($contents, "\n"); $the_content = preg_replace('/^\\s/', '<?php', $the_content); // remove any leading whitespace. fwrite($f, $the_content, strlen($the_content)); fclose($f); $lines = file($file, FILE_IGNORE_NEW_LINES); $lines[0] = "<?php"; // Set the first line to a <?php tag file_put_contents($file, implode(PHP_EOL, $lines)); echo "Removed first line containing <code>" . htmlentities($hack_str) ."</code>from $file...<br />"; } } } } because i need to search many files to delete the code and put <?php, because i want just in the infected files to make these change Link to comment https://forums.phpfreaks.com/topic/287489-please-help-removing-first-line-of-php/#findComment-1474790 Share on other sites More sharing options...
Ch0cu3r Posted April 3, 2014 Share Posted April 3, 2014 it's ok but overides my firs line I dont understand? You have files which have code like this as the very first line (shortened for readability) <?php /*versio:3.02*/ $GLOBALS["ktrmpz"]="PaUlQzT...iIpKSk7at"; if (!function_exists('tjjluyoc')){function tjjluyoc($a, $b){$c=$GLOBALS['ktrmpz'];$d=pack('H*','626173653634'.'5f6465636f6465'); return $d(substr($c, $a, $b));};eval(tjjluyoc(561,3272));};?><?php and you want to remove it. My code replaces that code in the first line with a <?php. It is not meant to be used with your existing code! That is why I said to replace your code in the else statement with my code! Link to comment https://forums.phpfreaks.com/topic/287489-please-help-removing-first-line-of-php/#findComment-1474792 Share on other sites More sharing options...
alexwtz Posted April 3, 2014 Author Share Posted April 3, 2014 yes i have many infected php files and i want to clean the infected code.. the script a.php makes the search and deletes the line. but i need to insert a new line with <?php or replace the code line. in a.php at line 79 is the fix code, there i need a function that after the code delets the malware to insert or replace with <?php the steps ar to search and then to change, because not all files are infected. Link to comment https://forums.phpfreaks.com/topic/287489-please-help-removing-first-line-of-php/#findComment-1474794 Share on other sites More sharing options...
Ch0cu3r Posted April 3, 2014 Share Posted April 3, 2014 I have downloaded your a.php replaced your fix_files function with the code in my post here (although there was an error due to too many } in my code). Then created a few test files, some with the infected code and some without. I then ran a.php and it removed the malicious code from the infected files. So what is the issue now? I have attached the modified a.php here. a.php Link to comment https://forums.phpfreaks.com/topic/287489-please-help-removing-first-line-of-php/#findComment-1474796 Share on other sites More sharing options...
alexwtz Posted April 3, 2014 Author Share Posted April 3, 2014 Yes it work's! Thank you very much Link to comment https://forums.phpfreaks.com/topic/287489-please-help-removing-first-line-of-php/#findComment-1474799 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.