alexwtz Posted April 3, 2014 Share Posted April 3, 2014 I want to remove first line of infected php files, but i want to keep <?php I'd attached 2 files one with the infected file to see the first line, and one with a script that eliminates the first line, but i don't know how to keep the <?php... a.php is the script for cleaning update_cron.php a.php Quote Link to comment Share on other sites More sharing options...
alexwtz Posted April 3, 2014 Author Share Posted April 3, 2014 i think here it needs to insert <?php in a.php al line 91 $the_content = preg_replace('/^\\s/', '', $the_content); // remove any leading whitespace. how can i insert it? Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted April 3, 2014 Share Posted April 3, 2014 (edited) If it is the very first line of any file you want to replace with just a <?php then use $lines = file('path/to/file.php', FILE_IGNORE_NEW_LINES); // open the file and omit new lines from end of each line, each line will be feed into an array $lines[0] = "<?php"; // Set the very first line to a <?php tag file_put_contents('path/to/file.php', implode(PHP_EOL, $lines)); // implode the array, add in the newlines and write the contents back to the file Edited April 3, 2014 by Ch0cu3r Quote Link to comment Share on other sites More sharing options...
alexwtz Posted April 3, 2014 Author Share Posted April 3, 2014 these is my function, and i put the code for new line but it dosen't work function fix_files( $files ) { global $hack_str; foreach ( $files as $file ) { if ( is_array($file) ) { fix_files($file); } else { $contents = explode("\n", file_get_contents($file)); unset($contents[0]); $f = fopen($file, 'w'); if ( $f ) { $the_content = implode($contents, "\n"); $the_content = preg_replace('/^\\s/', '<?php', $the_content); // remove any leading whitespace. $lines[0] = "<?php"; // Set the first line to a <?php tag fwrite($f, $the_content, strlen($the_content)); fclose($f); echo "Removed first line containing <code>" . htmlentities($hack_str) ."</code>from $file...<br />"; } } } } Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted April 3, 2014 Share Posted April 3, 2014 (edited) You need to replace the code in the else statement with my three lines of code, something like function fix_files( $files ) { global $hack_str; foreach ( $files as $file ) { if ( is_array($file) ) { fix_files($file); } else { $lines = file($file, FILE_IGNORE_NEW_LINES); $lines[0] = "<?php"; // Set the first line to a <?php tag file_put_contents($file, implode(PHP_EOL, $lines)); echo "Removed first line containing <code>" . htmlentities($hack_str) ."</code>from $file...<br />"; } } } } Edited April 3, 2014 by Ch0cu3r Quote Link to comment Share on other sites More sharing options...
alexwtz Posted April 3, 2014 Author Share Posted April 3, 2014 (edited) it's ok but overides my firs line these is the way i test it: function fix_files( $files ) { global $hack_str; foreach ( $files as $file ) { if ( is_array($file) ) { fix_files($file); } else { $contents = explode("\n", file_get_contents($file)); unset($contents[0]); $f = fopen($file, 'w'); if ( $f ) { $the_content = implode($contents, "\n"); $the_content = preg_replace('/^\\s/', '<?php', $the_content); // remove any leading whitespace. fwrite($f, $the_content, strlen($the_content)); fclose($f); $lines = file($file, FILE_IGNORE_NEW_LINES); $lines[0] = "<?php"; // Set the first line to a <?php tag file_put_contents($file, implode(PHP_EOL, $lines)); echo "Removed first line containing <code>" . htmlentities($hack_str) ."</code>from $file...<br />"; } } } } because i need to search many files to delete the code and put <?php, because i want just in the infected files to make these change Edited April 3, 2014 by alexwtz Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted April 3, 2014 Share Posted April 3, 2014 (edited) it's ok but overides my firs line I dont understand? You have files which have code like this as the very first line (shortened for readability) <?php /*versio:3.02*/ $GLOBALS["ktrmpz"]="PaUlQzT...iIpKSk7at"; if (!function_exists('tjjluyoc')){function tjjluyoc($a, $b){$c=$GLOBALS['ktrmpz'];$d=pack('H*','626173653634'.'5f6465636f6465'); return $d(substr($c, $a, $b));};eval(tjjluyoc(561,3272));};?><?php and you want to remove it. My code replaces that code in the first line with a <?php. It is not meant to be used with your existing code! That is why I said to replace your code in the else statement with my code! Edited April 3, 2014 by Ch0cu3r Quote Link to comment Share on other sites More sharing options...
alexwtz Posted April 3, 2014 Author Share Posted April 3, 2014 (edited) yes i have many infected php files and i want to clean the infected code.. the script a.php makes the search and deletes the line. but i need to insert a new line with <?php or replace the code line. in a.php at line 79 is the fix code, there i need a function that after the code delets the malware to insert or replace with <?php the steps ar to search and then to change, because not all files are infected. Edited April 3, 2014 by alexwtz Quote Link to comment Share on other sites More sharing options...
Solution Ch0cu3r Posted April 3, 2014 Solution Share Posted April 3, 2014 I have downloaded your a.php replaced your fix_files function with the code in my post here (although there was an error due to too many } in my code). Then created a few test files, some with the infected code and some without. I then ran a.php and it removed the malicious code from the infected files. So what is the issue now? I have attached the modified a.php here. a.php Quote Link to comment Share on other sites More sharing options...
alexwtz Posted April 3, 2014 Author Share Posted April 3, 2014 Yes it work's! Thank you very much Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.