Jump to content

Recommended Posts

I want to remove first line of infected php files, but i want to keep <?php

I'd attached 2 files one with the infected file to see the first line, and one with a script that eliminates the first line, but i don't know how to keep the <?php... :(

 

a.php is the script for cleaning

update_cron.php

a.php

Link to comment
https://forums.phpfreaks.com/topic/287489-please-help-removing-first-line-of-php/
Share on other sites

If it is the very first line of any file you want to replace with just a <?php then use

$lines = file('path/to/file.php', FILE_IGNORE_NEW_LINES); // open the file and omit new lines from end of each line, each line will be feed into an array

$lines[0] = "<?php"; // Set the very first line to a <?php tag

file_put_contents('path/to/file.php', implode(PHP_EOL, $lines)); // implode the array, add in the newlines and write the contents back to the file
Edited by Ch0cu3r

these is my function, and i put the code for new line but it dosen't work

function fix_files( $files ) {
	global $hack_str;
	foreach ( $files as $file ) {
		if ( is_array($file) ) {
			fix_files($file);
		}
		else { 
			$contents = explode("\n", file_get_contents($file));
			unset($contents[0]);
			$f = fopen($file, 'w');
			if ( $f ) {
				$the_content = implode($contents, "\n");
				$the_content = preg_replace('/^\\s/', '<?php', $the_content); // remove any leading whitespace.
				$lines[0] = "<?php"; // Set the first line to a <?php tag
				fwrite($f, $the_content, strlen($the_content));
				fclose($f);
				echo "Removed first line containing <code>" .  htmlentities($hack_str) ."</code>from $file...<br />";
			}
		} 
	}
}

You need to replace the code in the else statement with my three lines of code, something like

function fix_files( $files ) {
    global $hack_str;
    foreach ( $files as $file ) {
        if ( is_array($file) ) {
            fix_files($file);
        }
        else { 
            $lines = file($file, FILE_IGNORE_NEW_LINES);
            $lines[0] = "<?php"; // Set the first line to a <?php tag
            file_put_contents($file, implode(PHP_EOL, $lines));
            echo "Removed first line containing <code>" .  htmlentities($hack_str) ."</code>from $file...<br />";
            }
        } 
    }
}
Edited by Ch0cu3r

it's ok but overides my firs line

 

these is the way i test it:

function fix_files( $files ) {
	global $hack_str;
	foreach ( $files as $file ) {
		if ( is_array($file) ) {
			fix_files($file);
		}
		else { 
			$contents = explode("\n", file_get_contents($file));
			unset($contents[0]);
			$f = fopen($file, 'w');
			if ( $f ) {
				$the_content = implode($contents, "\n");
				$the_content = preg_replace('/^\\s/', '<?php', $the_content); // remove any leading whitespace.
				fwrite($f, $the_content, strlen($the_content));
				fclose($f);
				$lines = file($file, FILE_IGNORE_NEW_LINES);
            			$lines[0] = "<?php"; // Set the first line to a <?php tag
            			file_put_contents($file, implode(PHP_EOL, $lines));
				echo "Removed first line containing <code>" .  htmlentities($hack_str) ."</code>from $file...<br />";
			}
		} 
	}
}

because i need to search many files to delete the code and put <?php, because i want just in the infected files to make these change

Edited by alexwtz

 

 

it's ok but overides my firs line

I dont understand? You have files which have code like this as the very first line (shortened for readability)

<?php /*versio:3.02*/ $GLOBALS["ktrmpz"]="PaUlQzT...iIpKSk7at";        if (!function_exists('tjjluyoc')){function tjjluyoc($a, $b){$c=$GLOBALS['ktrmpz'];$d=pack('H*','626173653634'.'5f6465636f6465'); return $d(substr($c, $a, $b));};eval(tjjluyoc(561,3272));};?><?php

and you want to remove it. My code replaces that code in the first line with a <?php. It is not meant to be used with your existing code! That is why I said to replace your code in the else statement with my code!

Edited by Ch0cu3r

yes i have many infected php files and i want to clean the infected code.. the script a.php makes the search and deletes the line. but i need to insert a new line with <?php or replace the code line. in a.php at line 79 is the fix code, there i need a function that after the code delets the malware to insert or replace with <?php

 

the steps ar to search and then to change, because not all files are infected.

Edited by alexwtz
  • Solution

I have downloaded your a.php replaced your fix_files function with the code in my post here (although there was an error due to too many } in my code).

 

Then created a few test files, some with the infected code and some without. I then ran a.php and it removed the malicious code from the infected files.

 

So what is the issue now? I have attached the modified a.php here.

a.php

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.