Hi folks, a question. My website got hacked with a base64 eval added as the first line of every PHP file on the server, so I'm working on a script that will fix it. I want to know if I'm going at this logically. The flow of the script is like this: find all the PHP files, and check to see if the first line contains the attack string. If it does, we load up the file, reverse it, pop off the last line, reverse it again, and write it back to disk. This was the only way I could figure out to remove the first line without doing some array magic and reading in the entire file.
Also, my main problem is that I think I'm creating an endless loop with the directory recursion routine. When I run the thing, my website goes down for up to half an hour. Also, when it doesn't crash the server, it doesn't identify the files with the attack string. Would someone mind looking at it and trying to figure out 1) where the endless loop is, and 2) why the check_file function isn't working? I'd greatly appreciate it.
BTW, I didn't write the directory recursion part, but I can't remember where I got it. This script worked before on a different server.
[attachment deleted by admin]
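The poster's script is no longer attached, so the following is an added example rather than their code: a small Python cleaner that does the job the post describes (walk the tree, inspect line 1 of every .php file, strip the injected eval) without either of the two problems mentioned. It walks the directory with os.walk(followlinks=False), because a symlink that points back up the tree is the usual reason a hand-rolled recursive directory walker never terminates; whether that is what the deleted script did is an assumption. It reads line 1 only, removes just the matched injected prefix (so an original `<?php` that the attacker pushed onto the same line survives, and no blank line is left above `<?php`, which PHP would emit as output and which would break header() calls), and writes via a temp file plus rename so a crash cannot leave a truncated PHP file behind. The regex is a guess at the shape of the injected line and must be adjusted to the exact string found on the server; the sample files in demo() are constructed for illustration. Cleaning the files does not close whatever hole was used to write them, so the real fix is still a restore from a known-good backup plus patching the entry point.

```python
import os
import re
import tempfile
from typing import Optional

# Assumed shape of the injected opener (adjust to the exact string on the server), e.g.
#   <?php eval(base64_decode("aWYo...")); ?>
INJECTED = re.compile(
    rb"""^\s*<\?php\s*@?eval\s*\(\s*base64_decode\s*\(\s*['"][A-Za-z0-9+/=]*['"]\s*\)\s*\)\s*;?\s*\?>\s*"""
)


def strip_injection(head: bytes) -> Optional[bytes]:
    """Return line 1 with the injected prefix removed, or None if the line is clean.

    Only the matched prefix goes, so an original '<?php' glued onto the same line
    survives.  The payload's trailing whitespace/newline is consumed as well, so
    no blank line is left at the top of the file (that would be output before
    headers).
    """
    cleaned, n = INJECTED.subn(b"", head, count=1)
    return cleaned if n else None


def clean_file(path: str) -> bool:
    """Rewrite one file if its first line is infected; True if it was changed.

    Writes to a temp file in the same directory and renames it over the original,
    so a crash mid-write cannot leave a half-written PHP file behind.
    """
    with open(path, "rb") as f:
        cleaned = strip_injection(f.readline())
        if cleaned is None:
            return False
        rest = f.read()
    mode = os.stat(path).st_mode & 0o777
    fd, tmp = tempfile.mkstemp(prefix=".clean-", dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(cleaned + rest)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def clean_tree(root: str) -> dict:
    """Walk root without following symlinked directories (the classic source of an
    endless recursion) and clean every regular .php file found."""
    stats = {"scanned": 0, "cleaned": 0}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):  # never rewrite through a link
                continue
            stats["scanned"] += 1
            if clean_file(path):
                stats["cleaned"] += 1
    return stats


def first_line(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.readline()


def demo():
    """Constructed tree: two infected files (one with the payload glued to the
    original opener), one clean file, a non-PHP file carrying the payload, and a
    symlink loop.  Returns (stats, first line of each file after cleaning)."""
    payload = b'<?php eval(base64_decode("ZWNobyAiaGkiOw==")); ?>'
    files = {
        "index.php": payload + b"\n<?php\necho 'hello';\n",
        "inc/lib.php": payload + b"<?php\nfunction f() {}\n",
        "inc/clean.php": b"<?php\necho 'untouched';\n",
        "notes.txt": payload + b"\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "inc"))
        for rel, body in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        try:  # inc/loop -> root: a walker that follows links never finishes
            os.symlink(root, os.path.join(root, "inc", "loop"))
        except (OSError, NotImplementedError):
            pass  # platform without symlinks; the walk still terminates
        stats = clean_tree(root)
        heads = {rel: first_line(os.path.join(root, rel)) for rel in files}
    return stats, heads


if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the document root first, and diff the result before touching the live site; if the injected line on the server differs from the pattern above (a different quote style, an extra comment, a gzinflate wrapper), the regex is the only thing that needs to change.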