Linux terminal command to clean a base64_decode hack?

Associate
Joined
21 Oct 2008
Posts
1,679
Location
Mooching... in your house
We have had 3 sites hacked; they are all the **base64** encode hack that looks like this:

Code:
eval(base64_decode("CmVycm9yX3JlcG9ydGluZygwKTsKJHFhenBsbT1oZWFkZ.........")

Is there a command similar to this one:

Code:
$ find . -name "*.php" -print | xargs sed -i 's@eval(base64_decode("CmVycm9yX3Jlc........")

That I can use but which uses Regex to find and replace the entire string based on the starting characters? The reason I ask is because every instance of the injection starts the same but concludes in different ways, so I'd like a way to attack all of them at once.

Any ideas?
 
Associate
Joined
5 Jun 2013
Posts
1,531
It doesn't have to run all the way to the end of the line. I've just tried the following command and it removed the eval() bit but left everything else on the line.

Code:
find . -name "*.php" -print | xargs sed -i 's@eval(base64_decode("CmVycm9yX3Jlc.*")@@g'
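A bounded variant of the clean-up discussed in this thread, as an added example that is not part of either post. It assumes GNU find, grep and sed; the function names `list_infected` and `clean_injection` are hypothetical, and `MARKER` is the payload prefix quoted in the thread.

```shell
#!/bin/sh
# Added example: strip an injected eval(base64_decode("...")) call from PHP
# files while keeping a copy of each original for later analysis.
# MARKER is the payload prefix quoted in the thread; adjust it to your samples.
MARKER='CmVycm9yX3Jlc'

# Print the PHP files under $1 that contain the injected call, one per line.
# find -exec passes names safely, so paths with spaces are handled
# (names containing newlines are not supported by the line-based loop below).
list_infected() {
  # grep exits 1 when a batch has no match; that is not an error here.
  find "$1" -type f -name '*.php' \
    -exec grep -lF -- "eval(base64_decode(\"$MARKER" {} + || true
}

# Remove the call from every infected file under $1 and print how many files
# were changed. Each original is kept as FILE.infected; move those copies out
# of the web root once the clean-up has been checked.
clean_injection() {
  count=0
  tmp=$(mktemp)
  list_infected "$1" > "$tmp"
  while IFS= read -r f; do
    # [A-Za-z0-9+/=]* spans base64 characters only, so the match ends at the
    # payload's closing quote. A greedy .* would run on to the last ") on the
    # line and delete legitimate code that follows the injection.
    sed -E -i.infected \
      "s@eval\(base64_decode\(\"${MARKER}[A-Za-z0-9+/=]*\"\)\)[[:space:]]*;?@@g" "$f"
    count=$((count + 1))
  done < "$tmp"
  rm -f "$tmp"
  echo "$count"
}

# Stand-alone use: sh clean.sh /path/to/site
if [ "$#" -gt 0 ]; then
  clean_injection "$1"
fi
```

Run `list_infected` on its own first to review which files will be touched before anything is rewritten.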
 