How to clean up a base64_decode infected php website.
Posted Apr 25 by Steve (fidgetwith.com). Article last updated: Aug 17, 2010.
Geek hat on for this one. A friend had a problem with his website: he had noticed that it was not working properly, scripts were not running as they should, and so on. I took a look.
On looking at his PHP scripts, the first line had been replaced with code like:
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdX...
Looking further, every PHP script had been changed the same way. It seems one of the scripts he was using had a vulnerability in it. We had to clean up his scripts.
His site had hundreds of PHP scripts that needed cleaning. I had a look and found an easier way to do it, thanks to a bash script by Luis Esteban.
If you find yourself in the same situation, here is how to clean up your site.
MAKE SURE YOU BACK UP YOUR SITE BEFORE CONTINUING.
- You need secure shell (SSH) access to your webspace. If you don’t have this, ask your webhost. If they won’t let you, sorry - this won’t work.
- Shell into your webspace and get the name of one of the infected PHP files.
- Get the offending line of code so we can search all files for it. Enter (replacing infectedfile.php with the correct name):
head -1 infectedfile.php > yuck
- Get a list of infected files and save it as “infectedfiles”:
find ./ -name '*.php' | while read -r FILE; do if grep -q 'eval(base64_decode' "$FILE"; then echo "$FILE" >> infectedfiles; else echo "$FILE" >> notinfected; fi ; done
- Create a shell script with the following code, CHMOD to 744 and run it:
#!/bin/bash
#
# remove-infection
# Script to remove the XYZ infection
# from PHP files
# Luis Esteban 8 December 2008
#
# To look for candidate files by hand:
# grep -Iir base64_decode *
#
# "yuck" holds the injected first line captured earlier with head -1.
YUCKHEAD=$(head -1 yuck)

# "infectedfiles" is the list produced by the find loop above.
while read -r FILE
do
  echo "Cleaning $FILE"
  FILEHEAD=$(head -1 "$FILE")
  if [ "$FILEHEAD" = "$YUCKHEAD" ]
  then
    echo "Infected, cleaning ..."
    # Drop the first line; write back with cat so the file keeps its owner and permissions.
    tail -n+2 "$FILE" > "clean"
    cat "clean" > "$FILE"
    echo "$FILE" >> cleaned
  else
    echo "Not Infected"
    echo "$FILE" >> notcleaned
  fi
done < infectedfiles
rm -f clean
Your site should now be clean.
- MAKE SURE YOU CHECK ALL SCRIPTS NOW TO STOP IT HAPPENING AGAIN!
UPDATE: I’m sorry if you tried this script and it had errors. WordPress was doing some silly stuff with quotation marks. I’ve fixed it now.
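The bulk cleaner above deletes the whole of line 1, so anything the infection shared that line with (typically the site's own opening <?php tag) is deleted with it. The script below is an added example, not part of the original post or Luis Esteban's script: it removes only the injected eval(base64_decode('...'));?> prefix and keeps the rest of the line, dropping the line only when nothing else was on it. It assumes the same "infectedfiles" list and the cleaned/notcleaned log names used above; the base64 payloads in the test are constructed.

```shell
#!/bin/sh
# Added example: strip only the injected prefix from line 1 of each PHP file,
# keeping whatever followed it on that line (usually the original "<?php").

# The injected prefix the post describes, as a basic regular expression for
# grep/sed. Only the base64 alphabet is allowed inside the quotes, so an
# unrelated eval() elsewhere on the line is not matched.
INJECT_RE="^<?php /\*\*/eval(base64_decode('[A-Za-z0-9+/=]*'));?>"

# is_infected FILE: exit 0 if line 1 starts with the injected prefix.
is_infected() {
    head -n 1 "$1" | grep -q "$INJECT_RE"
}

# clean_file FILE: remove the prefix from line 1 in place; if nothing is left
# of that line it is dropped. Files that are not infected are left untouched
# (exit 1). Writing back with cat keeps the file's owner and permissions.
clean_file() {
    f=$1
    is_infected "$f" || return 1
    sed -e "1s|$INJECT_RE||" -e '1{' -e '/^$/d' -e '}' "$f" > "$f.clean" \
        && cat "$f.clean" > "$f" && rm -f "$f.clean"
}

# clean_list LISTFILE: run clean_file over every path in the list built by
# the post's find loop ("infectedfiles"), logging to cleaned / notcleaned.
clean_list() {
    while IFS= read -r f; do
        if clean_file "$f"; then
            printf '%s\n' "$f" >> cleaned
        else
            printf '%s\n' "$f" >> notcleaned
        fi
    done < "$1"
}
```

Run it as `clean_list infectedfiles` from the web root, after taking the backup the post insists on.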
Anyone trying this script: it may cause serious issues with your site. The basic premise is that it works on a very specific type of error. On mine, it slightly mangled the beginning of our script files [I believe] so they did not have an opening <?php call at the beginning, and hence the site did not load.
Good advice and it should really only be used as a bulk cleaner for people that know what they are doing and ALWAYS BACK UP FIRST!
The script could be fairly easily tweaked to check for