Cleaning up files with eval(base64 Malware

This blog was recently infected with an eval(base64 malware. This kind of malware uses site vulnerabilities to inject a long list of links at the beginning of pages, which theoretically improves those sites’ SEO performance.

This kind of strategy is just sad, speaking from the perspective of an SEO.

I came up with a nice one-liner to clear all that nasty code. It works great for me and may be useful for others.

find . -name "*.php" -print0 | \
xargs -0 -n 1 grep -l -Z 'eval.*base64' | \
xargs -0 -n 1 sed -i'.old' '/eval.*base64/ d'
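A more surgical alternative to the `d` command in the last stage of the one-liner, added here as an example and not part of the original post: this Python function removes only the `eval(...)` call whose argument mentions base64 (it generalizes the `eval.*base64` pattern to nested forms such as `eval(gzinflate(base64_decode(...)))`) and leaves the `<?php` tag and any other code on the same line in place. The function names and the sample input are my own constructions; feed it the files the `grep -l` stage finds and write the result back after taking the same `.old` backup.

```python
import re

EVAL_OPEN = re.compile(r'\beval\s*\(', re.IGNORECASE)

def _balanced_end(src, start):
    # Index just past the ')' closing the '(' before `start`, or None if unbalanced.
    # Quoted PHP strings are skipped so a ')' inside the payload cannot end the scan.
    depth, quote, i = 1, None, start
    while i < len(src):
        c = src[i]
        if quote:
            if c == '\\':
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return None

def strip_eval_base64(src):
    """Drop each eval(...) whose argument mentions base64; returns (text, count)."""
    out, pos, removed = [], 0, 0
    while (m := EVAL_OPEN.search(src, pos)):
        end = _balanced_end(src, m.end())
        if end is None:                     # unbalanced: stop, don't guess
            break
        if 'base64' not in src[m.end():end].lower():
            out.append(src[pos:m.end()])    # unrelated eval(): keep it
            pos = m.end()
            continue
        j = end
        while j < len(src) and src[j] in ' \t':
            j += 1
        if j < len(src) and src[j] == ';':  # swallow the terminator too
            j += 1
        out.append(src[pos:m.start()])      # everything before the call
        pos, removed = j, removed + 1
    out.append(src[pos:])
    return ''.join(out), removed

# Constructed sample: the injection shares a line with the real <?php tag
SAMPLE = '<?php eval(base64_decode("aGVsbG8=")); ?>\n<?php echo "ok"; ?>\n'
```

Running `strip_eval_base64(SAMPLE)` returns the page with only the injected call gone and a count of 1, whereas the `sed` `d` command would have removed the whole first line including its `<?php` tag.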
  • http://www.facebook.com/mmarlett Mike Marlett

    Thanks … that was useful. A little too aggressive, but useful. I altered this slightly on the last bit; instead of '/eval.*base64/ d' (which deletes the whole line that the eval(base64 line is on) I used 's/eval.*base64_decode.*/ /' which uses a regular expression to just replace the matching part. I had a problem with the bad code being on the same line as my real <?php tag, and your solution nuked everything. This leaves the <?php tag.

  • http://tekkie.flashbit.net/ Ain Tohvri

    Do you know what was the reason for such a thing to happen? Was it a URL exploit?

  • Michelangelo Turillo

    Hi, thanks for the hint, but I get a strange behaviour when I execute it. The "<?php" has been deleted in each file. How do I solve this problem? Look at http://paste.ubuntu.com/852334/; you can see BEFORE and AFTER the execution of your code.
    thanks!