Removing Nefarious Obfuscated php

Posted in Reminders to Self

This is mostly a reminder to myself:

There exist mechanisms for nefarious folks to inject obfuscated scripts into WordPress pages.

If this happens:

Search for injected scripts:
grep -lR "eval(base64_decode" *
(Look for the obfuscated code)

These scripts often don't put new lines in the corrupted page, so you'll often have to be a bit careful about how you remove the script. Simply removing the nth line (where n is the evil code) can get you into trouble.

Fortunately, these are encapsulated php blocks, so we can be confident that removing a complete block should remove the bad code.

find . -name "*.php" | xargs grep -l "eval(base64_decode" | xargs sed -i.corrupted '1,1 s/<?php.*>//g'

(Find all the php files -> look to see if each has an obfuscated script -> make a backup and then replace any complete php blocks with nothing, but only on the first line)

find . -type f -name "*.corrupted" -exec rm -f {} \;
(Remove the backup files)
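The three steps above (grep for the marker, back up and strip the first-line block, remove the backups) as one rehearsal script, so the sed expression can be checked against a throwaway directory before it touches a live site. This is an added example, not part of the original post: the "infected" file, its placeholder payload string, and the directory layout are all constructed here, and the script assumes a sed that accepts an attached -i suffix (GNU and BSD sed both do).

```shell
#!/bin/sh
# Added example (not from the original post). Rehearses the clean-up on a
# constructed sample tree; the payload "QUJD" is a made-up placeholder.

# Build a throwaway tree: one file with an injected block glued onto the
# same line as the real opening tag (no newline, as the post describes),
# and one clean file that must survive the sed untouched.
make_sample_tree() {
    sample_dir=$(mktemp -d)
    printf '<?php eval(base64_decode("QUJD")); ?><?php\n// legitimate code\necho "hello";\n' \
        > "$sample_dir/index.php"
    printf '<?php\necho "clean";\n' > "$sample_dir/clean.php"
    echo "$sample_dir"
}

# Step 1 (the post's grep -lR): list files containing the marker.
find_injected() {
    grep -lR 'eval(base64_decode' "$1"
}

# Step 2 (the post's find | xargs | sed): for each infected .php file keep a
# .corrupted backup and delete every complete "<?php ... >" span on line 1.
# The regex is greedy, so it runs to the LAST ">" on line 1; that is what
# clears the injected block while leaving a trailing "<?php" in place.
strip_first_line_blocks() {
    find "$1" -name '*.php' \
        | xargs grep -l 'eval(base64_decode' \
        | xargs sed -i.corrupted '1,1 s/<?php.*>//g'
}

# Step 3 (the post's find -exec rm): drop the backups after review.
remove_backups() {
    find "$1" -type f -name '*.corrupted' -exec rm -f {} \;
}

# Helper used to check the result: first line of a file.
first_line() {
    head -n 1 "$1"
}

# Helper used to check the result: number of live (non-backup) files that
# still contain the marker after cleaning; should be 0.
remaining_infected() {
    grep -lR 'eval(base64_decode' "$1" | grep -v '\.corrupted$' | wc -l | tr -d ' '
}

# Walkthrough: prints what each step sees on the sample tree.
demo() {
    d=$(make_sample_tree)
    echo "infected before:"; find_injected "$d"
    strip_first_line_blocks "$d"
    echo "index.php line 1 after: $(first_line "$d/index.php")"
    echo "clean.php line 1 after: $(first_line "$d/clean.php")"
    echo "still infected (non-backup): $(remaining_infected "$d")"
    remove_backups "$d"
    rm -rf "$d"
}

demo
```

Run it as `sh cleanup_rehearsal.sh`; the interesting line is the "index.php line 1 after" output, which should be just `<?php`, showing that the greedy match removed the injected span but kept the page's own opening tag that was glued onto the same line.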