The eval(base64_decode malicious script is becoming a pain. The easiest way to keep this script out is by adding a few rewrite rules to your .htaccess file. If you are hit by this exploit, you will have several hundred files (every .php file for sure, and maybe some with other extensions too) with malicious code in them.
If you have shell access you can easily replace the malicious code using the sed command with a regexp, but what if you don't? Most of the time your hosting provider won't give you shell access, and then there are people like me who don't understand regexps and are not good at programming. We just need a script that can find and replace text much like MS Word or Dreamweaver, but running on the server.
Here is a quick PHP script to help you patch all the files easily. I picked the recursive directory listing code from here and added a regular expression search, followed by a backup and replacement of the malicious code.
Now, I am not a programmer, so I am sure it can be improved upon. It's a very, very crude script, put together by searching for various commands, but it works.
I am sure all the expert users already have shell access, but this file is for those who want a PHP script they can put on their server and run to clean up.
To use this script:
1. Save it in a .php file.
2. Put the .php file in the root of the directory you wish to scan and run it by accessing it in a web browser.
3. Let the script run and look at the detailed report on each file scanned.
The script does a regular expression search for anything that starts with eval(base64_decode and ends with ;.
If it finds a match, it saves a copy of the file it thinks is infected as .evbk and removes the matched code from the original file. There are many cases where you may have legitimate base64-encoded code of your own; the script would remove all such code too, so check the report before trusting the result.
If something goes wrong, you can always go back to your original file by renaming the .evbk file. If you run the script again, it won't go looking for code in the .evbk files again.
<?php
// Reconstructed head: the page lost everything before the loop body. The
// pattern follows the post's description (starts with eval(base64_decode,
// ends with ;) and the directory walk uses PHP's RecursiveDirectoryIterator
// in place of the listing code the author copied; both are reconstructions.
$pattern = '/eval\(base64_decode\(.*?;/s';  // non-greedy: stop at the first ;
$replacestring = '';                         // matched code is removed outright
$filecount = 0; $infected = 0; $filesbackedup = 0; $filesrepaired = 0;

$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator(__DIR__, FilesystemIterator::SKIP_DOTS)
);
foreach ($iterator as $file => $info)
{
    if (!$info->isFile()) { continue; }
    $string = file_get_contents($file);
    if ($string === FALSE) { echo "could not read ".htmlspecialchars($file)."<br>\n"; continue; }
    $content = preg_replace($pattern, $replacestring, $string, -1, $count);
    $infected = $infected + $count;   // counts matches, not files
    $filecount++;
    // The HTML tags in the echoes were stripped by extraction; <b>/<br> restored.
    echo "<b>".htmlspecialchars($file)."</b>".' had '.$count.' Infection(s)';
    $isbackupfile = preg_match('/evbk$/', $file); // evbk is our backups.
    if ($count > 0 and !$isbackupfile)
    {
        $newfile = $file.".evbk";
        // The original overwrote the file even when the backup had failed;
        // now it only repairs after a successful backup.
        if (!copy($file, $newfile)) { echo " failed to backup, not repairing<br>\n"; }
        else
        {
            echo " Backedup"; $filesbackedup++;
            $replaced = file_put_contents($file, $content);
            // The original tested !$replaced===FALSE, which is (!$replaced)===FALSE.
            if ($replaced !== FALSE) { echo "...Repaired<br>\n"; $filesrepaired++; }
            else { echo "Failed to Repair<br>\n"; }
        }
    }
    else { echo "...not repairing<br>\n"; }
}
echo "<br>Scanning Report<br>\n";
echo "I searched your files for any occurrences of eval(base64_decode code and found this<br>\n";
echo "Total Number of Files Scanned : ".$filecount."<br>\n";
echo "Number of Infections found : ".$infected."<br>\n";
echo "Number of Files Repaired : ".$filesrepaired."<br>\n";
echo "Number of Files Backedup : ".$filesbackedup."<br>\n";
echo "Original (possibly infected) versions of files we repaired are backed up as .evbk files in the same directory. You can always rename them back if you see something is broken.";
?>
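Because the broad match also catches legitimate base64 use (the caveat above), a dry run that only reports each hit, with its line number and a preview of the decoded payload where the argument is a quoted literal, lets you triage before anything is overwritten. This is an added example, not the post's script; the sample files are constructed inline and the function name scanSource is my own.

```php
<?php
// Added example (not the original post's code): a report-only scanner using
// the same broad match the post describes (eval(base64_decode ... ;). It
// modifies nothing; it lists each hit and previews the decoded payload.
const BROAD_PATTERN   = '/eval\s*\(\s*base64_decode\s*\(.*?;/s';
const LITERAL_PATTERN = '/base64_decode\s*\(\s*[\'"]([A-Za-z0-9+\/=\s]+)[\'"]/';

function scanSource(string $name, string $source): array
{
    $findings = [];
    if (!preg_match_all(BROAD_PATTERN, $source, $hits, PREG_OFFSET_CAPTURE)) {
        return $findings;
    }
    foreach ($hits[0] as [$matched, $offset]) {
        // Line number = newlines before the match offset, plus one.
        $line = substr_count(substr($source, 0, $offset), "\n") + 1;
        $preview = '(argument is not a quoted literal; inspect by hand)';
        if (preg_match(LITERAL_PATTERN, $matched, $lit)) {
            $decoded = base64_decode(preg_replace('/\s+/', '', $lit[1]), true);
            $preview = $decoded === false
                ? '(not valid base64)'
                : substr($decoded, 0, 60);
        }
        $findings[] = [
            'file'    => $name,
            'line'    => $line,
            'bytes'   => strlen($matched),
            'preview' => $preview,
        ];
    }
    return $findings;
}

// Constructed samples: one injected-looking line with a literal payload, and
// one decoding a variable (the post's cleaner would strip this one as well).
$samples = [
    'index.php'     => "<?php\neval(base64_decode('ZWNobyAnaGVsbG8nOw=='));\nrequire 'config.php';\n",
    'lib/cache.php' => "<?php\n\$tpl = cached_template();\neval(base64_decode(\$tpl));\n",
];

foreach ($samples as $name => $source) {
    foreach (scanSource($name, $source) as $f) {
        printf("%s:%d  %d bytes  decoded: %s\n",
            $f['file'], $f['line'], $f['bytes'], $f['preview']);
    }
}
```

To run it over a real tree, replace the $samples array with the file contents read from the same RecursiveDirectoryIterator walk the cleaner uses.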
"Easiest way to keep this script out is by adding a few rewrite rules to your .htaccess file."
Which rules do you use? Can you share your .htaccess?
I use the settings in the Joomla 2.5 .htaccess. They have specified a few rules to block common exploits.
RewriteEngine On
## Deny access to extension xml files (uncomment out to activate)
#
#Order allow,deny
#Deny from all
#Satisfy all
#
## End of deny access to extension xml files
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a
How to remove those .evbk files?