A PHP Script to automatically clean files affected by the eval(gzinflate(base64_decode…) hack

In late April, my server got hacked. Most of my php files had code that looked like this placed at the top:

eval(gzinflate(base64_decode('DZZFssRYokOX... long string of gzipped-base64-encoded php code);

I’m not sure how the bad guys got in, but I changed all my passwords and updated all the software on the server. Then, like any obsessive programmer, I set forth making a script to clean up the mess programmatically. My solution was a two-step process. I used the GNU find command to find all my php scripts with the code “eval(gzinflate” in them. I chose to search by this code because I can’t think of too many legitimate reasons to do this, and it matched all the infections I found manually. The full command I used for this was:

find /full/path/to/public_html -name "*.php" -exec grep -li "eval(gzinflate" {} \;

This command finds all php files then uses grep to look inside each file for “eval(gzinflate”.

I copied the results of this command to a text file called fullInfected.txt.

After I had a list of infected files, I wrote a php script that’ll go through each file on the list, do a search, and remove all lines with the infected code in it. I saved the script in the same directory as my fullInfected.txt file. You can get that file (with a few sample supporting files) here: CleanEvalBase64_decodeHack script.

There are two variables that can be set at the top of the file: One for the name of the file with the list of infected files in it ($listOfFiles) and another for the text to search for ($findWhat). I uploaded the script to the server and ran it via SSH:

php clean.php

When the script runs, it will log a list of which files were cleaned.

This script is released as-is, with no implied warranty whatsoever under the Creative Commons Attribution-ShareAlike 3.0 Unported License. Make a backup of your server before using this and test this very thoroughly on a small sample of infected files.

I’m sure there are more efficient ways to do this with shell commands and/or regex, but I didn’t know how to do it that way. Good luck getting cleaned up!
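As an added illustration of the list-driven cleanup described above (this is example code, not the clean.php from the post), the script below reads the same kind of fullInfected.txt, but removes only the injected eval(gzinflate(base64_decode('…'))); statement rather than the whole line, so a <?php that shares the line survives; it copies each modified file to <file>.bak first and logs what it changed. The regex, the .bak naming and the temporary sample file it builds for a self-contained run are all assumptions of this example.

```php
<?php
// Added example, not the post's clean.php. Strips the injected
// eval(gzinflate(base64_decode('...'))); statement from every file named in a
// list, but only that statement, so a "<?php" sharing the line is kept.
// Each modified file is copied to <file>.bak first, and changes are logged.

// Statement shape from the post: eval(gzinflate(base64_decode('<base64>')));
// Assumption: the payload is one quoted base64 string with no whitespace.
const INJECTED = '/eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*[\'"][A-Za-z0-9+\/=]+[\'"]\s*\)\s*\)\s*\)\s*;?/';

function cleanFile(string $path): int
{
    $source = file_get_contents($path);
    if ($source === false) {
        return -1;                               // unreadable: report, don't touch
    }
    $cleaned = preg_replace(INJECTED, '', $source, -1, $count);
    if ($count > 0) {
        copy($path, $path . '.bak');             // keep the original for manual review
        file_put_contents($path, $cleaned, LOCK_EX);
    }
    return $count;                               // number of statements removed
}

function cleanList(string $listOfFiles, string $logFile): array
{
    $log = [];
    $paths = file($listOfFiles, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($paths as $path) {
        $n = cleanFile($path);
        $log[$path] = $n;
        $line = "$path: " . ($n < 0 ? 'UNREADABLE' : "$n removed") . "\n";
        file_put_contents($logFile, $line, FILE_APPEND);
    }
    return $log;
}

// Constructed sample in a temp dir so the script runs offline; in real use
// point cleanList() at your own fullInfected.txt and a log file instead.
$dir = sys_get_temp_dir() . '/evalclean_' . getmypid();
mkdir($dir, 0700);
$payload = base64_encode(gzdeflate('echo "injected";'));
file_put_contents("$dir/index.php",
    "<?php eval(gzinflate(base64_decode('$payload')));\necho 'site';\n");
file_put_contents("$dir/fullInfected.txt", "$dir/index.php\n");

print_r(cleanList("$dir/fullInfected.txt", "$dir/cleaned.log"));
echo file_get_contents("$dir/index.php");    // the "<?php" opening tag is still there
```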

4 Comments

Tyrone

Sorry for the stupid question, but my programming skills are far below average. How can I modify your PHP code to only search for the specific text string instead of requiring the “fullinfected.txt”?

I want to search each file (.php .htm .html .txt) for any strings containing eval(base64_decode(‘ZXJ
Then have that deleted (all the way to the end of the code line) in each file.

Any help would be appreciated.

Trav

You could run the find command using the PHP exec() function and iterate over the results. See the php manual entry for exec. This can be problematic depending on the security settings on your server. Many hosts now disable exec (or at least severely limit it) so that find may not be allowable.

I coded this script using the infectedfile.txt method because I wanted to go through the list of possibly infected files by hand and see if any of them actually needed to use gzinflate. There weren’t any, but still, I wanted to make sure.

Haydz

Hi Jerry,

Found your website in a general search for further information on this exact topic.
A few of our cpanel servers were recently hacked in a very similar manner to this.

First of all, a suggestion – log the files, but *manually* check them. Some developers use this to obfuscate code in order to prevent code theft. You could potentially be deleting somebody’s shop code.

Secondly, I’ve written a (rather complex) perl program that will perform searches for “eval(base64_decode”, “eval(gzinflate” and urlencoded data. For the plaintext and the latter urlencoded data it will also search for some basic strings like ‘hacker’, ‘hacked’ and ‘haxor’ (including number substitutions), email a list of all discovered sites to the administrator’s email address, and allow you to whitelist them as well.
If you’d like a copy (perhaps to use yourself, or to host here), let me know and I’ll shoot one off to you.

The script I’m referring to is tailored to cpanel hosts (IE: It knows to look in /home/*/public_html for infected files, and to check them against /etc/valiases/* file owners for the domain), but could easily be changed to suit other applications.

under

Hello,

I have all my files infected with 2 lines of code, and so I tried your way.

So far, it’s not bad at all, it removes the code. Problem: the malicious code was injected right after the <?php so it also gets removed..

Any way to remove those lines with the exception of the <?php? Because as you guess, the site is now completely broken

thanks
