Need help in adding missing tag in php pages

Hi,
I am still a newbie on ssh but trying hard.
My friend's website was hit by some virus which included a long encrypted malware code on each and every php file she had.

I was able to use the sed command via ssh to remove the malware code, but now most pages don't have an opening <?php tag.

I made a copy of the pages and tried many options, but some or most files are not getting <?php at the start of the *.php page.
The sed command I used removed the malware matching string but didn't leave any space at the start of the files.

Can someone please help me with this?

Many thanks for your time.

Please, try:

perl -i -npe '$_="<?php\n$_" if $. == 1 and not /^<\?php/; $.=0 if eof' *.php

It will convert a php file content from this:

echo readfile("webdictionary.txt");
?>

to this:

<?php
echo readfile("webdictionary.txt");
?>

You may want to share your sed script to identify where the <?php lead in was removed.

A sed solution for your problem:

sed '1 {/<?php/b;s/^/<?php\n/}' file >TMP && mv TMP file

Thanks Aia & RudiC

RudiC, your code says
sed: can't read file: No such file or directory

showing 2 screenshots

The malware code I removed using sed:
find . -name "*.php" -exec sed -i '/isset/d' {} \;

But after removal the <?php tag went missing.
Below is the start of the processed page after sed

Earlier it was

Replace "file" with your actual file name (which you did not provide!).

Thanks again

There are 200+ files in each folder :(

Is there anything which does this in a folder tree or globally inside /home/user?

---------- Post updated at 11:55 PM ---------- Previous update was at 11:50 PM ----------

Works like a charm, thanks :D ;)
but I haven't checked it thoroughly.

As all the backups my friend has are also infected with a copy of the malware, she cannot afford to lose the only working copy online.

I am going to test this for the next few hours before I run it on the LIVE server.

---------- Post updated at 11:58 PM ---------- Previous update was at 11:55 PM ----------

RudiC: can you please share your expertise and tell why this code didn't work like it was supposed to?

grep -Lr --include=*.php "<?php" /home/path/ | xargs sed -i "1s/^/<?php \n/"

That would delete any line, regardless of how long, that contains the string isset in its content, and it would do it in the input file. Since <?php is part of that line it will disappear.
The following would have done what it appears you wanted, leaving a <?php intact.

sed -i '/isset/c\<?php' file

Of course, if there are other lines in the middle of the file with the string isset, it would replace it with <?php which might not be what you want.
Another way would be to find more about the isset block and craft an appropriate regex. Using your example:

sed -i 's/if(!isset.*$//' file

Love to - if you tell me how you supposed it to work and what it really did.

---------- Post updated at 20:44 ---------- Previous update was at 20:43 ----------

... optimally backed by sample data ...


I am a newbie, but someone who was suggesting a way to include it in all pages suggested that.

I would happily be enlightened if you can tell what's wrong in it and how you would do it with perl for all folders underneath.
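
Added example, not posted by anyone in this thread: a POSIX shell function for the tree-wide repair asked about above. It checks only line 1 of each file, copes with file names containing spaces, defaults to a dry run, and keeps a copy of every file it changes. The function name, the .bak suffix and the rule that a first line starting with `<` is left alone are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the thread.
# restore_php_tag DIR [apply]
#   Lists every *.php file under DIR whose first line lacks an opening tag.
#   With "apply" it also prepends "<?php" after saving FILE.bak.
# Assumptions of this example: the function name, the .bak suffix, and the
# rule that a first line starting with "<" (a PHP tag or an HTML template)
# means the file is left alone.
restore_php_tag() {
    # find hands the names straight to the inner shell, so names containing
    # spaces survive; piping a file list into plain xargs would split them.
    find "$1" -type f -name '*.php' -exec sh -c '
        mode=$1; shift
        for f in "$@"; do
            [ -s "$f" ] || continue            # skip empty files
            first=
            # Test line 1 only. "grep -L" looks at the whole file and skips
            # any file that still has "<?php" somewhere further down.
            IFS= read -r first < "$f" || :
            case $first in
                "<"*) continue ;;
            esac
            printf "%s\n" "$f"                 # report the candidate
            [ "$mode" = apply ] || continue    # dry run stops here
            cp -p -- "$f" "$f.bak" || exit 1   # keep the pre-change copy
            # Rewrite in place so owner and permissions stay as they were.
            { printf "<?php\n"; cat -- "$f.bak"; } > "$f"
        done
    ' sh "${2:-dry-run}" {} +
}

# Usage (the path is the one mentioned in the thread):
#   restore_php_tag /home/user          # dry run, review the list first
#   restore_php_tag /home/user apply    # then apply
```

Once the site has been verified, move the .bak files out of the web root: a web server typically serves *.php.bak as plain text, which exposes the source.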