Was your website hacked and malicious code included in your files? If that is so, then you certainly would like to remove it and clean it. You can pay someone to do that work for you, but if you would like to perform it yourself, then this article might be of help and show you how to identify and remove the code.
We'll assume that you do have SSH access to your hosting account / server (if it is a Linux/Unix box), but if you do not have such access, you might want to set up a development environment on your local machine running a Linux virtual box, as described in another post on this website, and then copy your files to that environment.
First, we will need to identify the infected files. The easiest way to narrow down our search is to find which files were modified in the past few days (or since the time you know the website was still working). To do so, navigate to your website's main folder and execute the following command (using SSH):
find . -mtime -5
This will list all files which were modified in the last 5 days. Open one of the files and look for a suspicious line including either the word eval() or base64_decode(), gzinflate() or any combination of those. A recent attempt to hack this website had the following lines attached to a file:
$rhs="jY3RCkAwFIbvlWpjt1rxAmG8iaSz…….ZT9MoNu/2YlJ9z98S8rA=="; eval(gzinflate(str_rot13(base64_decode($rhs))));
The actual code which is executed is the one we cannot seem to read (i.e. jY3RCkAwF…), and our ultimate task is to remove it altogether from our files. To do so, we will search the files and create a list of the infected ones. The SSH command we will use is the standard grep:
grep -r -H -l "jY3RCkAwF" * > infected.txt
The command might seem a bit daunting to you, but what you really need to change is the quoted string (jY3RCkAwF): replace it with just a few characters of the code you saw in one of your files. What this does is search recursively (the -r option) in all your folders for the characters in the quotes and print only the names of the files containing them (the -l option) into a file called infected.txt. The command might take a while to execute, depending on how many files and folders you have; once it is completed you will have a file listing each infected file.
The last step is to actually remove the code from the files. In 99% of the cases I've seen, the code is added either at the top of the file or at the bottom and is on its own separate line (if that is not the case with you, check the alternative sed commands provided below). This makes it really easy to remove it with one single command using the SED tool. Before running the command, you should create a backup of your files, just in case something goes terribly wrong. Then run:
while IFS= read -r i; do sed -i '/jY3RCkAwF/d' "$i"; done < infected.txt
The only thing to edit in the command is the string between the slashes (just as with the grep, replace it with a few characters of the code you found in your files). Reading the file names with read rather than splitting the output of cat, and quoting "$i", keeps the command working for paths containing spaces. What the command does is as follows:
- It lists all results from the infected.txt file
- For each of the results it runs sed '/code/d', which removes every line containing the 'code' string
- It then saves the file without that code
That's all there is to it. You should repeat this for each type of malicious code you found in step 1 (while using the find . -mtime command), and when finished, your website should be pretty clean.
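The whole find/grep/sed procedure above as an added shell script (not code from the original post): it lists matching lines for review, backs each file up, strips the signature and checks that it is gone. It assumes POSIX find, grep and sed; the signature jY3RCkAwF and the three sample files are constructed for the demonstration, and the script also covers the case from the additional commands where the injected code shares a line with the opening <?php tag.

```shell
#!/bin/sh
# Added example, not code from the original post: the find/grep/sed steps
# above as reviewable functions with a backup and a post-check. Assumes
# POSIX find, grep and sed; SIGNATURE and the sample files are constructed.

# List regular files under $1 modified in the last $2 days that contain
# the fixed string $3 (-F: a base64 blob is not a regular expression).
find_infected() {
    find "$1" -type f -mtime "-$2" -exec grep -l -F -- "$3" {} +
}

# Print each line of $1 containing $2 with its line number, for review
# before anything is deleted.
show_matches() {
    grep -n -F -- "$2" "$1"
}

# Back $1 up to $1.bak, then strip $2 from it: a hit that shares its line
# with the opening tag keeps the tag (assumes the injected statement runs
# to the end of that line), any other hit has its whole line deleted.
# '%' is used as the sed delimiter so a '/' inside a blob cannot end the
# pattern. Returns 1 if the signature is still present afterwards.
clean_file() {
    cp -p -- "$1" "$1.bak" || return 1
    sed -e 's%^<?php.*'"$2"'.*$%<?php%' -e '\%'"$2"'%d' "$1" > "$1.tmp" \
        && mv -- "$1.tmp" "$1"
    ! grep -q -F -- "$2" "$1"
}

# --- demonstration on a constructed, throw-away web root ---
SIGNATURE='jY3RCkAwF'
WEBROOT=$(mktemp -d)
LIST=$(mktemp)
printf '<?php\n$rhs="jY3RCkAwFIbvlWpjt1rx/ZT9Mo==";eval(gzinflate(str_rot13(base64_decode($rhs))));\necho "Hello";\n' > "$WEBROOT/index.php"
printf '<?php $rhs="jY3RCkAwF/ZT9Mo==";eval(base64_decode($rhs));\necho "Bye";\n' > "$WEBROOT/header.php"
printf '<?php\necho "clean";\n' > "$WEBROOT/clean.php"

find_infected "$WEBROOT" 5 "$SIGNATURE" > "$LIST"
INFECTED_COUNT=$(grep -c '' "$LIST")

while IFS= read -r f; do
    show_matches "$f" "$SIGNATURE"
    clean_file "$f" "$SIGNATURE" && echo "cleaned: $f"
done < "$LIST"
```

Review the show_matches output before trusting the cleaned files: a hit that sits on the same line as legitimate code other than the opening tag needs a hand-written substitution rather than a whole-line delete.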
Additional SED Commands
Below are some additional/alternative sed commands which you might want to use:
- All-in-one command. It combines the grep and sed commands into one:
- Replace with opening tag, in case the malicious code is on the same line
- Delete the first n lines (3 in this example)
- Delete the first line and add an opening php tag