Malicious Code Removal

Sometimes, viruses make their way onto a server. It's not usually the fault of the client, but often times it is the "fault" of the person exploiting. Occasionally, the programmer makes a mistake, but more often than not, the exploiter finds a way around the code written.

Here's how to get rid of certain malicious code.

rss.php & wp-yrwi.php

Step 1

Identify the two main malicious files: 

find . -name "rss.php" -o -name "wp-yrwi.php"

Step 2

Delete those files, if they are not expected. No code given for liability purposes.

Step 3

If using a framework, redownload the framework. Other code may be infected as well. On WordPress, I found theme files also infected. Run the following command:

Note, the code probably expands far off the right of the screen...note it ends with: .*;?>//' {} \; 

find . -name "*.php" -print -exec sed -ri 's/<\?php                                                                                                                                                                                                                                                                    .*;?>//' {} \;

Feel free to redownload anything AFTER you run that command.

This topic: Main > WebHome > MaliciousWebCodeRemoval
Topic revision: r2 - 2014-12-28 - ZachBornheimer
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback