Yegor's blog

Small blog about system administration.

Removing “EVAL(BASE64_DECODE” from all PHP files

Yesterday, almost all installations on our test server had been infected by infamous 

“<?php eval(base64_decode(…)) ?>”   code injection.

We have more than 600 demo sites on our test server and cleaning them using any WordPress plugin out there was simply out of the question! Can you imagine logging into each WordPress, installing plugin, then scanning/cleaning up WordPress… for 600+ WordPress sites?

Below is combination of Linux commands we used. Assuming you have logged into a Linux Shell and already have BACKUP of all files (including infected files) lets move ahead!
Command to list all infected files:

grep -lr --include=*.php "eval(base64_decode" /path/to/webroot

This is not necessary but its better to check some files manually to confirm if they have malicious code we are looking for. Also we can use this command after running cleanup command to crosscheck if cleanup is really successful.
Command to remove malicious code:

If above command gives you correct output, execute following command to perform actual cleaning:

grep -lr --include=*.php "eval(base64_decode" /path/to/webroot | xargs sed -i.bak 's/<?php eval(base64_decode[^;]*;/<?php\n/g'

Executing above will remove eval(*) codes. Above command will also generate a backup version of files it will modify. For example, if it removes code from index.php, you will find a new fileindex.php.bak in same directory with original content of index.php

Now after running above command, you still find some more infected files, then you need to adjust search and replace parameters in for “sed” part. You may also use following command for a “liberal” cleaning at the risk of breaking something. (in case you really break something, like I did, you can jump to “Troubleshooting” section below!)

grep -lr --include=*.php "eval(base64_decode" /path/to/webroot | xargs sed -i.bak '/eval(base64_decode*/d'

Trying to avoid re-appearance of this code injection

Its really though to cover every possible way to protect yourself from such attach in this post.

If you remember, WordPress community faced this kind of issue because of WP-PhpMyAdmin plugin sometime back. In our case, we found some old WordPress demo sites were having that plugin installed.

To remove WP-PhpMyAdmin plugin form all WordPress sites on your server, execute following command:

find /path/to/webroot -name "wp-phpmyadmin" -type d | xargs rm -rf

Above is all we did to get rid of eval(base64_decode(*)) codes from all files on our test server. If this happens again on our server, I will update this post with added info.

Just in case you end up in a mess, below are some useful commands.

Missing <?php tag in the beginning:

To add “<?php: tag in the beginning of index.php files, in case if you remove it accidentally use following command:

find /var/www/ -name "index.php" | grep "/htdocs/index.php" | xargs grep -L "<?php" | xargs sed -i "1s/^/<?php \n/"

Don’t worry. If you already have a “<?php ” tag in the beginning, it won’t be added again.

Extra Newlines at the top!

If you find after cleanup, extra newlines at the top of your code, then use following command to remove trailing newlines. Extra newlines creates problem for blog feeds.

find . -name '*.php' -exec sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' '{}' \;

I hope you will find this stuff useful.

No comments :

Post a Comment

HOWTO: httpd dead but subsys locked

I just finished installing CentOS 5.6 on my machine and when i tried to start httpd service I encountered this error:

"httpd dead but subsys locked"

Googling around I found this commands

check for running processes

ipcs -s | grep apache

(more info @

stop processes

ipcs -s | grep apache | perl -e 'while (<STDIN>) { @a=split(/\s+/); print `ipcrm sem $a[1]`}'

Remove httpd lock file

cd /var/lock/subsys && rm httpd
service httpd restart

1 comment :

Post a Comment

exiqgrep exit with error “Line mismatch”

Sometime exiqgrep exit with error Line mismatch when you try to remove emails with the -Mrm option

#exiqgrep -o 604800
Line mismatch: 170d 1IGLxw-0004Tw-Ne

You can remove the particular entry that errors out as follows.
# exim -bpru | grep “170d” | awk ‘{print $2}’
#exim -bpru | grep “170d” | awk ‘{print $2}’ | xargs -n 1 -P 20 exim -Mrm

You will see something like,

Spool data file for 1IGLxw-0004Tw-Ne does not exist
Spool data file for 1IGTFn-0000VM-UI does not exist
Continuing, to ensure all files removed
Continuing, to ensure all files removed
Message 1IGTFn-0000VM-UI has been removed or did not exist
Message 1IGLxw-0004Tw-Ne has been removed or did not exist

Nevermind, those messages should be removed now
Repeat the process until all the mal-formated entries are removed.
Did that work for you ?

No comments :

Post a Comment

The script to kill DoS/DDoS botnet on the OpenVZ hardware node

I recently faced the problem of DDoS attack OpenVZ containers.
DDoS net consists of these IPs. They are attack VZ servers:

So, at the first I did the following thing at the HW node:

# iptables -I FORWARD -s -j DROP && 
iptables -I FORWARD -s -j DROP && 
iptables -I FORWARD -s  -j DROP && 
iptables -I FORWARD -s -j DROP

Then, I made the script to kill that botnet:

# tcpdump -n > tcp.dmp;cat tcp.dmp | grep| awk '{print $3}'| sed -r 's/.dom/ /g'| awk '{print $1}' | sort -n | uniq -c| awk '{print $2}'| xargs -i iptables -A INPUT -s {} -j DROP && cat tcp.dmp | grep| awk '{print $3}'| sed -r 's/.dom/ /g'| awk '{print $1}' | sort -n | uniq -c| awk '{print $2}'| xargs -i iptables -A FORWARD -s {} -j DROP && cat tcp.dmp | grep| awk '{print $3}'| sed -r 's/.dom/ /g'| awk '{print $1}' | sort -n | uniq -c| awk '{print $2}'| xargs -i iptables -A OUTPUT -s {} -j DROP

Actually, tcpdump rulezz :-)

No comments :

Post a Comment

How to prevent DoS/DDoS attack on linux server

All web servers been connected to the Internet subjected to DoS (Denial of Service) or DDoS (Distrubuted Denial of Service) attacks in some kind or another, where hackers or attackers launch large amount connections consistently and persistently to the server, and in advanced stage, distributed from multiple IP addresses or sources, in the hope to bring down the server or use up all network bandwidth and system resources to deny web pages serving or website not responding to legitimate visitors.

You can detect the ddos using the following command

#netstat -anp|grep tcp|awk ‘{print $5}’| cut -d : -f1|sort|uniq -c|sort -n

It will shows the number of connections from all IPs to the server.

There are plenty of ways to prevent, stop, fight and kill off DDoS attack, such as using firewall. 
A low cost, and probably free method is by using software based firewall or filtering service. 
(D)DoS-Deflate is a free open source Unix/Linux script by MediaLayer that automatically mitigate (D)DoS attacks. It claims to be the best, free, open source solution to protect servers against some of the most excruciating DDoS attacks.

(D)DoS-Deflate script basically monitors and tracks the IP addresses are sending and establishing large amount of TCP network connections such as mass emailing, DoS pings, HTTP requests) by using “netstat” command, which is the symptom of a denial of service attack. 
When it detects number of connections from a single node that exceeds certain preset limit, the script will automatically uses APF or IPTABLES to ban and block the IPs. 
Depending on the configuration, the banned IP addresses would be unbanned using APF or IPTABLES (only works on APF v 0.96 or better).

Installation and setup of (D)DOS-Deflate on the server is extremely easy. Simply login as root by open SSH secure shell access to the server, and run the the following commands one by one:

chmod 0700

To uninstall the (D)DOS-Deflate, run the following commands one by one instead:

chmod 0700 uninstall.ddos

The configuration file for (D)DOS-Deflate is ddos.conf, and by default it will have the following values:


Users can change any of these settings to suit the different need or usage pattern of different servers. 
It’s also possible to whitelist and permanently unblock (never ban) IP addresses by listing them in /usr/local/ddos/ignore.ip.list file. 
If you plan to execute and run the script interactively, users can set KILL=0 so that any bad IPs detected are not banned


Post a Comment