How do I replace the first line of every php file on my website?
August 12, 2014 5:10 PM   Subscribe

I have some potentially malicious code stuck onto the first line of every php file on my website. How do I get rid of it without going into each file and cutting it out?
posted by sdis to Computers & Internet (19 answers total) 2 users marked this as a favorite
Download it, use a shell/python/whatever script to cut out the first line (optionally: only if it matches some type of regex), and then upload the fixed version...?
posted by ethidda at 5:14 PM on August 12, 2014

An example - one of my index.php files:
posted by sdis at 5:15 PM on August 12, 2014

Modifying a bunch of files to remove suspicious code is going to be a tedious, fragile, and likely incomplete way of fixing the problem. The safest thing to do here is restore a backup prior to the introduction of the suspicious code (preferably offline, allowing you to plug the hole that allowed the problem in the first place).
posted by ddbeck at 5:18 PM on August 12, 2014 [3 favorites]

@DDbeck: Unfortunately I have no idea when the code was introduced, and I have a developer that's been working on the backend of the site for weeks to code a new web shop, and I can't lose that data. (It's honestly possible that the developer introduced that code, but I have no way of knowing and I still need the code he's done. :P)
posted by sdis at 5:21 PM on August 12, 2014


First, are you sure that the system isn't otherwise compromised? Most likely somebody gained access to the system through a security hole or a weak password. If they did it once, they can do it again. That's the first thing you need to fix.

You can try to fix all the files, but it's not going to be super reliable, so you need to make a backup first. If you have an existing backup without the code already, that would probably be better.

Do all the files have the same start to the line? In other words, to they all start with the bit below?
<?php $ndrlwpsnyz = '
Are you sure that all the PHP files have the code?

Can you access a command prompt on the system? Is it Linux/BSD?
posted by Renegade Duck at 5:57 PM on August 12, 2014

If you don't know how it was introduced there, then there's probably nothing stopping it being added again - so make sure you start doing regular snapshots of your site once you clean it up.

I'd be pretty concerned that this isn't the only place that payloads were left, too.
posted by xiw at 5:59 PM on August 12, 2014

@Renegade Duck: Yeah, all the files start with <?php $ndrlwpsnyz = ', and no, it's not every single Php file. Seems like lots of the unused ones didn't get hit. I'd say it's like 60%.
posted by sdis at 6:02 PM on August 12, 2014

You don't happen to have your code in source control in a trusted location? If not, maybe you (or the developer you hired) should do that in the future, since that would make this much easier to recover from; just reimage the server (unless you're on shared hosting, in which case you'd delete all of the files in your website; in either case, you can't reliably trust that there wasn't a deeper, more persistent compromise that is harder to detect), redeploy fresh code from your source control, then restore the database and other dynamic data from the backup that you're also doing regularly. (Right?)

If you don't have backups and source control, you should think very seriously about doing that in the future. It can change a major crisis into a minor annoyance.

Also, you should figure out how those PHP files got modified in the first place. If you don't, and it was a hack, you'll just get hacked again as soon as you redeploy.
posted by Aleyn at 6:13 PM on August 12, 2014

Ok. With the caveat that I don't know your system, and I cannot guarantee this will work, and you should make a backup, here's the command to remove the strings:

find . -name '*.php' -print0 | xargs -0 sed -i '' -e "/^<?php \$ndrlwpsnyz = '/d"

That should all be on one line.

That will find everything in the current directory and any directories it contains (and any directories they contain, etc.) that has a name that ends with .php, and remove all lines that start with <?php $ndrlwpsnyz = '.

Again, you probably have an unpatched security hole. You should get someone to rebuild the system and take a look at the code. Otherwise, this is just going to happen again, and you probably already have other problems you can't see.
posted by Renegade Duck at 6:16 PM on August 12, 2014

Oh, and it's possible that won't work on your system if you have the wrong version of sed. It will give an error in that case.
posted by Renegade Duck at 6:17 PM on August 12, 2014

First, commit your code to a repository. I use which is $6/month for unlimited repos. This will be your fallback in case things go wrong.

Next, take a careful look at the example you posted. You don't want to delete the first line, you want to delete everything up to the first closing php tag, otherwise you will delete the opening php tags for your good code. I am using this as a quick example of why it's extremely dangerous to use command-line utilities to update your code wholesale.

In your situation and at your skill level, the fastest and least error prone thing would be, in my opinion, to download NetBeans IDE (HTML5 & PHP bundle), create a new project from existing sources using your files, and then search/replace the malicious code using "Replace In Projects" menu option. This way, you will find all occurrences of malicious code but will still be able to give it a quick human look-over before replacing.
posted by rada at 6:26 PM on August 12, 2014 [1 favorite]

Ugh. rada is right. If you've already run the code, then I can provide a command to fix it (probably, depending on how it was done). Otherwise, here's a new version:

find . -name '*.php' -print0 | xargs -0 sed -i '' -e "s/^<?php \$ndrlwpsnyz = '.*?>//"

Again, no guarantees.
posted by Renegade Duck at 6:37 PM on August 12, 2014

If you want to do a batch find-and-replace as suggested throughout the thread but without using the command line (and you're on a Mac), use TextWrangler. It's free, you'll be able to experiment on a few selected files to see what happens before uploading them back to your server, and you can undo with one keystroke. I imagine similar free programs for other operating systems also exist if you're not on a Mac.
posted by amicus at 8:55 PM on August 12, 2014

About 5 years ago had something similar happen to a site I was working on with 2 others. We had a text editor that could work multiple files at a time (Komodo edit, but any of the suggestions above are viable). I just want to highlight the "how did this happen?" Question. One of our developers had a malware infection and corrupted the PHP in 3 sites before we determined what the problem was.
Plug the hole or you will be doing this more than once.
posted by Fibognocchi at 9:30 PM on August 12, 2014 [1 favorite]

Being blunt. Your question is incorrect so I am going to ignore it. The fact that you posed the question in that way means you probably do not understand what you are asking for.

You have got absolutely no way of knowing what any of the php files contain because they are obfuscated. Your fix is unlikely to solve the problem, and short of a complete de-obfuscation and audit that code will never ever be trustworthy.

Do have any de-obfuscated backups of the code? If not, start again because that code is unmaintainable except by the person who obfuscated it.

Really, start again because sooner or later you will have to do that.
posted by epo at 5:13 AM on August 13, 2014 [2 favorites]

epo, the obfuscated code is the malicious code that was added not the original code and he already has a new site being developed.

You can usually tell by the file timestamps when they were altered, if the code is the same for every affected page, there are various software programs that can remove it - eg "multiple find and replace" but IME, its not always the same thing for every page and there may be other exploits added that you haven't found. If you don't find out how it got there though, it will happen again. Are you using a bespoke application or an off-the-shelf package? If it's bespoke then you'll need a professional to audit the code to fix the vulnerability. Its highly unlikely that the code was added by your developer, he wouldn't need to.
posted by missmagenta at 5:42 AM on August 13, 2014

OK, my mistake. The description said "one of my index.php files" which made it sound like it was the whole thing.

If you suspect any malicious activity you still need a complete code audit, in the absence of which, start again.
posted by epo at 5:46 AM on August 13, 2014

I fixed a similar problem by downloading all the files, making a backup, and then using the Find in Files replace in Notepad++.
posted by gregr at 8:57 AM on August 13, 2014

It sounds like you've basically got no idea what you're doing security wise, your systems are probably compromised top to bottom, and what you should really be doing is spinning up new VMs, updating with all the latest patches and recommitting code from scratch. If you can't do that, you've got serious process problems that need to be resolved or you'll be doing this again in a couple of months, meanwhile all of your customers data will have been compromised.
posted by empath at 12:05 PM on August 13, 2014

« Older I need a physical therapist for my… tongue?   |   Infections in Education... Newer »
This thread is closed to new comments.