Hi,
I am not sure how to block this hack, but as a workaround
I wrote a solution which would restore your files even if you dont have any backup,
the below script catches all infected php files on your server, backup them (with it original path),restoring them into it orig state, and also write a summary file with the result
It works great for me (about 21000~ php files scanned and fix in 7min)
In order to use it copy the below code into file on your home directory
name the file php_fix.sh
make it executable by typing
chmod +x php_fix.sh
and run it:
./php_fix.sh y
You may consider add it to your crontab job to run automatically every day.
enjoy
#!/bin/bash
infected_files=0
fixed_files=0
DATE=date +"%d-%m-%y %T"
find . -name "*.php" |grep -v 2fix > php_files.dat
php_files=cat php_files.dat |wc -l
if [ ! ls 2fix ]
then
mkdir 2fix
fi
while read file_name
do
if [[ head -1 $file_name |grep GLOBALS ]]
then
if [[ $1 == "y" ]]
then
fixed_string=head -1 $file_name |grep GLOBALS | awk -F"?>" '{print $3}'
cp --parents $file_name 2fix/
sed -i "1s/.*/$fixed_string/" $file_name
#sed -i "1s/.*/\<\?php/" $file_name
#sed -i '1d' $file_namea
let fixed_files=$fixed_files+1
else
let infected_files=$infected_files+1
fi
fi
done < php_files.dat
echo $DATE, "Scannded files:" $php_files, "Fixed files:" $fixed_files, "Infected: " $infected_files >> fixed_files.dat
exit