Life as a website administrator is never easy, especially when you run websites that may attract the wrong kind of people, e.g. crackers or script kiddies. One of the most important steps in keeping a website safe is to make sure there is no permission leak on the server caused by careless configuration or by overly liberal file permissions.

Shit still happens sometimes when you forget to be careful, and some day some badass figures out the leak on your website and uses it to inject rotten code into every single file on the server (this happens too often on shared servers). Something like this recently happened to one of my clients, who had set 777 permissions on a WordPress plugin directory and all PHP files under it. What happened next is for anyone to figure out, but for the sake of this post, I’ll say that the badass prepended encoded shit to every single PHP file on the client’s server.

So if you ever find yourself in a similar situation and are fortunate enough to have access to the command line on the server, run this command to recursively delete the first line from every single PHP file found in the current folder and its sub-folders (first make sure the encoded stuff hasn’t been injected on the same line that also has the opening PHP tag “<?php”):

or a better version (if you want to find a string of code and delete it):

Conversely, if you instead want to prepend something recursively to all the PHP files in the current directory, use the following command:

In any of the above commands, if your file type is different than PHP, just use your file type there (e.g. *.html for HTML files, *.py for Python files, etc.), replacing “php”.
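An added example, not the author's original command: a cleanup function that deletes line 1 only from files whose first line contains a known marker string, and that leaves a file for manual review when line 2 does not start with `<?php` (an assumed heuristic for the same-line caveat mentioned earlier). The names `strip_injected` and `make_sample`, the `SAMPLE-MARKER` string and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Names and the marker string are hypothetical.
# Usage: strip_injected DIR MARKER BACKUP_DIR [EXT]
# Prints "<cleaned> <needs-review>". Paths containing newlines are not handled.
strip_injected() {
    dir=$1 marker=$2 backup=$3 ext=${4:-php}
    cleaned=0 review=0
    mkdir -p "$backup" || return 1
    list=$(mktemp) && tmp=$(mktemp) || return 1
    find "$dir" -type f -name "*.$ext" > "$list"
    while IFS= read -r f; do
        # Leave files whose first line does not carry the marker.
        head -n 1 "$f" | grep -qF -e "$marker" || continue
        # Assumed heuristic for the same-line case: if line 2 does not open
        # a PHP block, line 1 may also hold the file's own "<?php".
        if sed -n '2p' "$f" | grep -q '^<?php'; then
            n=$((cleaned + 1))
            # Keep the infected copy outside the web root for forensics.
            cp -p "$f" "$backup/$n.$(basename "$f")" || return 1
            # Rewrite in place so owner and mode of the file are unchanged.
            tail -n +2 "$f" > "$tmp" && cat "$tmp" > "$f" || return 1
            cleaned=$n
        else
            echo "REVIEW: $f" >&2
            review=$((review + 1))
        fi
    done < "$list"
    rm -f "$list" "$tmp"
    echo "$cleaned $review"
}

# Constructed sample tree: a cleanly prepended file, a same-line case,
# and an untouched file.
make_sample() {
    mkdir -p "$1/sub"
    printf '%s\n' '<?php /*SAMPLE-MARKER*/ ?>' '<?php' 'echo "a";' > "$1/a.php"
    printf '%s\n' '<?php /*SAMPLE-MARKER*/ ?><?php' 'echo "b";' > "$1/sub/b.php"
    printf '%s\n' '<?php' 'echo "c";' > "$1/c.php"
}

# Demo run on the constructed tree.
demo=$(mktemp -d) && make_sample "$demo/site"
strip_injected "$demo/site" 'SAMPLE-MARKER' "$demo/backup"
rm -rf "$demo"
```

Files reported as `REVIEW` still contain the marker and need to be edited by hand; pass a fourth argument such as `html` to target another file type.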

Hope it helps somebody in trouble.
