How to mass clean base64_decode infected php files (Including WordPress)

Hello once again,

I had recently been asked to take a look at a server that was being reported as having a virus passed to unsuspecting visitors. I did the usual scan (using clamscan) and came up with a couple of files that had PHP shells. I removed those files, and started digging deeper. What I found was that two of the accounts on the server had all of their .php files infected with a base64_decode right on the first line. What this does is hide the injected code by encoding it with base64, so that someone looking at the file cannot read it. PHP decodes and runs it when the page is requested, so when the page is served to a user, they get a little more than they bargained for! The steps below only replace the first line of these infected files.

Getting back on topic, here is how I was able to remove all of the nasty code from the infected files. First off, you need to log into your server as the root user, through SSH. Next, we make sure we are in the /root directory:

root@server [~] # cd /root

Now, let's do a scan for the infected files, and place the file paths into another file, which we will use later to remove the code:

root@server [~] # find /home/user/public_html/ -name "*.php"  -print0 | xargs -0 egrep -l 'eval\(base64_decode\(' > /root/infectedfiles

The above command searches the /home/user/public_html folder (make sure you change “user” to a valid user on your system!) for .php files containing the string “eval(base64_decode(”. The path of every file that contains it is written to the /root/infectedfiles file. Please note, sometimes a good file can contain this string, so please be careful, and always make backups!

Now that we have a list of files we need to replace the first line in, we need to use this little bash script:

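#!/bin/bash
#
#       Remove base64_decode infection
#       by SolidServers.ca
#
# Read one path per line from the list built by the find command above.
# IFS= and -r keep leading spaces and backslashes in file names intact.
while IFS= read -r FILE
do
        echo "Cleaning $FILE"
        # Replace the entire first line of the file with a plain PHP opening tag.
        sed -i '1 s/^.*$/<?php/' "$FILE"
done < /root/infectedfiles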

You need to copy the above and paste it into a new file. This will vary depending on your preferred text editor. First, create the new file:

root@server [~] # touch Remove_Base64_SolidServers

Make sure the script has execute permissions by doing the following:

root@server [~] # chmod +x Remove_Base64_SolidServers

Now open the file in a text editor and paste the script from above into it.

Now all that is left to do is run the script!

root@server [~] # ./Remove_Base64_SolidServers

Again, please make sure you have backups prior to running this, or any script that could make changes to your files!
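
A more cautious variant of the cleanup loop above, added here as an example and not part of the original SolidServers script: it rewrites line 1 only when that line actually contains the eval(base64_decode( string, and first copies each file to a backup directory outside the web root. The function names, the safe_clean.sh file name and the /root/php-backup path are assumptions.

```bash
#!/bin/bash
# Added example (not the original SolidServers script).
# Usage: clean_list LIST_FILE BACKUP_DIR
PATTERN='eval(base64_decode('

# Succeeds only if line 1 of the file contains the injected call.
first_line_infected() {
    head -n 1 -- "$1" | grep -qF -- "$PATTERN"
}

# Copy one file under BACKUP_DIR (keep it outside the web root), then reset line 1.
clean_file() {
    local file="$1" backup_dir="$2"
    mkdir -p -- "$backup_dir/$(dirname -- "$file")" || return 1
    cp -p -- "$file" "$backup_dir/$file" || return 1
    sed -i '1 s/^.*$/<?php/' "$file"
}

# Walk the list: clean files infected on line 1, flag the rest for manual review.
clean_list() {
    local list="$1" backup_dir="$2" file
    CLEANED=0
    SKIPPED=0
    while IFS= read -r file; do
        [ -f "$file" ] || continue
        if first_line_infected "$file"; then
            clean_file "$file" "$backup_dir" || { echo "FAILED  $file"; continue; }
            echo "CLEANED $file"
            CLEANED=$((CLEANED + 1))
        else
            # The string is somewhere else in the file: possibly legitimate code.
            echo "REVIEW  $file (match is not on line 1)"
            SKIPPED=$((SKIPPED + 1))
        fi
    done < "$list"
    echo "cleaned=$CLEANED review=$SKIPPED"
}

# Runs only when called with both arguments, e.g.:
#   ./safe_clean.sh /root/infectedfiles /root/php-backup
if [ "$#" -eq 2 ]; then
    clean_list "$1" "$2"
fi
```

Files reported as REVIEW are left untouched and should be inspected by hand.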

Any questions, let us know!