Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 5 Dec 2008 10:39:21 +0100
From:      Mel <fbsd.questions@rachie.is-a-geek.net>
To:        freebsd-questions@freebsd.org, mcoyles@horbury.wakefield.sch.uk
Subject:   Re: Mass find/replace...
Message-ID:  <200812051039.21913.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <004c01c956ba$56497410$02dc5c30$@wakefield.sch.uk>
References:  <002b01c95609$ed0c7200$c7255600$@wakefield.sch.uk> <200812050551.32850.fbsd.questions@rachie.is-a-geek.net> <004c01c956ba$56497410$02dc5c30$@wakefield.sch.uk>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Friday 05 December 2008 10:17:46 Marc Coyles wrote:
> > + not \; or you will fork on every result.
> >
> > Additionally, is this injected code one long string or broken down
> > by the
> > mailer? Grep isn't the best way to deal with it. It's pretty easy
> > to correct
> > with perl, bit trickier if it's multiline, still not too hard:
> >
> > find /home/horbury -type f -exec \
> > 	perl -pi.bak -e 's,<\? /\*\*/eval\(base64_decode\(.*?\?>,,s' {} +
>
> Sadly that didn't work. It created .bak files for everything within
> /home/Horbury recursively, but didn't make any changes - the base64_decode
> is till present.
>
> Additional point to note: this only needs performing on .php files, not all
> files...
>
> Would I be correct in guessing it's because the string for perl to search
> for omits a space?

Nope.

> IE: within the files, it's as follows:
> <?php /**/eval(base64_decode('thestring')); ?>

Cause in your original mail I didn't catch the <?php, but the shorthand open. 
So it should be:

's,<\?php /\*\*/eval\(base64_decode\(.*?\?>,,s'

> Whereas the perl appears to be looking for:
> <?php/**/eval(base64_decode(*wildcard*?>
>
> Also... how to delete all files ending in .bak recursively? *grin*
>
> I'm presuming it'd be:
>
> Find /home/horbury -type f -name "*.bak" -exec \

find /home/horbury -name '*.bak' -delete

-- 
Mel

Problem with today's modular software: they start with the modules
    and never get to the software part.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200812051039.21913.fbsd.questions>