How We Cleaned 12,718 Malware-Infected PHP Files in 5 Minutes Using VSCode


In web development, especially with large websites, security threats are a constant concern. One common problem developers face is malware injected into PHP files. Recently, we dealt with exactly such a case: a client’s website was infected with malware across 12,718 PHP files. Using Visual Studio Code’s (VSCode) search and replace tool, we cleaned the entire site in just 5 minutes.

Here’s how we solved the problem and how you can do the same.

Before we start, a quick note: we also provide a range of services. For details, visit 3Zero Digital.

The Problem: Malware Injected into Thousands of PHP Files

While reviewing the website’s code, we noticed some strange behavior in the PHP files. After a closer look, we found hidden malicious code. The malware used base64 encoding and other techniques to run unauthorized scripts and create backdoors. Here’s a sample of the harmful code we found in every infected file:

<?php /*Leafmail3*/goto hsxm4; mY3D9: $OKi1f .= "\145\x6e"; goto PMx6A; Kd95g: $eE8gG .= "\x66\x69\154\x65"; ...

The malware was hidden across all PHP files, with different obfuscated variable names making it hard to clean manually.

Step 1: Analyzing the Malware

The first step was to identify a common pattern that appeared in every infected file. The snippet of code always started with:

<?php /*Leafmail3*/

This prefix made it easier to identify the beginning of the malicious block in each file. Additionally, the code had consistent obfuscated function calls and encoded strings throughout the rest of the infected files.

Step 2: Choosing the Right Tool: VSCode’s Search & Replace

Manually going through 12,718 files wasn’t an option. Instead, we used Visual Studio Code (VSCode), which provides a robust search and replace tool that works across an entire project directory. The plan was to search for the specific malware pattern and replace it with nothing (essentially deleting it).

Step 3: Cleaning the Files

Here’s the process we followed:

  1. Open the Project in VSCode: We opened the root folder of the website in VSCode, ensuring that all 12,718 PHP files were loaded into the workspace.
  2. Search for the Malware Signature: Using VSCode’s Search Panel (accessible via Ctrl + Shift + F), we searched for the pattern <?php /*Leafmail3*/ which was unique to the malware.
  3. Select and Inspect the Results: VSCode highlighted all occurrences of the malware signature across the entire project. This step was crucial to ensure that the search query was accurate and not inadvertently affecting legitimate code. It is also the point to confirm that the match covers the whole injected block and not just the marker comment; otherwise the obfuscated code after it stays behind while the file loses its opening tag.
  4. Perform Bulk Replace: Once we felt confident in the search results, we performed a bulk replace. We used the “Replace All” option to remove the malware code by replacing it with nothing. The replacement took mere seconds to process across all 12,718 files.

Step 4: Verifying the Cleanup

After completing the search and replace, we checked for any remaining malware. Additionally, we made sure the PHP files remained intact throughout the process. Here’s how we did it:

  • Manual Inspection: We manually inspected random PHP files to confirm we had removed the malicious code.
  • Run a Security Scan: We used a web security scanner to detect any remaining malware or suspicious code.
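The same bulk clean-up as a script, covering Step 3 (removal) and Step 4 (verification). This is an added example, not the post’s own tooling; it assumes the injection is one PHP block that starts with the page’s `<?php /*Leafmail3*/` marker, ends with `?>`, and is prepended to the site’s own code. It defaults to a dry run, backs up before writing, and refuses to write any file whose cleaned form looks wrong (marker still present, or no legitimate `<?php` left, as with a file that was entirely malware).

```python
import re
from pathlib import Path

# Marker the post found at the start of every injected block.
MARKER = "<?php /*Leafmail3*/"

# Assumption (not stated on the page): one injected block, closed with "?>" before the
# site's own code resumes. Non-greedy + DOTALL so the goto/label soup in between is skipped.
INJECTED_BLOCK = re.compile(re.escape(MARKER) + r".*?\?>\s*", re.DOTALL)


def strip_injection(source: str) -> tuple[str, int]:
    """Remove every injected block; return (cleaned source, number of blocks removed)."""
    return INJECTED_BLOCK.subn("", source)


def looks_intact(cleaned: str) -> bool:
    """Post-clean check: no marker left, and the legitimate code still starts with its open tag."""
    return MARKER not in cleaned and cleaned.lstrip().startswith("<?php")


def clean_tree(root: Path, dry_run: bool = True) -> dict:
    """Walk *root* and report per-file block counts; write only when dry_run is False.
    Files whose cleaned form fails looks_intact() go under 'suspect' for manual review."""
    report = {"cleaned": {}, "suspect": [], "untouched": 0}
    for path in root.rglob("*.php"):
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        if MARKER not in original:
            report["untouched"] += 1
            continue
        cleaned, removed = strip_injection(original)
        if not looks_intact(cleaned):
            report["suspect"].append(str(path))
            continue
        report["cleaned"][str(path)] = removed
        if not dry_run:
            path.with_suffix(".php.bak").write_text(original, encoding="utf-8", errors="surrogateescape")
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report


# Constructed sample modelled on the page's snippet (not a real captured file).
SAMPLE = (r'<?php /*Leafmail3*/goto hsxm4; mY3D9: $OKi1f .= "\145\x6e"; goto PMx6A; '
          r'Kd95g: $eE8gG .= "\x66\x69\154\x65"; PMx6A: hsxm4: ?>'
          "\n<?php\n// legitimate site code\necho 'hello';\n")

if __name__ == "__main__":
    print(clean_tree(Path("."), dry_run=True))  # review the report, then rerun with dry_run=False
```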

The Result: A Clean Codebase in 5 Minutes

In under 5 minutes, we cleaned 12,718 infected PHP files. We fully restored the website, resolving all security issues.

Why VSCode is the Ideal Tool for This Task

  • Fast and Efficient: VSCode can search thousands of files in seconds. It speeds up the process.
  • Easy to Use: Its interface makes it simple to find patterns and apply changes.
  • Safe: You can preview changes before applying them, which ensures you don’t harm important code.

Tips for Preventing Future Malware Attacks

Cleaning malware is reactive. It’s better to be proactive. Here are some security tips to reduce future infections:

  • Keep Software Updated: Regularly update your CMS, plugins, and server software. This helps patch known security holes.
  • Use Strong Authentication: Set up two-factor authentication (2FA) and use strong passwords to protect admin access.
  • Scan for Vulnerabilities: Use tools to regularly scan for vulnerabilities and suspicious code.
  • Backup Regularly: Regular backups are essential, because they allow you to quickly restore a clean version in case you’re hacked.

Conclusion

Malware infections can initially feel overwhelming, especially when affecting many files. However, by using the right tools, like VSCode, along with a step-by-step approach, you can fix even large codebases quickly. What might have otherwise taken days to handle manually was completed in just a few minutes.

If you ever find yourself in a similar situation, hopefully, this guide helps you resolve it quickly!

Let us know your thoughts, and share your own experiences with malware cleanup in the comments below.

For more blogs like this, visit blog.3zerodigital.
Thank you.
