Malware in Debian: I detected it with a ClamAV scan. I installed the ClamAV antivirus, scanned my Debian system, and in one of the installations it detected the Trojan Win.Trojan.Shell-69 and others such as Win.Trojan.Hide-1. According to the report, almost a thousand files have been infected. I opened several and most show the same infection pattern: they are PHP files whose first line includes an encrypted line with one of these patterns:
- it refers to a variable zend_framework,
- or it has a foreach loop.
I have seen that a bash or PHP script can be written to delete the first line, but with the sed command (which removes the parts of a line that match a regular expression pattern) it can be done in just one line:
For the infection whose zend_framework code ends in x2f\";?>, the command would be:
sed -i 's/<?php $zend_framework=.*x2f\");?>//g' `grep -l zend_framework * -R`
For the one that uses foreach (explode, it would be:
sed -i 's/<?php foreach (explode.*$uiaiveouiu-1;?>//g' `grep -l foreach * -R`
With these two commands we would have solved the infection and the problem of malicious code in the pages.
I ran the ClamAV antivirus again and it did not detect any malware.
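A more cautious variant of the first command, as an added example that is not part of the original post: it edits only line 1 of each PHP file, saves an untouched copy outside the site tree before changing anything, and copes with spaces in file names. The function names, the backup directory and the sample files are assumptions made for the illustration; the signature is the one from the sed command above.

```shell
#!/bin/sh
# Added example (not from the original post). Signature copied from the page's
# first sed command; '$' is escaped so it is a literal in the basic regex.
SIG='<?php \$zend_framework=.*x2f");?>'

# clean_tree ROOT BACKUP_DIR
# Strips the injected block from line 1 of each *.php file under ROOT, after
# saving the untouched file under BACKUP_DIR. Prints the number of files cleaned.
clean_tree() {
    root=$1 bak=$2 cleaned=0
    list=$(mktemp)
    find "$root" -type f -name '*.php' > "$list"
    while IFS= read -r f; do
        # Only the first line is inspected, so the same text deeper in a
        # file (documentation, a quarantined sample) is left alone.
        if head -n 1 "$f" | grep -q "$SIG"; then
            mkdir -p "$bak/$(dirname "$f")"
            cp -p "$f" "$bak/$f"
            # Remove the block on line 1; drop the line if nothing else was on it.
            sed -i -e "1s/$SIG//" -e '1{/^$/d}' "$f"
            cleaned=$((cleaned + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$cleaned"
}

# make_sample DIR: constructed, inert test files (no real payload).
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '<?php $zend_framework="\x00\x2f");?><?php echo "home"; ?>' > "$1/index.php"
    printf '%s\n' '<?php $zend_framework="\x00\x2f");?>' '<?php echo "lib"; ?>' > "$1/lib file.php"
    printf '%s\n' '<?php foreach ($rows as $r) { echo $r; } ?>' > "$1/clean.php"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp/site"
    echo "cleaned: $(clean_tree "$tmp/site" "$tmp/backup")"
    rm -rf "$tmp"
fi
```

The saved copies make it possible to diff each file against its cleaned version and to keep the injected lines for later analysis of how they got there.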