How to remove first line of every file using grep and xargs

If you have a WordPress site, you may have run into security issues that left suspicious, obfuscated PHP code injected into your WordPress theme and plugin files.
This malicious code usually starts with something like eval(gzinflate(base64_decode... followed by some encoded data.
If you look it up on Google, you will probably find lots of references, most of them saying that this code is a hack that injects an IFRAME tag into your WordPress HTML pages or downloads some file from some godforsaken IP address.

The best way to deal with this sort of thing in WordPress is to make sure you have the latest WordPress version installed, add some well-known security plugins, like BulletProof Security, and take care of the file permissions on the server (not ALL users should have WRITE permissions).

Let's say we took care of all that and now we have prevented hackers from injecting PHP code in the future. What do we do with the code we already have in place? How do we clean it up quickly and efficiently?

The solution is a single shell command line. But before we see the final solution, we have to understand the risks...
This solution is based on the assumption that the malicious code ALWAYS resides in the first line of the file. In my experience this is always true, but it is best to verify in advance by running the following command first from your SSH console, in the WordPress root folder:

grep -rno "eval(gzinflate(base64_decode" .

This command searches all files recursively and displays only those that contain eval(gzinflate(base64_decode..., together with the line number where that code was found.
So after running this, make sure that every result has :1: in it, since that is the line number.

After we made sure the injected code is in the first line of each infected file, we can run the command to remove that line from all files at once:
WARNING: This code may break your site! Use with care! Best practice is to clone the Wordpress site and run this command on the cloned site for testing before applying on the real site.

grep -rl "eval(gzinflate(base64_decode" . | xargs sed -i 1d

The command above finds all files, in the current folder and below, that contain eval(gzinflate(base64_decode..., and for each one runs sed -i 1d, which deletes the first line of that file.
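The one-liner trusts the :1: check completely; it cannot tell whether line 1 holds only the injected statement or whether the injection was fused onto the file's own first line (for example the opening <?php tag followed by real code), in which case deleting the line breaks the file. The script below is an added example, not the post's own code: it keeps the same marker string and the same sed 1d idea, but deletes line 1 only when the marker really is on line 1 and nothing but the payload and PHP tags remains once the eval(...) statement is stripped, keeps a .bak copy of every file it touches, and reports anything else for manual review. The sample file contents in the usage comments are constructed.

```shell
#!/bin/sh
# Added example (not the post's code): a checked version of
#   grep -rl "eval(gzinflate(base64_decode" . | xargs sed -i 1d
# Line 1 is deleted only when (a) the marker is really on line 1 and
# (b) that line holds nothing but the injected eval(...) statement and PHP
# tags. Anything else is left untouched and reported. A .bak copy is kept so
# a wrong decision can be rolled back. The marker is the one from the post.
MARKER='eval(gzinflate(base64_decode'

# What is left of line 1 once the injected statement, PHP tags, whitespace
# and ';' are stripped. Empty output means the line is entirely the payload.
residue_of_first_line() {
    sed -n '1p' "$1" |
    sed -e 's/eval(gzinflate(base64_decode(.*)));//' \
        -e 's/<?php//g' -e 's/?>//g' -e 's/[[:space:];]//g'
}

# clean_first_line DIR: clean every safe file below DIR.
# Exit status 0 if nothing had to be skipped, 1 if some file needs a human.
# Example: a file whose line 1 is "<?php eval(gzinflate(base64_decode('x'))); ?>"
# is cleaned; one whose line 1 is "<?php eval(...); echo 'real';" is skipped.
clean_first_line() {
    dir=$1; cleaned=0; skipped=0
    list=$(mktemp)
    # Same file selection as the post's grep -rl, minus our own .bak copies.
    grep -rlF "$MARKER" "$dir" | grep -v '\.bak$' > "$list" || true
    while IFS= read -r f; do
        if ! sed -n '1p' "$f" | grep -qF "$MARKER"; then
            echo "SKIP (marker not on line 1): $f"; skipped=$((skipped + 1)); continue
        fi
        if [ -n "$(residue_of_first_line "$f")" ]; then
            echo "SKIP (line 1 also holds other code): $f"; skipped=$((skipped + 1)); continue
        fi
        cp -p "$f" "$f.bak"
        # Same effect as `sed -i 1d`, but portable (BSD sed needs an argument
        # to -i) and the file's mode and owner survive because the inode is reused.
        sed '1d' "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
        echo "CLEANED: $f"; cleaned=$((cleaned + 1))
    done < "$list"
    rm -f "$list"
    echo "cleaned=$cleaned skipped=$skipped"
    [ "$skipped" -eq 0 ]
}
```

Run it as clean_first_line /path/to/wordpress on the cloned site first; a non-zero exit status means at least one file was skipped and needs to be looked at by hand.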

That's it! One simple command that removes all the malicious code injected into your files (in the first line).

Disclaimer: Use the solution described above at your own risk. This site and the author are not accountable for any damage that may arise as a result of reading this post!
