From owner-freebsd-questions@FreeBSD.ORG  Fri Dec  5 04:51:47 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E8C891065678
	for <freebsd-questions@freebsd.org>;
	Fri,  5 Dec 2008 04:51:47 +0000 (UTC)
	(envelope-from fbsd.questions@rachie.is-a-geek.net)
Received: from mail.rachie.is-a-geek.net (rachie.is-a-geek.net [66.230.99.27])
	by mx1.freebsd.org (Postfix) with ESMTP id BBFE58FC1B
	for <freebsd-questions@freebsd.org>;
	Fri,  5 Dec 2008 04:51:47 +0000 (UTC)
	(envelope-from fbsd.questions@rachie.is-a-geek.net)
Received: from localhost (mail.rachie.is-a-geek.net [192.168.2.101])
	by mail.rachie.is-a-geek.net (Postfix) with ESMTP id A5A3FAFBC02;
	Thu,  4 Dec 2008 19:51:46 -0900 (AKST)
From: Mel <fbsd.questions@rachie.is-a-geek.net>
To: freebsd-questions@freebsd.org
Date: Fri, 5 Dec 2008 05:51:32 +0100
User-Agent: KMail/1.9.7
References: <002b01c95609$ed0c7200$c7255600$@wakefield.sch.uk>
	<1228395500.2781.41.camel@frodon.be-bif.ulb.ac.be>
In-Reply-To: <1228395500.2781.41.camel@frodon.be-bif.ulb.ac.be>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200812050551.32850.fbsd.questions@rachie.is-a-geek.net>
Cc: mcoyles@horbury.wakefield.sch.uk, Julien Cigar <jcigar@ulb.ac.be>
Subject: Re: Mass find/replace...
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Dec 2008 04:51:48 -0000

On Thursday 04 December 2008 13:58:20 Julien Cigar wrote:
> the following should work :
> $ find /home/horbury -type f -print0 | xargs -0 grep 'base64_decode'
>  or :
> $ find /home/horbury -type f -exec grep 'base64_decode' {} \;

+ not \; or you will fork on every result.

Additionally, is this injected code one long string or broken down by the 
mailer? Grep isn't the best way to deal with it. It's pretty easy to correct 
with perl, bit trickier if it's multiline, still not too hard:

find /home/horbury -type f -exec \
	perl -pi.bak -e 's,<\?/\*\*/eval\(base64_decode\(.*?\?>,,s' {} +

The originals will end up as filename.php.bak.
-- 
Mel

Problem with today's modular software: they start with the modules
    and never get to the software part.