sed, replace first line

Question

I got hacked by running a really outdated Drupal installation (shame on me)

It seems they injected the following in every .php file;

Answer 1

You can use sed with something like

sed '1 s/^.*$/<?php/'

The 1 part only replaces the first line. Then, thanks to the s command, it replaces the whole line by <?php.

To modify your files in-place, use the -i option of GNU sed.

Answer 2

To replace the first line of a file, you can use the c (for "change") command of sed:

sed '1c<?php' 

which translates to: "on line 1, replace the pattern space with <?php".

For this particular problem, however, something like this would probably work:

sed '1,/^$/c<?php'

which reads: change the range "line 1 to the first empty line" to <?php, thus replacing all injected code.

(The second part of the address (the regular expression /^$/) should be replaced with an expression that would actually delimit the injected code, if it is not an empty line.)