-
-
Save AlexAndrascu/a950a3a56f747a6df586 to your computer and use it in GitHub Desktop.
This script remove malware of PHP files.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# | |
# This script remove malware of PHP files. | |
# | |
# In this case it will remove some malicious code | |
# from all Wordpress PHP files that is at top of | |
# every PHP file. | |
# | |
# The string at the top of every file is: | |
# | |
# <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x$ | |
# | |
# This script tries to find the string inside $_SERVER | |
# of the above line at the top of the files to determine | |
# if the file is infected. If you run the script and | |
# nothing seems to be infected but you suspect and you | |
# want to be sure, just open any PHP of Wordpress and | |
# check if the malicious line code is present. If is | |
# present but the script did not detect, it is because | |
# the content inside $_SERVER may be diferent. | |
# In these cases, just replace in this script the string | |
# in the -e parameter of grep line with the content of | |
# $_SERVER found in your PHP (remember to escape | |
# the \ with \\\\) and run again this removal script. | |
# | |
# | |
# JavocSoft 2014 | |
# | |
if [[ -z "$1" ]]; then | |
echo "Directory where to find is required." | |
else | |
grep -rnwl $1 --include \*.php -e "\\\\x48\\\\124\\\\x54\\\\120\\\\x5f\\\\125\\\\x53\\\\105\\\\x52\\\\137\\\\x41\\\\107\\\\x45\\\\116\\\\x54" | while read -r filename ; do | |
if [[ ! -z "$2" ]]; then | |
echo "Found file $filename. Cleaning..." | |
awk 'BEGIN {matches=0} matches < 1 && /1/ { sub(/^.*<?php/,"<?php"); matches++ } { print $0 }' $filename > $filename.purged | |
mv $filename $filename.bck | |
mv $filename.purged $filename | |
else | |
echo "Found file $filename." | |
fi | |
done | |
echo "Done." | |
fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# | |
# This script remove malware of PHP files. | |
# | |
# In this case it will remove some malicious code | |
# from all Wordpress PHP files that is at top of | |
# every PHP file. | |
# | |
# The string at the top of every file is: | |
# | |
# <?php $fcuiewotzw = '}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt) | |
# | |
# This script tries to find the string inside $_SERVER | |
# of the above line at the top of the files to determine | |
# if the file is infected. If you run the script and | |
# nothing seems to be infected but you suspect and you | |
# want to be sure, just open any PHP of Wordpress and | |
# check if the malicious line code is present. If is | |
# present but the script did not detect, it is because | |
# the content inside $_SERVER may be diferent. | |
# In these cases, just replace in this script the string | |
# in the -e parameter of grep line with the content of | |
# $_SERVER found in your PHP (remember to escape | |
# the \ with \\\\) and run again this removal script. | |
# | |
# | |
# Ramon Barros 2015 | |
# | |
if [[ -z "$1" ]]; then | |
echo "Directory where to find is required." | |
else | |
grep -rnwl $1 --include \*.php -e "\\\\x20\\\\57\\\\x2a\\\\40\\\\x65\\\\142\\\\x6e\\\\162\\\\x69\\\\143\\\\x75\\\\154" | while read -r filename ; do | |
if [[ ! -z "$2" ]]; then | |
echo "Found file $filename. Cleaning..." | |
awk 'BEGIN {matches=0} matches < 1 && /1/ { sub(/^((<\?)php(.*)(\?>))/,""); matches++ } { print $0 }' $filename > $filename.purged | |
mv $filename $filename.bck2 | |
mv $filename.purged $filename | |
else | |
echo "Found file $filename." | |
fi | |
done | |
echo "Done." | |
fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
how do you run this code