rbarros · February 12, 2015 20:29
diff --git a/fix1.sh b/fix1.sh
 #!/bin/bash
 #
 # This script remove malware of PHP files.
 #
 # In this case it will remove some malicious code
 # from all Wordpress PHP files that is at top of
 #  every PHP file.
 #
 # The string at the top of every file is:
 #
 # <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x$
 #
 # This script tries to find the string inside $_SERVER
 # of the above line at the top of the files to determine
 # if the file is infected. If you run the script and
 # nothing seems to be infected but you suspect and you 
 # want to be sure, just open any PHP of Wordpress and 
 # check if the malicious line code is present. If is 
 # present but the script did not detect, it is because 
 # the content inside $_SERVER may be diferent.
 # In these cases, just replace in this script the string
 # in the -e parameter of grep line with the content of 
 # $_SERVER found in your PHP (remember to escape 
 # the \ with \\\\) and run again this removal script.
 #
 #
 # JavocSoft 2014
 #

 if [[ -z "$1" ]]; then
  echo "Directory where to find is required."
 else
  grep -rnwl $1 --include \*.php -e "\\\\x48\\\\124\\\\x54\\\\120\\\\x5f\\\\125\\\\x53\\\\105\\\\x52\\\\137\\\\x41\\\\107\\\\x45\\\\116\\\\x54" | while read -r filename ; do

    if [[ ! -z "$2" ]]; then
       echo "Found file $filename. Cleaning..."
       awk 'BEGIN {matches=0} matches < 1 && /1/ { sub(/^.*<?php/,"<?php"); matches++ } { print $0 }' $filename > $filename.purged
       mv $filename $filename.bck
       mv $filename.purged $filename
    else
      echo "Found file $filename."
    fi

  done
  echo "Done."
 fi
diff --git a/fix2.sh b/fix2.sh
 #!/bin/bash
 #
 # This script remove malware of PHP files.
 #
 # In this case it will remove some malicious code
 # from all Wordpress PHP files that is at top of
 #  every PHP file.
 #
 # The string at the top of every file is:
 #
 # <?php $fcuiewotzw = '}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)
 #
 # This script tries to find the string inside $_SERVER
 # of the above line at the top of the files to determine
 # if the file is infected. If you run the script and
 # nothing seems to be infected but you suspect and you 
 # want to be sure, just open any PHP of Wordpress and 
 # check if the malicious line code is present. If is 
 # present but the script did not detect, it is because 
 # the content inside $_SERVER may be diferent.
 # In these cases, just replace in this script the string
 # in the -e parameter of grep line with the content of 
 # $_SERVER found in your PHP (remember to escape 
 # the \ with \\\\) and run again this removal script.
 #
 #
 # Ramon Barros 2015
 #

 if [[ -z "$1" ]]; then
  echo "Directory where to find is required."
 else
  grep -rnwl $1 --include \*.php -e "\\\\x20\\\\57\\\\x2a\\\\40\\\\x65\\\\142\\\\x6e\\\\162\\\\x69\\\\143\\\\x75\\\\154" | while read -r filename ; do

    if [[ ! -z "$2" ]]; then
       echo "Found file $filename. Cleaning..."
       awk 'BEGIN {matches=0} matches < 1 && /1/ { sub(/^((<\?)php(.*)(\?>))/,""); matches++ } { print $0 }' $filename > $filename.purged
       mv $filename $filename.bck2
       mv $filename.purged $filename
    else
      echo "Found file $filename."
    fi

  done
  echo "Done."
 fi
	#!/bin/bash
	#
	# This script remove malware of PHP files.
	#
	# In this case it will remove some malicious code
	# from all Wordpress PHP files that is at top of
	# every PHP file.
	#
	# The string at the top of every file is:
	#
	# <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x$
	#
	# This script tries to find the string inside $_SERVER
	# of the above line at the top of the files to determine
	# if the file is infected. If you run the script and
	# nothing seems to be infected but you suspect and you
	# want to be sure, just open any PHP of Wordpress and
	# check if the malicious line code is present. If is
	# present but the script did not detect, it is because
	# the content inside $_SERVER may be diferent.
	# In these cases, just replace in this script the string
	# in the -e parameter of grep line with the content of
	# $_SERVER found in your PHP (remember to escape
	# the \ with \\\\) and run again this removal script.
	#
	#
	# JavocSoft 2014
	#

	if [[ -z "$1" ]]; then
	echo "Directory where to find is required."
	else
	grep -rnwl $1 --include \*.php -e "\\\\x48\\\\124\\\\x54\\\\120\\\\x5f\\\\125\\\\x53\\\\105\\\\x52\\\\137\\\\x41\\\\107\\\\x45\\\\116\\\\x54" \| while read -r filename ; do

	if [[ ! -z "$2" ]]; then
	echo "Found file $filename. Cleaning..."
	awk 'BEGIN {matches=0} matches < 1 && /1/ { sub(/^.*<?php/,"<?php"); matches++ } { print $0 }' $filename > $filename.purged
	mv $filename $filename.bck
	mv $filename.purged $filename
	else
	echo "Found file $filename."
	fi

	done
	echo "Done."
	fi