WPEP \ eLearnCommerce - VCD Malware Pattern. - Instead of building a full-blown security scanner, the eLearnCommerce plugin checks for known patterns. The only compromised sites we encountered that generated a lot of issues were those with the "VCD" pattern, so we'll just check for it. This script is pretty simple.
<?php | |
namespace WPEP\PlatformHealth; | |
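/**
 * Pattern-based detection and removal of known malware artifacts.
 *
 * This is not a general scanner: it only knows the indicators returned by
 * get_map() (currently the "VCD" family). A clean result therefore means
 * "none of the listed indicators were found", not "the site is clean".
 *
 * cleanup() deletes files and rewrites PHP sources in place and takes no
 * backup. Callers that need a rollback path should snapshot the affected
 * files first, outside the web root (a copy of a PHP file stored under the
 * web root with a non-PHP extension may be served as plain text).
 * Removing the artifacts also says nothing about how they were written;
 * that has to be investigated separately.
 */
class Security {

    /**
     * Reports whether any known dropped malware file is present.
     *
     * Only the paths listed under 'independent_files' are checked. Injected
     * lines in core files and injected blocks in theme functions.php files
     * are not inspected here, so `false` does not prove those are clean.
     *
     * @return bool True when at least one listed file exists.
     */
    public function is_compromised() {
        foreach ( $this->get_map() as $current_verification ) {
            foreach ( $current_verification['independent_files'] as $file_path ) {
                if ( file_exists( $file_path ) ) {
                    return true;
                }
            }
        }

        return false;
    }

    /**
     * Removes every artifact described by get_map().
     *
     * For each signature: strips the injected lines from the listed core
     * files, deletes the dropped files, deletes the listed per-theme files
     * and cuts the injected block out of each theme's functions.php.
     *
     * Files that are missing or unreadable are skipped and a file is only
     * rewritten when its content actually changed, so a failed read can no
     * longer truncate (or create) a core file.
     *
     * @return void
     */
    public function cleanup() {
        // Best effort: hosts may disable either call, hence the suppression.
        @set_time_limit( 0 );
        @ini_set( 'memory_limit', '512M' );

        $map             = $this->get_map();
        $theme_path_list = $this->_get_theme_path_list();

        foreach ( $map as $current_verification ) {
            $this->_clean_core_files( $current_verification['core_files'] );
            $this->_remove_files( $current_verification['independent_files'] );

            foreach ( $theme_path_list as $current_theme_path ) {
                $theme_files = [];
                foreach ( $current_verification['theme_file_patterns'] as $theme_file_pattern ) {
                    $theme_files[] = $current_theme_path . DIRECTORY_SEPARATOR . $theme_file_pattern;
                }
                $this->_remove_files( $theme_files );

                $this->_clean_theme_functions_file(
                    $current_theme_path . DIRECTORY_SEPARATOR . 'functions.php',
                    $current_verification['theme_functions_pattern']
                );
            }
        }
    }

    /**
     * Returns the signature map, keyed by malware family.
     *
     * Each entry holds:
     *  - 'name'                    display name (translated via __()),
     *  - 'core_files'              path => list of literal strings to strip from that file,
     *  - 'independent_files'       paths of dropped files to delete,
     *  - 'theme_functions_pattern' list of [ 'start', 'include', 'end' ] block descriptors
     *                              matched against each theme's functions.php,
     *  - 'theme_file_patterns'     file names to delete inside each theme directory.
     *
     * @return array
     */
    public function get_map() {
        $map = [
            'vcd' => [
                'name'                    => __( 'VCD Malware', "wpep" ),
                'core_files'              => [
                    ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'post.php' => [
                        '<?php if (file_exists(dirname(__FILE__) . \'/wp-vcd.php\')) include_once(dirname(__FILE__) . \'/wp-vcd.php\'); ?>'
                    ],
                ],
                'independent_files'       => [
                    ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'wp-vcd.php',
                    ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'wp-tmp.php'
                ],
                'theme_functions_pattern' => [
                    [
                        'start'   => '<?php',
                        'include' => [
                            'wp_vcd',
                            '$start_wp_theme_tmp',
                            '$end_wp_theme_tmp'
                        ],
                        'end'     => '?>'
                    ]
                ],
                'theme_file_patterns'     => [
                    'class.theme-modules.php'
                ]
            ]
        ];

        return $map;
    }

    /**
     * Lists the theme directories to inspect.
     *
     * @return mixed Whatever wpep_file_system_get_base_directory_list() returns
     *               for the theme root; cleanup() iterates over it as a list of paths.
     */
    private function _get_theme_path_list() {
        return wpep_file_system_get_base_directory_list( get_theme_root( false ) );
    }

    /**
     * Strips the listed literal strings from each core file.
     *
     * @param array $core_files Map of file path => list of strings to remove.
     * @return void
     */
    private function _clean_core_files( array $core_files ) {
        foreach ( $core_files as $file_path => $file_malware_pattern ) {
            if ( ! is_file( $file_path ) || ! is_readable( $file_path ) ) {
                continue;
            }

            $file_content = file_get_contents( $file_path );
            if ( $file_content === false ) {
                // Never write back after a failed read: that would empty the file.
                continue;
            }

            $cleaned_content = str_replace( $file_malware_pattern, '', $file_content );
            if ( $cleaned_content !== $file_content ) {
                file_put_contents( $file_path, $cleaned_content, LOCK_EX );
            }
        }
    }

    /**
     * Deletes each listed path that exists.
     *
     * @param array $file_paths Paths to delete.
     * @return void
     */
    private function _remove_files( array $file_paths ) {
        foreach ( $file_paths as $file_path ) {
            if ( file_exists( $file_path ) ) {
                unlink( $file_path );
            }
        }
    }

    /**
     * Cuts injected blocks out of one theme functions.php and saves it if it changed.
     *
     * @param string $functions_file_path Path of the functions.php to clean.
     * @param array  $patterns            Block descriptors ('start', 'include', 'end').
     * @return void
     */
    private function _clean_theme_functions_file( $functions_file_path, array $patterns ) {
        if ( ! is_file( $functions_file_path ) || ! is_readable( $functions_file_path ) ) {
            return;
        }

        $original_content = file_get_contents( $functions_file_path );
        if ( $original_content === false ) {
            return;
        }

        $functions_file_content = $original_content;
        foreach ( $patterns as $current_functions_pattern ) {
            $functions_file_content = $this->_strip_injected_block( $functions_file_content, $current_functions_pattern );
        }

        if ( $functions_file_content !== $original_content ) {
            file_put_contents( $functions_file_path, $functions_file_content, LOCK_EX );
        }
    }

    /**
     * Removes the first start..end block that contains every 'include' marker.
     *
     * The whole block is removed, from the start marker through the end marker.
     * With the generic '<?php' / '?>' markers this means any legitimate code that
     * shares the block with the injected code is removed too. At most one block
     * is removed per call.
     *
     * @param string $content Source text to clean.
     * @param array  $pattern Descriptor with 'start', 'end' and 'include' (list of strings).
     * @return string The text without the matched block, or unchanged when nothing matched.
     */
    private function _strip_injected_block( $content, array $pattern ) {
        $start_marker = $pattern['start'];
        $end_marker   = $pattern['end'];
        $includes     = $pattern['include'];

        // An empty marker cannot delimit a block and would stall the scan below.
        if ( $start_marker === '' || $end_marker === '' ) {
            return $content;
        }

        // Cheap pre-check: every marker must occur somewhere in the text.
        foreach ( array_merge( [ $start_marker, $end_marker ], $includes ) as $needle ) {
            if ( strpos( $content, $needle ) === false ) {
                return $content;
            }
        }

        $offset = 0;
        while ( true ) {
            $start_position = strpos( $content, $start_marker, $offset );
            $end_position   = strpos( $content, $end_marker, $offset );
            if ( $start_position === false || $end_position === false ) {
                return $content;
            }

            // Point just past the end marker so the cut includes it.
            $end_position += strlen( $end_marker );

            // The end marker may belong to an earlier block than the start marker.
            $is_candidate = $start_position <= $end_position;
            if ( $is_candidate ) {
                foreach ( $includes as $current_include ) {
                    $include_position = strpos( $content, $current_include, $offset );
                    if ( $include_position === false
                        || $include_position < $start_position
                        || $include_position > $end_position ) {
                        $is_candidate = false;
                        break;
                    }
                }
            }

            if ( $is_candidate ) {
                return substr( $content, 0, $start_position ) . substr( $content, $end_position );
            }

            // Resume just before the end of the rejected span; this always advances.
            $offset = $end_position - 1;
        }
    }
}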