Hacked Site Cleanup Scripts

fix-get-cpanel-users.sh

#!/bin/bash

# Run as root
# You may want to modify the cpanelusers file after
for i in $(/bin/ls /var/cpanel/users/);  do echo ${i} >> /fix-hack/cpanelusers; done

# Increase file permissions
chmod 400 /fix-hack/cpanelusers

fix-multiple-sites.sh

#! /bin/bash

# Run as root
# This script runs the single site script for each site

# Create results file if it doesn't exist
touch /fix-hack/results

# Temporarily lower file permission so all users can read/write
chmod 777 /fix-hack/results

# Loop through each cpanel user listed in
while read NAME
do
  echo $NAME
  su -c "bash /fix-hack/fix-single-site.sh" -s /bin/sh "$NAME"
done < /fix-hack/cpanelusers

# Increase file permission (you know, passwords and stuff...)
chmod 400 /fix-hack/results

fix-password-cpanel.sh

#!/bin/bash

# Run as root

# Check	cPanel User
if [[ -z "${1+present}" ]]
then
  read -p "cPanel User  : " CPANELUSER
else
  CPANELUSER=$1
fi

# Generate random 20 character password
PASSWORD=$(LC_CTYPE=C tr -dc A-Za-z0-9_\!\@\#\$\%\^\&\*\(\) < /dev/urandom | head -c 20)
echo ${PASSWORD}

# Allow password changing
export ALLOW_PASSWORD_CHANGE=1

# Replace password
/scripts/realchpass ${CPANELUSER} ${PASSWORD}
/scripts/ftpupdate
/scripts/mysqlpasswd ${CPANELUSER} ${PASSWORD}

echo "New cPanel Password:" >> /fix-hack/results
echo ${PASSWORD} >> /fix-hack/results
echo " " >> /fix-hack/results

fix-password-db.sh

#!/bin/bash

# Run as root

# Check	cPanel User
if [[ -z "${1+present}" ]]
then
  read -p "cPanel User  : " CPANELUSER
else
  CPANELUSER=$1
fi

# Enter directory
cd /home/${CPANELUSER}/public_html/

# Generate random 20 character password
PASSWORD=$(LC_CTYPE=C tr -dc A-Za-z0-9_\!\@\#\$\%\^\&\*\(\) < /dev/urandom | head -c 20)
echo ${PASSWORD}

# Find old password and user
if [ -f wp-config.php ]
then
  OLDPASS=$(cat wp-config.php | grep DB_PASS | cut -d \' -f 4)
  DBUSER=$(cat wp-config.php | grep DB_USER | cut -d \' -f 4)
  if [ -z	${DBUSER} ]
  then
    echo " "
  else
    replace ${OLDPASS} ${PASSWORD} -- wp-config.php
  fi
fi

if [ -f db-config.php ]
then
	OLDPASS=$(cat db-config.php | grep DB_PASS | cut -d \' -f 4)
	DBUSER=$(cat db-config.php | grep DB_USER | cut -d \' -f 4)
  if [ -z	${DBUSER} ]
  then
    echo " "
  else
    replace "$OLDPASS" "$PASSWORD" -- db-config.php
  fi
fi

if [ -f	stage-config.php ]
then
  OLDPASS=$(cat stage-config.php | grep DB_PASS | cut -d \' -f 4)
  DBUSER=$(cat stage-config.php | grep DB_USER | cut -d \' -f 4)
  if [ -z	${DBUSER} ]
  then
    echo " "
  else
    replace "$OLDPASS" "$PASSWORD" -- stage-config.php
  fi
fi

if [ -z ${DBUSER} ]
then
  echo "DATABASE PASSWORD NOT CHANGED"
else
  # Update mysql pasword
  mysql -u root -e "SET PASSWORD FOR ${DBUSER}@localhost = PASSWORD('${PASSWORD}');"

  echo "Database Password Changed:" >> /fix-hack/results
fi

echo ${DBUSER}
echo ${PASSWORD}
echo ${OLDPASS}

echo "DB_USER:" >> /fix-hack/results
echo ${DBUSER} >> /fix-hack/results
echo "DB_PASS:" >> /fix-hack/results
echo ${PASSWORD} >> /fix-hack/results
echo "OLD PASSWORD:" >> /fix-hack/results
echo ${OLDPASS} >> /fix-hack/results
echo " " >> /fix-hack/results

fix-password-wp.sh

#!/bin/bash

# Run as user
# This script requires WP-CLI (http://wp-cli.org/)

# Get cPanel user
if [[ -z "${1+present}" ]]
then
    read -p "cPanel User  : " CPANELUSER
else
    CPANELUSER=$1
fi

# Enter directory
cd ~/public_html/

# generate random 20 character password
PASSWORD=$(LC_CTYPE=C tr -dc A-Za-z0-9_\!\@\#\$\%\^\&\*\(\)-+= < /dev/urandom | head -c 20)
echo ${PASSWORD}

# Check if hacked user
USER1=$(wp user get 1 --field=user_login)
echo ${USER1}

if [ ${USER1} == "anonx" ] || [ ${USER1} == "k2" ] || [ ${USER1} == "admin" ]
then

  if [ ${USER1} == "anonx" ]
  then
    echo "Hacked anonx found" >> /fix-hack/results
  fi

  if [ ${USER1} == "k2" ]
  then
    echo "Hacked k2 found" >> /fix-hack/results
  fi

  if [ ${USER1} == "admin" ]
  then
    echo "Hacked admin found" >> /fix-hack/results
  fi

  # Store original user email and make it fake so we can create new account
  OLDEMAIL=$(wp user get 1 --field=user_email)
  wp user update 1 [email protected]

  # Create new account with correct email and hide user from display name
  wp user create ${CPANELUSER} ${OLDEMAIL} --role=administrator --user_pass=${PASSWORD} --display_name=${CPANELUSER}user
  NEWID=$(wp user get ${CPANELUSER} --field=ID)
    wp user delete 1 --reassign=${NEWID}

    echo "New user password:" >> /fix-hack/results
    echo ${PASSWORD} >> /fix-hack/results
    echo " " >> /fix-hack/results
fi

fix-single-site.sh

#!/bin/bash

# Run as root
# This script runs multiple scripts to fix a hacked WordPress site

# Check	cPanel User
if [[ -z "${1+present}" ]]
then
  read -p "cPanel User  : " CPANELUSER
else
  CPANELUSER=$1
fi

# Add line break and site working on
echo "-------------------- " >> /fix-hack/results
echo ${CPANELUSER} >> /fix-hack/results
echo " "
echo ${CPANELUSER}

# Update cPanel password
bash /fix-hack/fix-password-cpanel.sh ${CPANELUSER}

# Update WP DB password
bash /fix-hack/fix-password-db.sh ${CPANELUSER}

# Update Hacked WP passwords
su -c "bash /fix-hack/fix-password-wp.sh" -s /bin/sh "${CPANELUSER}"

# Update Hacked WP passwords
su -c "bash /fix-hack/fix-update-wp.sh" -s /bin/sh "${CPANELUSER}"

fix-update-wp.sh

#!/bin/bash

# Run as user
# This script requires WP-CLI (http://wp-cli.org/)

# Get cPanel user
if [[ -z "${1+present}" ]]
then
  read -p "cPanel User  : " CPANELUSER
else
  CPANELUSER=$1
fi

# Enter directory
cd ~/public_html/

# Force latest version of WP
wp core update --force >> /fix-hack/results

# Update Plugins
wp plugin update --all

# Update Themes
wp theme update --all

# Echo any plugins that could not be updated
echo "Remaining plugins" >> /fix-hack/results
wp plugin list --update=available --format=csv --field=name >> /fix-hack/results