PHP/WordPress Backdoor Removal
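#!/usr/bin/env bash
#
# WORDPRESS BASH SCRIPT TO CLEAN BACKDOOR FILES
#
# Greps a WordPress tree on a remote host for strings that are typical of
# PHP backdoors and prints the names of the files that contain them. With
# --delete the matching files are removed on the remote host instead of
# being listed, so run without it first and review the listing.
#
# Usage: script DOMAIN FOLDER [--delete]
#   DOMAIN    host reached as ubuntu@DOMAIN over ssh
#   FOLDER    directory on the remote host to scan recursively
#   --delete  remove every matching file instead of listing it
#
# Assumes: the ssh key in $HOME/aws.pem, passwordless sudo for the remote
# user, and GNU grep/xargs on the remote host (-F, -l, -r, xargs -0 -r).
set -euo pipefail

usage() {
  printf 'Usage: %s DOMAIN FOLDER [--delete]\n' "${0##*/}" >&2
  exit 2
}

# sh_quote STRING - print STRING single-quoted for a POSIX shell, so it
# survives exactly one round of shell parsing whatever characters it holds.
sh_quote() {
  local s=$1
  s=${s//\'/\'\\\'\'}
  printf "'%s'" "$s"
}

#######################################
# Run one grep on the remote tree and list (or delete) the matching files.
# Globals:   AWS_KEYFILE, DOMAIN, FOLDER, DELETE (read)
# Arguments: $1   - grep pattern (literal with -F, regex with -E)
#            $2.. - grep options, e.g. -rlwF
# Outputs:   a " :: pattern" header, then one matching file name per line
#            (no names are printed when --delete is active)
# Returns:   0 normally, 255 when ssh itself could not run the command
#######################################
scan() {
  local pattern=$1
  shift
  local remote_cmd rv=0
  printf ' :: %s > \n' "$pattern"
  # Pattern and folder are quoted once for the remote 'sh', then the whole
  # pipeline is quoted again for the login shell that ssh hands it to, so
  # values taken from the command line never reach either shell unquoted.
  # -l (passed by the callers) prints each file once; the former
  # "-n | cut -d: -f1" printed a name per matching line, which made rm fail
  # on the duplicates, and broke on file names containing ':'.
  remote_cmd="grep $* -e $(sh_quote "$pattern") -- $(sh_quote "$FOLDER")$DELETE"
  ssh -i "$AWS_KEYFILE" "ubuntu@$DOMAIN" "sudo sh -c $(sh_quote "$remote_cmd")" || rv=$?
  # grep exits 1 when nothing matched; that is the normal case, not an error.
  if (( rv == 255 )); then
    printf 'ssh to %s failed\n' "$DOMAIN" >&2
    return "$rv"
  elif (( rv > 1 )); then
    printf 'warning: scan for %s exited %d\n' "$pattern" "$rv" >&2
  fi
  return 0
}

main() {
  (( $# == 2 || $# == 3 )) || usage
  DOMAIN=$1
  FOLDER=$2
  AWS_KEYFILE=$HOME/aws.pem
  # Tail of the remote pipeline, only present with --delete. xargs -r keeps
  # 'rm' from being run with no arguments when a pattern matched nothing,
  # and '--' protects against file names that start with '-'.
  if [[ "${3-}" == "--delete" ]]; then
    DELETE=' | tr "\n" "\000" | xargs -0 -r rm -f --'
  elif (( $# == 3 )); then
    usage
  else
    DELETE=""
  fi

  # Fixed strings (-F) matched as whole words (-w), as the original greps
  # did; -F means no character in the pattern is a regex metacharacter.
  scan 'FilesMan' -rlwF
  scan '"base64_decode";return' -rlwF
  scan '; $GLOBALS' -rlwF
  scan '<?php ${' -rlwF
  # scan 'return base64_decode(' -rlwF   # disabled in the original as well
  scan '<?php $array = array(' -rlwF
  scan 'mail(stripslashes(' -rlwF
  scan '<?php @array_diff_ukey(' -rlwF
  scan '$_REQUEST[chr(' -rlwF
  scan '<?php $GLOBALS[' -rlwF
  # New backdoors
  scan 'eval(${' -rlwF
  scan 'isset(${' -rlwF
  scan 'PhpReverseProxy' -rlwF
  scan 'str_rot13(' -rlwF
  scan '@set_time_limit(0);' -rlwF
  scan 'strripos(@sha1(' -rlwF
  scan '@assert(' -rlwF
  scan 'made-in-china.com' -rlwF
  scan 'trim(curl_exec($ch))' -rlwF
  # Regex (-E), no whole-word constraint, as the original egrep -Rl call.
  scan 'function.*for.*strlen.*isset' -RlE
}

main "$@"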