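# ==============================================================================
# Don't run this directly!
# Read the script and copy'n'paste the commands you need.
# Every command below assumes the current directory is the site's document root.
# ==============================================================================
# by CodeBrauer <codebrauer@gmail.com> 2017 v2.0.1
cd hacked_website/public_html/ || exit 1

# ============ Step 0) ============
#> Do a backup! If you have to use this script, it's clear you have no backups,
#> otherwise you would just restore a clean backup.
#> So do it now, you never know...
#> This will create a backup in the parent dir so nobody could download it.
#> Keep this archive untouched afterwards: it is also your only record of what
#> the site looked like (file contents and mtimes) before the cleanup changed it.
zip -r ../backup.zip .
unzip -l ../backup.zip # check zip is not broken (as I said, you never know...)

# ============ Step 1) ============
#> Scan with clamAV - this will find any trojans/viruses or anything else that
#> could be sent to your visitors
clamscan -ir .
# same scan through the clamd daemon (an explicit path, so it does not depend on
# the daemon's idea of "current directory")
clamdscan --stream --infected .

# ============ Step 2) ============
#> Download clean WordPress with your installed version and replace the old core
#> files with clean files. This only replaces the core: wp-content/ (plugins,
#> themes, uploads) is left as is and still needs step 3.
# version.php contains a line like: $wp_version = '4.9.8';
TMP_WP_VERSION=$(grep '^\$wp_version = ' wp-includes/version.php | cut -d "'" -f2)
# an empty version would silently fetch "wordpress-.zip"
: "${TMP_WP_VERSION:?could not read the version from wp-includes/version.php}"
wget "https://wordpress.org/wordpress-$TMP_WP_VERSION.zip" -O "wp.zip"
# Verify the archive against the SHA-1 that wordpress.org publishes next to
# every release (the .sha1 file holds the bare digest) BEFORE unpacking it over
# the site - a tampered or truncated download must not become your "clean" core.
# macOS: use "shasum wp.zip" instead of sha1sum.
wget "https://wordpress.org/wordpress-$TMP_WP_VERSION.zip.sha1" -O "wp.zip.sha1"
[ "$(sha1sum wp.zip | cut -d ' ' -f1)" = "$(cat wp.zip.sha1)" ] || echo "wp.zip: checksum mismatch - do NOT unpack it" >&2
unzip "wp.zip" && cp -al wordpress/* . && rm -r wordpress/ wp.zip wp.zip.sha1 # macOS
unzip "wp.zip" && cp -rf wordpress/* . && rm -r wordpress/ wp.zip wp.zip.sha1 # Linux

# ============ Step 3) ============
#> Find infected PHP files (especially your plugins & theme)
#> Watch out, there are some core files/libraries in WordPress that actually use
#> these functions/chars - not every file is evil.
# find last modified files
# (run this BEFORE step 2 or against the backup: replacing the core gives every
# core file a fresh mtime and buries the interesting ones)
find . -type f -print0 | xargs -0 stat --format '%Y :%y %n' | sort -nr | cut -d: -f2- | head
# find all files that use these evil functions
# (-exec ... {} + instead of "| xargs": filenames with spaces are safe, and an
# empty result does not make grep wait on stdin)
find . -type f -name '*.php' -exec grep -l "eval *(" --color {} +
find . -type f -name '*.php' -exec grep -l "gzinflate *(" --color {} +
find . -type f -name '*.php' -exec grep -l "base64_decode *(" --color {} +
# find all files with hex-style content (x29 = ")", x3B = ";")
find . -type f -name '*.php' -exec grep -il x29 --color {} +
find . -type f -name '*.php' -exec grep -il x3B --color {} +

# ============ Step 4) ============
#> Fix files and directories that are maybe your problem
# find silly permed directories
find . -type d -perm 0777
# anything world-writable at all (files too) - 0777 is only the most obvious case
find . -perm -0002
# fix permissions and owner (edit if needed)
# NOTE: if the webserver user owns everything, a compromised PHP process can
# rewrite any file, including the core you just replaced. Where your hosting
# allows it, prefer a separate deploy user as owner and give the webserver user
# write access only where WordPress needs it (e.g. wp-content/uploads).
# "." instead of "*" so dotfiles such as .htaccess are covered as well.
chown -R www-data:www-data . # Let Apache/your webserver-user be the owner
find . -type d -exec chmod 755 {} + # Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} + # Change file permissions rw-r--r--
chmod 640 wp-config.php # Only you & the group should see the wp-config.php

# ============ Step 5) ============
#> find bad htaccess tricks
#> check if somebody appends malicious javascript to your pages
# (-H always prints the file name, even when only one .htaccess exists)
find . -type f -name '.htaccess' -exec grep -iH auto_prepend_file {} +
find . -type f -name '.htaccess' -exec grep -iH auto_append_file {} +
find . -type f -name '.htaccess' -exec grep -iH http {} +

# ============ Step 6) ============
#> Search for hidden PHP files in uploads (e.g. php files named jpg)
# -iname and the extra suffixes also catch .PHP / .php5 / .phtml
find wp-content/uploads -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \)
find wp-content/uploads -type f -exec grep -il php {} +
find wp-content/uploads -type f -iname '*.jpg' -exec grep -il php {} +
# image metadata can legitimately contain the word "php" - check hits manually,
# e.g. a real image is reported as image data by file(1)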