Infection Repair

disinfect.php

<?php

// Store a list of infected files
$infected = array();
$unrepairable = array();

echo "\nScanning for infected files in the current directory...\n\n";

// Scan all infected files in the current directory and strip out the infected line
foreach(new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator(realpath(dirname(__FILE__)), RecursiveDirectoryIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    ) as $file => $meh) {
    if(pathinfo($file, PATHINFO_EXTENSION) == 'php') {
        if($f = fopen($file, 'r+')) {
            $line = fgets($f);

            // Detect infection
            if(substr($line, 0, 17) == "<?php \$gyhweuqbjh") {
                echo "\nInfected: {$file}";
                $infected[] = $file;
            }

            fclose($f);
        }
    }
    else {
        echo ".";
    }
}

echo "\n\n";

echo count($infected) . " infected files found representing approximately " . ceil(12970 * count($infected) / 1024) . " KB of extra disk space...attempting to repair these files\n";

// Repair infected files
foreach($infected as $file) {
    if(!is_writable($file)) {
        echo "\nCould not repair " . basename($file);
        $unrepairable[] = $file;
    }
    else {
        $contents = file($file);
        $contents[0] = preg_replace('/<\?php \$gyhweuqbjh.*?\?>/', "", $contents[0]);
        if(!$contents[0]) {
            unset($contents[0]);
        }

        file_put_contents($file, $contents);
        echo "\nRepaired {$file}";
    }
}

echo "\n\nThere were " . count($unrepairable) . " unrepaired files";
echo "\n\n";