@ignas-sakalauskas
Created August 7, 2017 21:32
PHP.Anuna removal from WordPress
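<?php
// Safety check: leave false for a dry run that only lists matching files.
// Switch to true only after taking the site offline and backing up ALL files.
$CLEAN_MODE_ON = false;
// Number sequence that identifies the injected PHP block.
$WORM_SIGNATURE = "2351,36,5581,28,1864,50,2418,35,1827,37,3770,62,3104,41,3975,39,5703,40,3950,25,2004,59,2739,32,1187,37,1914,30,2922";
echo "<div>IMPORTANT! Make sure you take your site offline and make a BACKUP of ALL files before switching on clean mode!</div>";
echo "<div>Listing all PHP files.</div>";
// Walk every file below the directory this script is placed in.
$di = new RecursiveDirectoryIterator(__DIR__, RecursiveDirectoryIterator::SKIP_DOTS);
$it = new RecursiveIteratorIterator($di);
foreach ($it as $file) {
    // Only .php files; skip files named like this script, which contains the signature itself.
    if (pathinfo($file, PATHINFO_EXTENSION) == "php" && pathinfo($file, PATHINFO_BASENAME) != basename(__FILE__)) {
        $fileContents = file_get_contents($file);
        if ($fileContents === false) {
            // Unreadable file: nothing to check.
            continue;
        }
        if (preg_match('/<\?php.+?\?>/ms', $fileContents, $matches, PREG_OFFSET_CAPTURE)) {
            // Check for the first match only - assume worm's php code block is the first one in the file.
            $firstElem = $matches[0][0];
            // strpos() returns false when the signature is absent, so compare strictly.
            if (strpos($firstElem, $WORM_SIGNATURE) !== false) {
                // Show the path plus the first and last 50 characters of the block, HTML-escaped.
                echo "<div>" . htmlentities($file) . "; " . htmlentities(substr($firstElem, 0, 50) . " ........... " . substr($firstElem, -50)) . "</div>", PHP_EOL;
                if ($CLEAN_MODE_ON) {
                    echo "<div>Cleaning the file...</div>";
                    // Remove the injected block and write the rest of the file back.
                    $cleanedFileContents = str_replace($firstElem, '', $fileContents);
                    if (file_put_contents($file, $cleanedFileContents) !== false) {
                        echo "<div>File cleaned!</div>";
                    } else {
                        echo "<div>Could not write the file!</div>";
                    }
                }
            }
        }
    }
}
echo "<div>Done. Exiting...</div>";
?>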