Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
PHP.Anuna removal from WordPress
// Safety check
$CLEAN_MODE_ON = false;
$WORM_SIGNATURE = "2351,36,5581,28,1864,50,2418,35,1827,37,3770,62,3104,41,3975,39,5703,40,3950,25,2004,59,2739,32,1187,37,1914,30,2922";
echo "<div>IMPORTANT! Make sure you take your site offline and make a BACKUP of ALL files before switching on clean mode!</div>";
echo "<div>Listing all PHP files.</div>";
$di = new RecursiveDirectoryIterator(__DIR__,RecursiveDirectoryIterator::SKIP_DOTS);
$it = new RecursiveIteratorIterator($di);
foreach($it as $file) {
if (pathinfo($file, PATHINFO_EXTENSION) == "php" && pathinfo($file, PATHINFO_BASENAME) != basename(__FILE__) ) {
$fileContents = file_get_contents($file, FILE_USE_INCLUDE_PATH);
if (preg_match('/<\?php.+?\?>/ms', $fileContents, $matches, PREG_OFFSET_CAPTURE)){
// Check for the first match only - assume worm's php code block is the first one in the file.
$firstElem = $matches[0][0];
if(strpos($firstElem, $WORM_SIGNATURE) > 1){
echo "<div>" . $file . "; " . htmlentities(substr($firstElem, 0, 50) . " ........... " . substr($firstElem, strlen($firstElem)-50, strlen($firstElem))) . "</div>", PHP_EOL;
echo "<div>Cleaning the file...</div>";
$cleanedFileContents = str_replace($firstElem, '', $fileContents);
file_put_contents($file, $cleanedFileContents);
echo "<div>File cleaned!</div>";
echo "<div>Done. Exiting...</div>";
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.