Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
PHP.Anuna removal from WordPress
<?php
// Safety check
$CLEAN_MODE_ON = false;
$WORM_SIGNATURE = "2351,36,5581,28,1864,50,2418,35,1827,37,3770,62,3104,41,3975,39,5703,40,3950,25,2004,59,2739,32,1187,37,1914,30,2922";
echo "<div>IMPORTANT! Make sure you take your site offline and make a BACKUP of ALL files before switching on clean mode!</div>";
echo "<div>Listing all PHP files.</div>";
$di = new RecursiveDirectoryIterator(__DIR__,RecursiveDirectoryIterator::SKIP_DOTS);
$it = new RecursiveIteratorIterator($di);
foreach($it as $file) {
if (pathinfo($file, PATHINFO_EXTENSION) == "php" && pathinfo($file, PATHINFO_BASENAME) != basename(__FILE__) ) {
$fileContents = file_get_contents($file, FILE_USE_INCLUDE_PATH);
if (preg_match('/<\?php.+?\?>/ms', $fileContents, $matches, PREG_OFFSET_CAPTURE)){
// Check for the first match only - assume worm's php code block is the first one in the file.
$firstElem = $matches[0][0];
if(strpos($firstElem, $WORM_SIGNATURE) > 1){
echo "<div>" . $file . "; " . htmlentities(substr($firstElem, 0, 50) . " ........... " . substr($firstElem, strlen($firstElem)-50, strlen($firstElem))) . "</div>", PHP_EOL;
if($CLEAN_MODE_ON){
echo "<div>Cleaning the file...</div>";
$cleanedFileContents = str_replace($firstElem, '', $fileContents);
file_put_contents($file, $cleanedFileContents);
echo "<div>File cleaned!</div>";
}
}
}
}
}
echo "<div>Done. Exiting...</div>";
?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.