Created
August 7, 2017 21:32
-
-
Save ignas-sakalauskas/35d636bc4a338251b900f57317090b6e to your computer and use it in GitHub Desktop.
PHP.Anuna removal from WordPress
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
// Safety check | |
$CLEAN_MODE_ON = false; | |
$WORM_SIGNATURE = "2351,36,5581,28,1864,50,2418,35,1827,37,3770,62,3104,41,3975,39,5703,40,3950,25,2004,59,2739,32,1187,37,1914,30,2922"; | |
echo "<div>IMPORTANT! Make sure you take your site offline and make a BACKUP of ALL files before switching on clean mode!</div>"; | |
echo "<div>Listing all PHP files.</div>"; | |
$di = new RecursiveDirectoryIterator(__DIR__,RecursiveDirectoryIterator::SKIP_DOTS); | |
$it = new RecursiveIteratorIterator($di); | |
foreach($it as $file) { | |
if (pathinfo($file, PATHINFO_EXTENSION) == "php" && pathinfo($file, PATHINFO_BASENAME) != basename(__FILE__) ) { | |
$fileContents = file_get_contents($file, FILE_USE_INCLUDE_PATH); | |
if (preg_match('/<\?php.+?\?>/ms', $fileContents, $matches, PREG_OFFSET_CAPTURE)){ | |
// Check for the first match only - assume worm's php code block is the first one in the file. | |
$firstElem = $matches[0][0]; | |
if(strpos($firstElem, $WORM_SIGNATURE) > 1){ | |
echo "<div>" . $file . "; " . htmlentities(substr($firstElem, 0, 50) . " ........... " . substr($firstElem, strlen($firstElem)-50, strlen($firstElem))) . "</div>", PHP_EOL; | |
if($CLEAN_MODE_ON){ | |
echo "<div>Cleaning the file...</div>"; | |
$cleanedFileContents = str_replace($firstElem, '', $fileContents); | |
file_put_contents($file, $cleanedFileContents); | |
echo "<div>File cleaned!</div>"; | |
} | |
} | |
} | |
} | |
} | |
echo "<div>Done. Exiting...</div>"; | |
?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment