Created
January 24, 2024 16:31
-
-
Save joshterrill/222f4f0df1e5b3172c6eaf3dda3eb286 to your computer and use it in GitHub Desktop.
wordpress malware removal scripts from https://hacked.codes/2022/december-2022-php-wordpress-malware-analysis/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo "Renaming all plugins to temporarily disable them" | |
| for d in ./wp-content/plugins/*; do | |
| if [ -d "$d" ]; then | |
| mv -- "$d" "${d}_bak" | |
| fi | |
| done | |
| echo "Removing radio.php and fox.php malware files" | |
| find . -type f -name "radio.php" -delete | |
| find . -type f -name "fox.php" -delete | |
| # get rid of .htaccess malware modifications | |
| # no indentation because space needs to be preserved | |
| # for correct match | |
| echo "Checking all .htaccess files for malicious code and parsing it out if found" | |
| for entry in $(find . -type f -name ".htaccess"); do | |
| grep -ve '<FilesMatch ".(py|exe|php)$"> | |
| Order allow,deny | |
| Deny from all | |
| </FilesMatch> | |
| <FilesMatch " | |
| Order allow,deny | |
| Allow from all | |
| </FilesMatch>' $entry > $entry.tmp && mv -f $entry.tmp $entry | |
| done | |
| # find any reference to yygpKyqbDRBS1wcA and remove the code that references it, save the leftover to a new file | |
| echo "Removing malicious references: yygpKyqbDRBS1wcA" | |
| for entry in $(find . -type f -name "index.php"); do | |
| if grep -q "yygpKyqbDRBS1wcA" <<< $(cat $entry); then | |
| echo "Found malicious code at: $entry" | |
| grep -va "yygpKyqbDRBS1wcA" $entry > $entry.tmp && mv -f $entry.tmp $entry | |
| fi | |
| done | |
| # same as above, but a different malware string | |
| echo "Removing malicious references: O_0_O_OO00" | |
| for entry in $(find . -type f -name "index.php"); do | |
| if grep -q "O_0_O_OO00" <<< $(cat $entry); then | |
| echo "Found malicious code at: $entry" | |
| grep -va "O_0_O_OO00" $entry > $entry.tmp && mv -f $entry.tmp $entry | |
| fi | |
| done | |
| # same as above, but a different malware string | |
| echo "Removing malicious references: KgO0nNK9EtqSxItUosK" | |
| for entry in $(find . -type f -name "index.php"); do | |
| if grep -q "KgO0nNK9EtqSxItUosK" <<< $(cat $entry); then | |
| echo "Found malicious code at: $entry" | |
| grep -va "KgO0nNK9EtqSxItUosK" $entry > $entry.tmp && mv -f $entry.tmp $entry | |
| fi | |
| done | |
| # same as above, but a different malware string, however | |
| # this time we want to remove the file all together if it's | |
| # a non-index.php file. And if it is an index, we'll just | |
| # remove the malicious code | |
| echo "Removing malicious references: pqJf8tE3hI91PG7jjqev9dQmruSc" | |
| for entry in $(find . -type f -name "*.php"); do | |
| if grep -q "pqJf8tE3hI91PG7jjqev9dQmruSc" <<< $(cat $entry); then | |
| cp $entry $entry.tmp.cleanup # backup files before making changes | |
| if grep -q "$entry" <<< "index.php"; then | |
| echo "Found malicious index.php file, going to parse out malicious code at: $entry" | |
| grep -va "pqJf8tE3hI91PG7jjqev9dQmruSc" $entry > $entry.tmp && mv -f $entry.tmp $entry | |
| else | |
| echo "Found malicious non-index file at $entry. Removing..." | |
| rm -rf $entry | |
| fi | |
| fi | |
| done | |
| # for good measure | |
| echo "Another pass at removing radio.php and fox.php in case they were re-added while script was running" | |
| find . -type f -name "radio.php" -delete | |
| find . -type f -name "fox.php" -delete | |
| # find . -type f -name "*.tmp.cleanup" -delete | |
| # cleanup | |
| # for entry in $(find . -type f -name "index.php"); do | |
| # if grep -zP "\<\?php\r\n\?\>" $entry; then | |
| # echo "Found code that needs to be cleaned up at: $entry" | |
| # # grep -zP -v "\<\?php\r\n\?\>" $entry > $entry.tmp && mv -f $entry.tmp $entry | |
| # fi | |
| # done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment