Wordpress Cleaning Script (VestaCP specific)
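#!/bin/bash
## You will need pwgen in order for this to work
#
# Interactive setup for the WordPress cleaning run:
#   1. ask for the web root that holds one directory per domain,
#   2. ask whether to only report leftovers or to do the full reinstall,
#   3. print how often each working directory shows up in the exim log.

webrootdir=/home/admin/web/
echo "Enter your webroot directory"
echo "For example where domain names and public html directories are located, like here: $webrootdir: "
# Read into a scratch variable so that pressing Enter keeps the default
# instead of replacing it with an empty string.
read -r webroot_input
webrootdir=${webroot_input:-$webrootdir}

# The per-site loop builds paths as "$webrootdir$domaindir/public_html",
# so the value must end in a slash.
case "$webrootdir" in
  */) ;;
  *) webrootdir="$webrootdir/" ;;
esac

# Stop here on a wrong path: the later steps delete files relative to it.
if [ ! -d "$webrootdir" ]; then
  echo "Webroot directory not found: $webrootdir" >&2
  exit 1
fi

leftovers=no
echo "Check for leftovers only? (yes/no) - default $leftovers"
read -r leftovers_input
leftovers=${leftovers_input:-$leftovers}

# Only "no" triggers the destructive reinstall, so refuse anything that is
# not an explicit yes/no rather than guessing what a typo meant.
case "$leftovers" in
  yes | no) ;;
  *)
    echo "Please answer yes or no (got: $leftovers)" >&2
    exit 1
    ;;
esac

echo "Spammers";
# Count the cwd= values logged by exim, ignoring its own spool directory;
# directories with high counts are the sites submitting the most mail.
grep cwd /var/log/exim/main.log | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n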
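# Per-site pass over every <webroot>/<domain>/public_html directory.
#
# Always: record PHP files containing eval(base64_decode( in ../infectedfiles.txt,
# update plugins/themes and print the leftover reports.
# When $leftovers is "no": rotate the database password, purge script files
# from the uploads tree, replace WordPress core with a fresh download and
# regenerate wp-config.php.
#
# Every value read from wp-config.php comes from a site that is assumed to be
# compromised, so it is validated before it is used and before anything is
# deleted.

if [ -z "$webrootdir" ] || [ ! -d "$webrootdir" ]; then
  echo "Webroot directory not found: '$webrootdir'" >&2
  exit 1
fi
# Absolute path, so later iterations still resolve after cd-ing into a site.
webroot_abs=$(cd -- "$webrootdir" && pwd) || exit 1

# Print one value from ./wp-config.php.
#   $1 - grep pattern selecting the line
#   $2 - delimiter that separates the name from the value (',' or '=')
# Quotes, backslashes, ')' and ';' and all whitespace are stripped.
config_value() {
  grep -- "$1" wp-config.php | cut -d"$2" -f2 | sed -r "s/[\'\)\;\"]+//g" | sed 's/\s//g'
}

# Delete *.php, *.js and *.phtml files below directory $1 and print each
# removed path. The -name tests are grouped so that -type f and -exec apply
# to all three patterns; without the parentheses only *.phtml was removed.
purge_upload_scripts() {
  find "$1" -type f \( -name "*.php" -o -name "*.js" -o -name "*.phtml" \) -exec rm -f -- {} \; -print
}

# Full clean of the WordPress site in the current directory.
# Returns non-zero, without deleting anything, when the directory does not
# look like a WordPress docroot or its configuration cannot be read safely.
reinstall_site() {
  local multisite dbname dbuser dbprefix dbpass domain=""
  local name_re='^[A-Za-z0-9_][A-Za-z0-9_-]*$'
  local host_re='^[A-Za-z0-9.-]+$'
  local entry year_dir core_ok=yes
  local -a themes plugins

  # Without these two the later "rm -rf" would wipe a non-WordPress site.
  if [ ! -f wp-config.php ] || [ ! -d wp-content ]; then
    echo "No wp-config.php or wp-content in $PWD; leaving it untouched" >&2
    return 1
  fi
  # mv would nest into an existing directory instead of replacing it.
  if [ -e ../wp-content ]; then
    echo "$PWD/../wp-content already exists; resolve it by hand first" >&2
    return 1
  fi

  multisite=$(config_value "'MULTISITE'" ',')
  dbname=$(config_value "DB_NAME" ',')
  dbuser=$(config_value "DB_USER" ',')
  # shellcheck disable=SC2016 -- literal "$table_prefix" is the grep pattern
  dbprefix=$(config_value '$table_prefix' '=')

  # Rejects empty values, multi-line matches and anything unexpected.
  if ! [[ "$dbname" =~ $name_re && "$dbuser" =~ $name_re && "$dbprefix" =~ $name_re ]]; then
    echo "Could not read a clean DB name/user/prefix from $PWD/wp-config.php; leaving site untouched" >&2
    return 1
  fi
  if [ "$multisite" = "true" ]; then
    domain=$(config_value "DOMAIN_CURRENT_SITE" ',')
    # $domain is written into the new wp-config.php below.
    if ! [[ "$domain" =~ $host_re ]]; then
      echo "Could not read DOMAIN_CURRENT_SITE from $PWD/wp-config.php; leaving site untouched" >&2
      return 1
    fi
  fi

  type pwgen > /dev/null 2>&1 || sudo yum install pwgen
  dbpass=$(pwgen -ysBv 15 1)
  # An empty value here would otherwise set an empty database password.
  if [ -z "$dbpass" ]; then
    echo "pwgen produced no password; leaving site untouched" >&2
    return 1
  fi

  echo "Database name: $dbname"
  echo "Database user: $dbuser"
  # The password is not echoed: it would stay in terminal scrollback and
  # session logs. It is written to the regenerated wp-config.php.
  echo "Database password: written to $PWD/wp-config.php"

  # NOTE(review): the password is passed as an argument to this tool and to
  # "wp config create" below, so it is visible in the process list while
  # they run.
  if ! sudo /usr/local/vesta/bin/v-change-database-password admin "$dbname" "$dbpass"; then
    echo "Password change failed for $dbname; leaving site untouched" >&2
    return 1
  fi

  # Park wp-content outside the docroot while core is replaced.
  if ! mv -- wp-content ..; then
    echo "Could not move wp-content out of $PWD; the DB password was already changed, update wp-config.php by hand" >&2
    return 1
  fi

  for entry in ../wp-content/uploads/*/; do
    entry=${entry%/}
    # Skip symlinks so a planted link cannot steer the purge elsewhere.
    if [ ! -d "$entry" ] || [ -L "$entry" ]; then
      continue
    fi
    if [[ "${entry##*/}" =~ ^[0-9]+$ ]]; then
      purge_upload_scripts "$entry"
    elif [ "${entry##*/}" = "sites" ]; then
      # Multisite layout: uploads/sites/<site>/<year>/
      for year_dir in "$entry"/*/*/; do
        year_dir=${year_dir%/}
        if [ ! -d "$year_dir" ] || [ -L "$year_dir" ]; then
          continue
        fi
        if [[ "${year_dir##*/}" =~ ^[0-9]+$ ]]; then
          purge_upload_scripts "$year_dir"
        fi
      done
    fi
  done

  # Remove the old core files; "./" keeps odd file names from being read as
  # options.
  rm -rf -- ./*
  rm -rf -- .htaccess .ftpquota .user.ini

  wp core download || core_ok=no
  # Swap the stock wp-content for the site's own, even if the download failed.
  rm -rf -- wp-content
  mv -- ../wp-content . || echo "Could not restore wp-content; it is still at $PWD/../wp-content" >&2
  if [ "$core_ok" = "no" ]; then
    echo "wp core download failed in $PWD; site needs manual repair" >&2
    return 1
  fi

  if [ "$multisite" = "true" ]; then
    wp config create --dbprefix="$dbprefix" --dbname="$dbname" --dbuser="$dbuser" --dbpass="$dbpass" --force --extra-php << PHP
define('WP_MEMORY_LIMIT', '256M');
define('WP_MAX_MEMORY_LIMIT', '512M');
define( 'SUNRISE', 'on' );
define( 'WP_ALLOW_MULTISITE', true );
define( 'MULTISITE', true );
define( 'SUBDOMAIN_INSTALL', false );
define( 'DOMAIN_CURRENT_SITE', '$domain' );
define( 'PATH_CURRENT_SITE', '/' );
define( 'SITE_ID_CURRENT_SITE', 1 );
define( 'BLOG_ID_CURRENT_SITE', 1 );
PHP
  else
    wp config create --dbprefix="$dbprefix" --dbname="$dbname" --dbuser="$dbuser" --dbpass="$dbpass" --force --extra-php << PHP
define('WP_MEMORY_LIMIT', '256M');
define('WP_MAX_MEMORY_LIMIT', '512M');
PHP
  fi

  # Reinstall every theme and plugin by name so their files are replaced
  # with fresh copies.
  # NOTE(review): these wp calls load the restored wp-content, which may
  # still contain infected code at this point.
  mapfile -t themes < <(wp theme list --field=name)
  if [ "${#themes[@]}" -gt 0 ]; then
    wp theme install "${themes[@]}" --force
  fi
  if wp tgmpa-plugin info &> /dev/null; then
    wp tgmpa-plugin install --all --force
  fi
  mapfile -t plugins < <(wp plugin list --field=name)
  if [ "${#plugins[@]}" -gt 0 ]; then
    wp plugin install "${plugins[@]}" --force
  fi
}

for sitepath in "$webroot_abs"/*/; do
  webdir="${sitepath}public_html"
  echo "$webdir"
  # Never continue in the wrong directory: the steps below delete files
  # relative to the current directory.
  if ! cd -- "$webdir"; then
    echo "Skipping $webdir: cannot enter directory" >&2
    continue
  fi

  # -exec ... + avoids running grep on stdin when no PHP file exists.
  find . -name "*.php" -exec grep -El 'eval\(base64_decode\(' {} + >> ../infectedfiles.txt

  if [ "$leftovers" = "no" ]; then
    reinstall_site || echo "Full clean not completed for $webdir" >&2
  fi

  # "update --all" is the documented WP-CLI form of the update commands.
  wp plugin update --all
  wp theme update --all

  echo "Not cleaned recently modified files"
  find . -mtime -2 -ls
  echo "Base 64 encryption using files"
  grep -ril -- base64 ./*
  echo "Probably infected leftovers"
  find wp-content/uploads/ -type f -not -name "*.jpg" -not -name "*.png" -not -name "*.gif" -not -name "*.jpeg"
done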