Created
November 12, 2013 19:15
-
-
Save leobaiano/7436959 to your computer and use it in GitHub Desktop.
Limpando arquivos infectados por malware no WP eval(gzinflate(base64_decode EOF;
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
/** | |
* Shared Linux Hack Quick Fix | |
* ============================= | |
* @author theandystratton | |
* @url http://theandystratton.com/2010/godaddy-shared-linux-hosting-hack-fix | |
* | |
* THIS SCRIPT IS DISTRIBUTED AS IS WITH NO LICENSE, WARRANTY OR LIABILITY. RUN AT YOUR OWN RISK. | |
* | |
* BACK UP YOUR FILES BEFORE RUNNING THIS SCRIPT. | |
* | |
* Now that that's out of the way, let's get started: | |
* | |
* 1. Back up all of your files on your web server. You should be doing this anyway ;] | |
* 2. Upload this script to your document root. | |
* 3. Visit the script in a browser. | |
* 4. Review the amount of files you need to change/run through. | |
* 5. Press "Fix files" at the bottom of the page | |
* 6. For each file fixed, you'll get a confirmation message. | |
* | |
*/ | |
error_reporting(E_ALL); | |
// increase memory limit | |
ini_set('memory_limit', '256M'); | |
// no time limit | |
set_time_limit(0); | |
// partial string to search first line for | |
$hack_str = <<<EOF | |
<?php eval(gzinflate(base64_decode | |
EOF; | |
// Change $the_dir to the relative path you'd like to start searching/fixing in. | |
// You can use this if the script is timing out (or just move the script into subdirectories). | |
$the_dir = './'; | |
$initial_dir = realpath(dirname(__FILE__)); | |
function get_infected_files( $dir ) { | |
global $hack_str; | |
$dir = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR; | |
$d = opendir($dir); | |
$files = array(); | |
if ( $d ) { | |
while ( $f = readdir($d) ) { | |
$path = $dir . $f; | |
if ( is_dir($path) ) { | |
if ( $f != '.' && $f != '..' ) { | |
$more_files = get_infected_files($path); | |
if ( count($more_files) > 0 ) { | |
$files[] = $more_files; | |
} | |
} | |
} | |
else { | |
if ( strpos($f, '.php') !== false ) { | |
$contents = explode("\n", file_get_contents($path)); | |
if ( strpos($contents[0], $hack_str, 0) !== false ) { | |
$files[] = $path; | |
} | |
} | |
} | |
} | |
} | |
return $files; | |
} | |
function print_files( $files ) { | |
if ( count($files) > 0 ) { | |
foreach ( $files as $file ) { | |
if ( is_array($file) ) { | |
print_files($file); | |
} | |
else { | |
echo $file . '<br />'; | |
} | |
} | |
} | |
} | |
function fix_files( $files ) { | |
global $hack_str; | |
foreach ( $files as $file ) { | |
if ( is_array($file) ) { | |
fix_files($file); | |
} | |
else { | |
$contents = explode("\n", file_get_contents($file)); | |
unset($contents[0]); | |
$f = fopen($file, 'w'); | |
if ( $f ) { | |
$the_content = implode($contents, "\n"); | |
$the_content = preg_replace('/^\\s/', '<?php // Clear ?>', $the_content); // remove any leading whitespace. | |
fwrite($f, $the_content, strlen($the_content)); | |
fclose($f); | |
echo "Removed first line containing <code>" . htmlentities($hack_str) ."</code>from $file...<br />"; | |
} | |
} | |
} | |
} | |
function get_count( $files ) { | |
$count = count($files); | |
foreach ( $files as $file ) { | |
if ( is_array($file) ) { | |
$count--; // remove this because it's a directory | |
$count += get_count($file); | |
} | |
else { | |
$count ++; | |
} | |
} | |
return $count / 2; | |
} | |
?> | |
<h2><?php echo get_count($files); ?> Infected Files in <?php echo $the_dir; ?></h2> | |
<?php | |
$files = get_infected_files($the_dir); | |
fix_files( $files ); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment