@mrl22
Last active December 3, 2024 18:28
Remove WordPress Virus Malware PHP basename() include_once()
if ( file_exists( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' ) ) { 
    include_once( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' ); 
}

You are probably here because you Google'd the above PHP code.

I searched Google, but couldn't find a working solution, so I wrote one!

My understanding of this virus / malware is that it creates a lot of publicly accessible files within WordPress which are an obfuscated file manager for scumbags to access anything they want inside WordPress. These files also reinfect other WordPress files when run.

The obfuscated PHP files are included using include_once() in key WordPress files so that the malware is constantly being run when people visit your website, making it hard to remove.

The Process

Upload the attached clean.php file into your home or WordPress directory and run it to find all infected files.

php clean.php

clean.php will display all injected files and let you know that it cleaned them. It will run twice to make sure it got all it could find.

You can do this on live. I have used this around 6 times now and it does not break the website, but I always suggest you make a backup first.

Your site should now be fixed!

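<?php
echo 'Scanning ... ';
scanPhp(__DIR__);
echo ' DONE!' . PHP_EOL;
echo PHP_EOL . 'Running a second time to make sure. If no infected files are found, you\'re good! ... ';
scanPhp(__DIR__);
echo ' DONE!' . PHP_EOL;

// Recursively walk $dir and pass every .php file to cleanFile().
function scanPhp($dir)
{
    $filter = '/\.php$/';
    $files = scandir($dir);
    if ($files === false) {
        return; // unreadable directory
    }
    foreach ($files as $value) {
        if ($value === '.' || $value === '..') {
            continue;
        }
        $path = realpath($dir . DIRECTORY_SEPARATOR . $value);
        if ($path === false) {
            continue; // broken symlink, or the entry vanished during the scan
        }
        if (!is_dir($path)) {
            if (empty($filter) || preg_match($filter, $path)) {
                cleanFile($path);
            }
        } else {
            scanPhp($path);
        }
    }
}

// Delete obfuscated payload files and strip the injected loader from other files.
function cleanFile($path)
{
    $file = file_get_contents($path);
    if ($file === false) {
        return; // unreadable file
    }

    // Marker of the obfuscated payload files. It is built by concatenation, so
    // clean.php does not contain the contiguous marker and does not delete itself.
    $string = "md5( "."sha1( md5(";
    if (strripos($file, $string) !== false) {
        echo 'Found in: ' . $path . ' ... ';
        unlink($path);
        echo 'REMOVED!' . PHP_EOL;
        return;
    }

    // The injected loader, matched exactly as written here (CRLF line endings).
    $string = "if ( file_exists( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' ) ) {\r\n include_once( plugin_dir_path( __FILE__ ) . '/.' . basename( plugin_dir_path( __FILE__ ) ) . '.php' );\r\n}\r\n";
    if (strripos($file, $string) !== false) {
        echo 'Found in: ' . $path . ' ... ';
        $file = str_replace($string, '', $file);
        file_put_contents($path, $file);
        echo 'CLEANED!' . PHP_EOL;
    }
}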
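
A read-only audit to run before clean.php, as an added example that is not part of the gist: it lists files carrying the injected loader (matched tolerantly of whitespace and line endings, where clean.php searches for one exact CRLF string) and dotfiles named `.<directory>.php`, which is the path the loader includes. The file name audit.php, the function auditTree and the constant LOADER_RE are assumptions of this example.

```php
<?php
// Added example: read-only audit, nothing is deleted or rewritten.
// Usage (assumed file name): php audit.php /path/to/wordpress

// Whitespace-tolerant form of the injected loader shown at the top of this page.
const LOADER_RE = '~include_once\s*\(\s*plugin_dir_path\s*\(\s*__FILE__\s*\)\s*\.\s*\'/\.\'\s*\.\s*basename\s*\(~i';

function auditTree(string $root): array
{
    $root = realpath($root);
    if ($root === false) {
        throw new InvalidArgumentException('Scan root does not exist');
    }
    $findings = ['loader' => [], 'hidden' => []];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories
    );
    foreach ($it as $file) {
        if (!$file->isFile() || $file->isLink()) {
            continue;
        }
        // The loader includes '<dir>/.<dir>.php': a dotfile named after its own directory.
        if ($file->getFilename() === '.' . basename($file->getPath()) . '.php') {
            $findings['hidden'][] = $file->getPathname();
            continue;
        }
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $src = @file_get_contents($file->getPathname());
        if ($src !== false && preg_match(LOADER_RE, $src)) {
            $findings['loader'][] = $file->getPathname();
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') { // report only when run from the command line
    $found = auditTree($argv[1] ?? __DIR__);
    foreach ($found['hidden'] as $p) {
        echo "HIDDEN PAYLOAD  $p" . PHP_EOL;
    }
    foreach ($found['loader'] as $p) {
        echo "LOADER INJECTED $p" . PHP_EOL;
    }
    exit(($found['hidden'] || $found['loader']) ? 1 : 0);
}
```

clean.php holds the loader text as a string literal, so it appears in the LOADER INJECTED list when it sits inside the scanned tree.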
@Topcityvibe

How can I run it live? Could you provide a screenshot?
