@rbarros
Created February 12, 2015 20:29
This script removes malware from PHP files.
#!/bin/bash
#
# This script removes malware from PHP files.
#
# In this case it removes some malicious code that sits at
# the top of every WordPress PHP file.
#
# The string at the top of every file is:
#
# <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x$
#
# This script looks for the string inside $_SERVER on the
# line above, at the top of each file, to determine whether
# the file is infected. If you run the script and nothing
# seems to be infected but you suspect it and want to be
# sure, open any WordPress PHP file and check whether the
# malicious line is present. If it is present but the script
# did not detect it, the content inside $_SERVER is probably
# different. In that case, replace the string in the -e
# parameter of the grep line with the content of $_SERVER
# found in your PHP file (remember to escape each \ as \\\\)
# and run this removal script again.
#
# Usage: script.sh <directory> [clean]
#   Without a second argument, infected files are only listed.
#   With any second argument, each infected file is rewritten
#   and its infected original is kept next to it as <file>.bck
#   (move those backups out of the web root once checked).
#
# JavocSoft 2014
#
if [[ -z "$1" ]]; then
    echo "Directory where to find is required."
else
    # -r: recurse, -l: print only the names of matching files.
    # The pattern is the hex/octal-escaped form of HTTP_USER_AGENT
    # that the malware reads from $_SERVER; each \ is written as
    # \\\\ so that one backslash survives bash and one survives grep.
    grep -rl --include='*.php' -e "\\\\x48\\\\124\\\\x54\\\\120\\\\x5f\\\\125\\\\x53\\\\105\\\\x52\\\\137\\\\x41\\\\107\\\\x45\\\\116\\\\x54" -- "$1" | while IFS= read -r filename; do
        if [[ -n "$2" ]]; then
            echo "Found file $filename. Cleaning..."
            # On the first line only, delete everything before the last
            # "<?php" (the injected stub); every other line is copied as is.
            awk 'NR == 1 { sub(/^.*<\?php/, "<?php") } { print }' "$filename" > "$filename.purged"
            mv "$filename" "$filename.bck"
            mv "$filename.purged" "$filename"
        else
            echo "Found file $filename."
        fi
    done
    echo "Done."
fi
#!/bin/bash
#
# This script removes malware from PHP files.
#
# In this case it removes some malicious code that sits at
# the top of every WordPress PHP file.
#
# The string at the top of every file is:
#
# <?php $fcuiewotzw = '}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)
#
# This script looks for the string inside $_SERVER on the
# line above, at the top of each file, to determine whether
# the file is infected. If you run the script and nothing
# seems to be infected but you suspect it and want to be
# sure, open any WordPress PHP file and check whether the
# malicious line is present. If it is present but the script
# did not detect it, the content inside $_SERVER is probably
# different. In that case, replace the string in the -e
# parameter of the grep line with the content of $_SERVER
# found in your PHP file (remember to escape each \ as \\\\)
# and run this removal script again.
#
# Usage: script.sh <directory> [clean]
#   Without a second argument, infected files are only listed.
#   With any second argument, each infected file is rewritten
#   and its infected original is kept next to it as <file>.bck2
#   (move those backups out of the web root once checked).
#
# Ramon Barros 2015
#
if [[ -z "$1" ]]; then
    echo "Directory where to find is required."
else
    # -r: recurse, -l: print only the names of matching files.
    # The pattern is a hex/octal-escaped string characteristic of
    # this variant; each \ is written as \\\\ so that one backslash
    # survives bash and one survives grep.
    grep -rl --include='*.php' -e "\\\\x20\\\\57\\\\x2a\\\\40\\\\x65\\\\142\\\\x6e\\\\162\\\\x69\\\\143\\\\x75\\\\154" -- "$1" | while IFS= read -r filename; do
        if [[ -n "$2" ]]; then
            echo "Found file $filename. Cleaning..."
            # On the first line only, delete the injected "<?php ... ?>"
            # block from the start of the line up to the last "?>", leaving
            # the original code that follows; every other line is copied.
            awk 'NR == 1 { sub(/^<\?php.*\?>/, "") } { print }' "$filename" > "$filename.purged"
            mv "$filename" "$filename.bck2"
            mv "$filename.purged" "$filename"
        else
            echo "Found file $filename."
        fi
    done
    echo "Done."
fi
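Both scripts detect the infection by grepping for an escaped string inside `$_SERVER[...]` and then cut the first line back to the original `<?php` tag with awk. The following Python triage helper is an added example, not part of the gist: it decodes the `\xHH` / `\NNN` escapes the injected stub hides its strings with (so you can see that the grep pattern is simply `HTTP_USER_AGENT`) and performs the same first-line cut-back, but only when the decoded marker is really present. The infected first line below is constructed for the example and is not the gist's own (truncated) line.

```python
import re
from typing import List, Optional

# One PHP double-quoted-string escape: \xHH (1-2 hex digits) or \NNN (1-3 octal digits).
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
# A "..." literal made only of such escapes, the form the injected stub uses everywhere.
_OBFUSCATED_LITERAL = re.compile(r'"((?:\\x[0-9A-Fa-f]{1,2}|\\[0-7]{1,3})+)"')
# What the gist's grep pattern spells once decoded.
MARKER = "HTTP_USER_AGENT"


def decode_php_escapes(literal: str) -> str:
    """Expand \\xHH / \\NNN escapes the way PHP reads them in a double-quoted string."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return _ESCAPE.sub(repl, literal)


def decoded_literals(line: str) -> List[str]:
    """Decode every fully escape-obfuscated "..." literal on a line, in order."""
    return [decode_php_escapes(m.group(1)) for m in _OBFUSCATED_LITERAL.finditer(line)]


def clean_first_line(first_line: str) -> Optional[str]:
    """Cut an infected first line back to the original '<?php' tag (what the gist's
    awk sub() does), but only when the decoded marker is really present and a
    second '<?php' exists to cut back to. Returns None when nothing should change."""
    if MARKER not in decoded_literals(first_line):
        return None
    last_tag = first_line.rfind("<?php")
    if last_tag <= 0:
        return None
    return first_line[last_tag:]


# Constructed sample, not the gist's real (truncated) line: injected stub + original line.
INFECTED_FIRST_LINE = (
    r'<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { '
    r'$ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); '
    r'if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) '
    r'$GLOBALS["\x61\156\x75\156\x61"]=1; } ?>'
    r'<?php /* original first line of the WordPress file */'
)

if __name__ == "__main__":
    for text in decoded_literals(INFECTED_FIRST_LINE):
        print("decoded literal:", text)
    print("cleaned first line:", clean_first_line(INFECTED_FIRST_LINE))
```

Decoding the literals also shows why the stub checks the user agent: it only arms itself for visitors whose browser string contains neither "msie" nor "rv:11", which is worth knowing when reproducing the infection from a crawler or a curl request.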