Last active
December 7, 2023 20:18
Gist: unculturedswine/9ed5805647c6ed3017fe59e21575cd1a
```nginx
## Potentially (Hopefully!) block the .*.ico malware that keeps infecting everything
## Those files contain malicious PHP that injects all sorts of garbage all around the server
## To see if you have any .ico files run this command: find / -name ".*.ico" -print
## This command will search the full server
## The files will be hidden and look something like .u834R9u4.ico
## Ultimately these will create random themes and/or plugins in your site folders that send spam
## This is easy to remove (just delete) but it's a PITA as they just keep coming back within days
## If you'd like to bulk delete them all, run this command: find /var/www -name ".*.ico" -print0 | xargs -0 rm
## This command will search only the /var/www folder and its sub-folders
## Add this snippet to /etc/nginx/common/locations-wo.conf to *potentially* stop these files from doing anything
## It'll block HTTP requests for all .ico files except favicon.ico
location ~* ^/(?!favicon\.ico$).*\.ico$ {
    deny all;
    access_log off;
    log_not_found off;
}
## I'm running NGINX, so there's no need for .htaccess files, and yet these also appear
## So let's throw this in for good measure
location ~* /\.htaccess {
    deny all;
    access_log off;
    log_not_found off;
}
## Found malicious code in a .oti file, whatever that is
location ~* \.oti$ {
    deny all;
    access_log off;
    log_not_found off;
}
```
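The gist deletes the hidden `.ico` files with `find ... | xargs -0 rm`. The script below is an added example, not part of the gist: it walks the same `find -name ".*.ico"` search, records which of the files actually carry a PHP open tag, and moves them into a quarantine directory outside the web root instead of deleting them, so a sample survives for later analysis and for matching against the PHP files that were modified to load them. The function names, the manifest format and the quarantine path are my own choices; the web root and quarantine directory are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the gist): quarantine hidden .*.ico droppers
# instead of rm-ing them, keeping a manifest of where each one came from.
# Function names, manifest layout and the sample paths are constructed here.
set -eu

# Return 0 when a file contains a PHP open tag, 1 otherwise.
# A real .ico image never contains "<?php"; the droppers described above do.
has_php_tag() {
  grep -q '<?php' "$1" 2>/dev/null
}

# List hidden .ico files under $1, one per line (same search as the gist).
find_hidden_ico() {
  find "$1" -type f -name ".*.ico" -print
}

# Move every hidden .ico under $1 into $2/<path with / replaced by _>,
# strip its permissions, and append "php|no-php <tab> origin <tab> dest"
# to $2/manifest.txt. Prints the number of files quarantined.
quarantine_hidden_ico() {
  root=$1
  qdir=$2
  mkdir -p "$qdir"
  : > "$qdir/manifest.txt"
  # -exec ... {} + hands the matches to one inner shell, so no line-splitting
  # of find output is needed.
  find "$root" -type f -name ".*.ico" -exec sh -c '
    qdir=$1; shift
    for f; do
      if grep -q "<?php" "$f"; then tag=php; else tag=no-php; fi
      name=$(printf "%s" "$f" | tr "/" "_")
      mv -- "$f" "$qdir/$name"
      chmod 000 "$qdir/$name"
      printf "%s\t%s\t%s\n" "$tag" "$f" "$qdir/$name" >> "$qdir/manifest.txt"
    done
  ' sh "$qdir" {} +
  wc -l < "$qdir/manifest.txt" | tr -d ' '
}

# Usage: ./quarantine-ico.sh /var/www /root/ico-quarantine
if [ $# -eq 2 ]; then
  n=$(quarantine_hidden_ico "$1" "$2")
  printf 'quarantined %s hidden .ico file(s); see %s/manifest.txt\n' "$n" "$2"
fi
```

Run it as root against the web root, then review `manifest.txt`: entries tagged `php` are the droppers the gist describes, and the `no-php` entries deserve a look before anything is discarded, since a legitimate hidden `.ico` is rare but possible.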
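Two things about the `location ~* ^/(?!favicon\.ico$).*\.ico$` rule are easy to miss. First, it only governs HTTP requests: a dropper that an already-infected PHP file pulls in with `include` from disk is executed by PHP regardless of what nginx denies, so the rule limits exposure but is not a cleanup. Second, nginx checks regex locations in the order they appear and the first match wins, so a static-asset rule such as `location ~* \.(css|js|ico)$` placed earlier in the config will take precedence over this one. The helper below is an added example, not from the gist; it evaluates the rule's effective semantics (URI starts with `/`, ends with `.ico` in any case, and is not exactly `/favicon.ico`, which is what the negative lookahead expresses) with plain `case` patterns so it runs without PCRE support in `grep`, and classifies a few constructed request paths.

```shell
#!/bin/sh
# Added example (not from the gist): which request paths the
# "location ~* ^/(?!favicon\.ico$).*\.ico$ { deny all; }" rule denies.
# The lookahead regex is equivalent to: starts with "/", ends with ".ico"
# (case-insensitive, because of ~*) and is not exactly "/favicon.ico".
# That equivalent test is written with tr + case here (my own helper names).
set -eu

# Return 0 when the rule would deny the request path in $1, 1 when it would
# let it through to whatever other location matches.
ico_rule_denies() {
  uri=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$uri" in
    /favicon.ico) return 1 ;;   # the one .ico the rule exempts
    /*.ico)       return 0 ;;   # every other .ico, at any depth
    *)            return 1 ;;   # not an .ico request at all
  esac
}

# Print "DENY  <uri>" or "ALLOW <uri>" for each argument.
classify_uris() {
  for u; do
    if ico_rule_denies "$u"; then
      printf 'DENY  %s\n' "$u"
    else
      printf 'ALLOW %s\n' "$u"
    fi
  done
}

# Constructed sample paths: note that a favicon living under a theme
# directory is denied too, and that a ".ico.php" name is not covered.
classify_uris \
  /favicon.ico \
  /FAVICON.ICO \
  /.u834R9u4.ico \
  /wp-content/uploads/.x1y2z3.ico \
  /wp-content/themes/example/favicon.ico \
  /.x1y2z3.ico.php
```

After adding the snippet to the nginx config, validate it with `nginx -t` before reloading; if a theme serves its own `favicon.ico` from a subdirectory, expect that request to be denied as well and decide whether that is acceptable.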
This article is much more thorough for hunting down all the malicious files: https://medium.com/@mtoydev/cleaning-an-infected-wordpress-website-ico-virus-3f2e67d681bf