Thanks to MailPoet and Revolution Slider my websites run over multiple attaks.
I noticed problems mainly because, when I enter in the plugins’ list, a lot of errors like “Plugin ABC deactivated..” come out.
This because the plugin main file was not starting with its regular comment, but with the malevolent code.
A lot of files (1000+) was starting like this
Others (50+) was starting like this, and other random vars
Tired of this haks I wrote a small .cs colsole for cleaning this files.
Other websites suggest a .sh script but I’m a Windows user and I’d use its tools.
Feel free to use/edit/whatever this code:
using System;
using System.Text;
using System.IO;
using System.Text.RegularExpressions;
namespace ConsoleApplicationCleanWordpress
{
class Program
{
static Regex re = new Regex(@"^<\?php\sif\(\!isset\(\$GLOBALS\[" + "\"" + @"\\x61\\156\\x75\\156\\x61" + "\"" + @"\]\)\)\s.*\s\?>");
//static Regex re = new Regex(@"^<\?php.*(\#\-\!OVMM\*\<%x22%51%x29%51%x29%73"", NULL\);).*\s\?>");
static int count = 0;
static void Main(string[] args)
{
cleanFolder(@"C:\Users\max\Desktop\public_html");
Console.WriteLine(count + " infecetd files.");
Console.WriteLine("THE END!");
Console.ReadLine();
}
private static void cleanFolder(string folder)
{
var di = new DirectoryInfo(folder);
foreach (var subfolder in di.GetDirectories())
cleanFolder(subfolder.FullName);
/*
foreach (var file in di.GetFiles())
{
if (file.FullName.ToLower().EndsWith(".php"))
cleanFile(file);
else
file.Delete(); // don't need to upload it anymore (css, js, big files, etc)
}
*/
foreach (var file in di.GetFiles("*.php"))
cleanFile(file);
}
private static void cleanFile(FileInfo file)
{
var content = File.ReadAllText(file.FullName);
if (re.IsMatch(content))
{
var orig = file.FullName;
Console.WriteLine(++count + " Infected: " + orig);
file.MoveTo(orig + ".bk");
File.WriteAllText(orig, re.Replace(content, ""));
}
}
}
}
Other resources: