{ Dev Farm }

Web & Windows Development

WordPress and multiple malwares


Thanks to MailPoet and Revolution Slider, my websites ran into multiple attacks.

I noticed the problem mainly because, when I open the plugins list, a lot of errors like “Plugin ABC deactivated..” come up.
This is because the plugin's main file was not starting with its regular comment, but with the malicious code.

A lot of files (1000+) were starting like this

Others (50+) were starting like this, and other random vars

Tired of these hacks, I wrote a small .cs console app for cleaning these files.
Other websites suggest a .sh script, but I’m a Windows user and I’d rather use its tools.

Feel free to use/edit/whatever this code:

using System;
using System.Text;
using System.IO;
using System.Text.RegularExpressions;

namespace ConsoleApplicationCleanWordpress
{
    class Program
    {
        // Matches the injected one-line PHP block at the very start of a file.
        static Regex re = new Regex(@"^<\?php\sif\(\!isset\(\$GLOBALS\[" + "\"" + @"\\x61\\156\\x75\\156\\x61" + "\"" + @"\]\)\)\s.*\s\?>");

        //static Regex re = new Regex(@"^<\?php.*(\#\-\!OVMM\*\<%x22%51%x29%51%x29%73"", NULL\);).*\s\?>");

        static int count = 0;

        static void Main(string[] args)
        {
            // Folder to clean: first argument, or the current directory if none is given.
            cleanFolder(args.Length > 0 ? args[0] : Directory.GetCurrentDirectory());

            Console.WriteLine(count + " infected files.");
            Console.WriteLine("THE END!");
        }

        private static void cleanFolder(string folder)
        {
            var di = new DirectoryInfo(folder);

            // Recurse into subfolders first.
            foreach (var subfolder in di.GetDirectories())
                cleanFolder(subfolder.FullName);

            // Destructive: removes every non-PHP file, so run this on a downloaded copy of the site.
            foreach (var file in di.GetFiles())
                if (!file.FullName.ToLower().EndsWith(".php"))
                    file.Delete(); // don't need to upload it anymore (css, js, big files, etc)

            foreach (var file in di.GetFiles("*.php"))
                cleanFile(file);
        }

        private static void cleanFile(FileInfo file)
        {
            var content = File.ReadAllText(file.FullName);
            if (re.IsMatch(content))
            {
                var orig = file.FullName;
                Console.WriteLine(++count + " Infected: " + orig);
                file.MoveTo(orig + ".bk");                        // keep the infected original as a backup
                File.WriteAllText(orig, re.Replace(content, "")); // write the cleaned copy under the original name
            }
        }
    }
}
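
A report-only companion to the cleaner above, as an added example (not the author's code): it lists PHP files whose first line carries the marker from the regex, or, as a heuristic for the variants that use other random variable names, a long first line that already closes a complete PHP block. The class name, the 300-character threshold and the sample files are assumptions made for this example; nothing is moved, rewritten or deleted.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;

// Report-only scan of the first line of every .php file under a folder.
static class PrependScan
{
    // Marker taken from the page's regex: $GLOBALS["\x61\156\x75\156\x61"] right after <?php.
    static readonly Regex Known = new Regex(
        @"^<\?php\sif\(\!isset\(\$GLOBALS\[""\\x61\\156\\x75\\156\\x61""\]\)\)");
    // Heuristic (assumption): a whole <?php ... ?> block closed on line 1, then more text.
    static readonly Regex Generic = new Regex(@"^<\?php\s.*\?>\s*\S");
    const int LongLine = 300; // constructed threshold for a suspiciously long first line

    public static string Classify(string firstLine)
    {
        if (Known.IsMatch(firstLine)) return "known-marker";
        if (firstLine.Length > LongLine && Generic.IsMatch(firstLine)) return "suspect-prepend";
        return "clean";
    }

    public static IEnumerable<(string Name, string Verdict)> Scan(string root) =>
        Directory.EnumerateFiles(root, "*.php", SearchOption.AllDirectories)
            .Select(p => (Name: p, Verdict: Classify(File.ReadLines(p).FirstOrDefault() ?? "")))
            .Where(r => r.Verdict != "clean");

    static void Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : MakeSample();
        foreach (var (path, verdict) in Scan(root))
            Console.WriteLine(verdict + "\t" + path);
    }

    // Constructed sample tree (inert placeholder bodies), used when no folder is given.
    static string MakeSample()
    {
        const string header = "\n/*\nPlugin Name: ABC\n*/\n";
        string dir = Directory.CreateDirectory(
            Path.Combine(Path.GetTempPath(), "prepend-scan-sample")).FullName;
        File.WriteAllText(Path.Combine(dir, "clean.php"), "<?php" + header);
        File.WriteAllText(Path.Combine(dir, "known.php"),
            "<?php if(!isset($GLOBALS[\"\\x61\\156\\x75\\156\\x61\"])) { /* placeholder */ } ?><?php" + header);
        File.WriteAllText(Path.Combine(dir, "other.php"),
            "<?php $x = '" + new string('A', 400) + "'; ?><?php" + header);
        return dir;
    }
}
```

Run without arguments, it scans the constructed sample and reports known.php as known-marker and other.php as suspect-prepend; files flagged only by the heuristic need a manual look before any cleanup.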

Other resources:
