{ Dev Farm }

WordPress and multiple malwares

Thanks to MailPoet and Revolution Slider, my websites ran into multiple attacks.

I noticed the problems mainly because, when I opened the plugins list, a lot of errors like “Plugin ABC deactivated..” came up.
This was because the plugin's main file was not starting with its regular comment, but with the malicious code.

A lot of files (1000+) started like this:


Others (50+) started like this, with other random vars:


Tired of these hacks, I wrote a small .cs console app for cleaning these files.
Other websites suggest a .sh script, but I’m a Windows user and I’d rather use its tools.

Feel free to use/edit/whatever this code:


using System;
using System.Text;
using System.IO;
using System.Text.RegularExpressions;

namespace ConsoleApplicationCleanWordpress
{
    class Program
    {

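        // Signature of the first variant: the file starts with
        // <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) ... ?>
        // "." does not match newlines, so the match ends at the last " ?>" of that line.
        static Regex re = new Regex(@"^<\?php\sif\(\!isset\(\$GLOBALS\[" + "\"" + @"\\x61\\156\\x75\\156\\x61" + "\"" + @"\]\)\)\s.*\s\?>");

        // Signature of the second variant; swap it in for the line above to clean those files.
        //static Regex re = new Regex(@"^<\?php.*(\#\-\!OVMM\*\<%x22%51%x29%51%x29%73"", NULL\);).*\s\?>");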

        static int count = 0;

        static void Main(string[] args)
        {
            cleanFolder(@"C:\Users\max\Desktop\public_html");

            Console.WriteLine(count + " infected files.");
            Console.WriteLine("THE END!");
            Console.ReadLine();

        }

        private static void cleanFolder(string folder)
        {
            var di = new DirectoryInfo(folder);

            foreach (var subfolder in di.GetDirectories())
                cleanFolder(subfolder.FullName);

            /*
            foreach (var file in di.GetFiles())
            {
                if (file.FullName.ToLower().EndsWith(".php"))
                    cleanFile(file);
                else
                    file.Delete(); // don't need to upload it anymore (css, js, big files, etc)
            }
            */

            foreach (var file in di.GetFiles("*.php"))
                cleanFile(file);

        }

        private static void cleanFile(FileInfo file)
        {
            var content = File.ReadAllText(file.FullName);
            if (re.IsMatch(content))
            {
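                var orig = file.FullName;
                Console.WriteLine(++count + " Infected: " + orig);
                // Keep the untouched (still infected) original next to it as .bk
                file.MoveTo(orig + ".bk");
                // Write the content back without the injected prefix
                File.WriteAllText(orig, re.Replace(content, ""));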
            }
        }
    }
}
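
A read-only pre-check for the cleaner above, as an added example that is not the author's code: it reports what the signature regex would remove from each file and flags the cases worth opening by hand before anything is overwritten. The class name `DryRunCheck`, the helper `Inspect` and the lazy variant of the regex are assumptions of this example, and the sample files are constructed with a placeholder instead of the real injected body.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

class DryRunCheck
{
    // Signature prefix taken from the cleaner's regex on this page.
    const string Sig = @"^<\?php\sif\(\!isset\(\$GLOBALS\[""\\x61\\156\\x75\\156\\x61""\]\)\)\s";
    static readonly Regex Greedy = new Regex(Sig + @".*\s\?>");  // as used by the cleaner
    static readonly Regex Lazy = new Regex(Sig + @".*?\s\?>");   // stops at the first " ?>"

    // Returns null for a file without the signature, otherwise a verdict. Never writes.
    static string Inspect(string content)
    {
        var g = Greedy.Match(content);
        if (!g.Success) return null;
        var l = Lazy.Match(content);
        if (g.Length != l.Length)
            return "REVIEW: several \" ?>\" on line 1, removal would take "
                 + g.Length + " chars instead of " + l.Length;
        string rest = content.Substring(g.Length).TrimStart();
        if (!rest.StartsWith("<?php", StringComparison.Ordinal))
            return "REVIEW: what is left does not start with <?php";
        return "OK: would remove " + g.Length + " chars";
    }

    static void Main(string[] args)
    {
        if (args.Length == 1)
        {
            // Real run: report only, the files are not modified.
            foreach (var path in Directory.EnumerateFiles(args[0], "*.php", SearchOption.AllDirectories))
            {
                var verdict = Inspect(File.ReadAllText(path));
                if (verdict != null) Console.WriteLine(verdict + "  " + path);
            }
            return;
        }
        // Constructed samples; the injected body is a placeholder, not real malware.
        string inj = "<?php if(!isset($GLOBALS[\"\\x61\\156\\x75\\156\\x61\"])) { /* PLACEHOLDER */ } ?>";
        string[] samples = {
            inj + "<?php\n/* Plugin Name: ABC */\n",   // typical infected plugin file
            inj + "<?php echo 1; ?>\n",                // the file's own code shares line 1
            "<?php\n/* Plugin Name: ABC */\n"          // clean file
        };
        foreach (var s in samples)
            Console.WriteLine(Inspect(s) ?? "clean");
    }
}
```

Run without arguments it prints the verdicts for the three constructed samples (OK, REVIEW, clean); run with a folder path it lists every matching `.php` file under that folder.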


Other resources:
