Thanks to MailPoet and Revolution Slider, my websites went through multiple attacks.
I noticed the problems mainly because, when I open the plugins list, a lot of errors like “Plugin ABC deactivated..” come up.
This is because the plugin's main file was not starting with its regular comment, but with the malicious code.
A lot of files (1000+) were starting like this
Others (50+) were starting like this, and other random vars
Tired of these hacks, I wrote a small .cs console app for cleaning these files.
Other websites suggest a .sh script, but I’m a Windows user and I’d use its tools.
Feel free to use/edit/whatever this code:
```csharp
using System;
using System.Text;
using System.IO;
using System.Text.RegularExpressions;

namespace ConsoleApplicationCleanWordpress
{
    class Program
    {
        // Matches the injected block at the very start of the file:
        // <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) ... ?>
        // Without RegexOptions.Singleline, ".*" stops at the first line break,
        // so only an injection that sits on the first line is matched.
        static Regex re = new Regex(@"^<\?php\sif\(\!isset\(\$GLOBALS\[" + "\"" + @"\\x61\\156\\x75\\156\\x61" + "\"" + @"\]\)\)\s.*\s\?>");
        // Pattern for the second variant:
        //static Regex re = new Regex(@"^<\?php.*(\#\-\!OVMM\*\<%x22%51%x29%51%x29%73"", NULL\);).*\s\?>");

        static int count = 0;

        static void Main(string[] args)
        {
            cleanFolder(@"C:\Users\max\Desktop\public_html");
            Console.WriteLine(count + " infected files.");
            Console.WriteLine("THE END!");
            Console.ReadLine();
        }

        // Walks the folder tree depth-first and cleans every .php file.
        private static void cleanFolder(string folder)
        {
            var di = new DirectoryInfo(folder);
            foreach (var subfolder in di.GetDirectories())
                cleanFolder(subfolder.FullName);

            /*
            foreach (var file in di.GetFiles())
            {
                if (file.FullName.ToLower().EndsWith(".php"))
                    cleanFile(file);
                else
                    file.Delete(); // don't need to upload it anymore (css, js, big files, etc)
            }
            */

            foreach (var file in di.GetFiles("*.php"))
                cleanFile(file);
        }

        // Keeps the infected original as <name>.php.bk and writes the cleaned
        // content back under the original name.
        private static void cleanFile(FileInfo file)
        {
            var content = File.ReadAllText(file.FullName);
            if (re.IsMatch(content))
            {
                var orig = file.FullName;
                Console.WriteLine(++count + " Infected: " + orig);
                file.MoveTo(orig + ".bk"); // throws if a .bk from an earlier run already exists
                File.WriteAllText(orig, re.Replace(content, ""));
            }
        }
    }
}
```
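Before letting the cleaner rewrite a thousand files, it helps to preview what it would strip. The following is an added example, not part of the original post: a dry-run check that uses the same marker but with a lazy, multi-line match, and flags any file whose remainder no longer looks like PHP. The class name, the `Preview` helper and the sample file contents are constructed for illustration, and it assumes the injected block contains no `?>` of its own.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

class DryRunScan
{
    // Same marker as the cleaner above, but lazy (.*?) and Singleline, so the
    // match ends at the first "?>" even when the injected block spans lines.
    // Assumption: the injected block contains no "?>" of its own.
    static readonly Regex Injected = new Regex(
        @"^<\?php\sif\(!isset\(\$GLOBALS\[""\\x61\\156\\x75\\156\\x61""\]\)\)\s.*?\s\?>",
        RegexOptions.Singleline);

    // Returns null for a clean file, otherwise what would remain after cleaning.
    static string Preview(string content)
    {
        var m = Injected.Match(content);
        return m.Success ? content.Substring(m.Length) : null;
    }

    static void Main()
    {
        // Constructed samples, not real malware: the payload is a placeholder.
        const string marker =
            "<?php if(!isset($GLOBALS[\"\\x61\\156\\x75\\156\\x61\"])) { /* payload */ } ?>";
        var samples = new Dictionary<string, string>
        {
            ["clean.php"]     = "<?php\n/*\nPlugin Name: ABC\n*/\necho 'ok'; ?>",
            ["infected.php"]  = marker + "<?php\n/*\nPlugin Name: ABC\n*/\necho 'ok'; ?>",
            ["multiline.php"] = marker.Replace("{ ", "{\n") + "<?php\necho 'ok'; ?>",
            ["onlybad.php"]   = marker, // dropped file that is nothing but the payload
        };

        foreach (var s in samples)
        {
            var rest = Preview(s.Value);
            if (rest == null) { Console.WriteLine($"{s.Key}: clean"); continue; }
            // An empty remainder, or one not starting with "<?php", needs a manual look.
            bool plausible = rest.TrimStart().StartsWith("<?php");
            Console.WriteLine($"{s.Key}: infected, {s.Value.Length - rest.Length} chars to strip, "
                + (plausible ? "remainder looks like PHP" : "CHECK BY HAND"));
        }
    }
}
```

To run it against a real tree, feed `Preview` the result of `File.ReadAllText` for each `*.php` file instead of the constructed samples.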
Other resources: