How To Cleanup Hacked WordPress PHP Code Using A Perl Script
erics, Posted March 21st, 2012 at 1:07:34am
Perl to the Rescue!
This Perl script cleans just one type of infection as an example. Vary the script to search for and clean other combinations and patterns. The script is deliberately written long-hand and verbose for ease of use and reading; it could be significantly more compact and efficient. It actually runs faster than it looks like it should… YMMV
VERSION 1
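```perl
#!/usr/bin/perl
use warnings;
use strict;

# 1 = dry run: print each matching line before and after the substitution.
# 0 = edit infected files in place, keeping the original as <file>.bad
#     (the .bad copy still contains the injected code).
my $debug = 1;
my $count;

# Candidate files: every .php file below the current directory that
# mentions base64_decode.
my @files = `grep -Rl --include='*.php' base64_decode *`;
chomp(@files);

foreach my $file (@files) {
    # Three-argument open treats $file strictly as a file name.
    open(my $in, '<', $file) or die "Cannot open $file: $!";
    $count = 0;
    print "ANALYZING: $file\n" if $debug;
    while (<$in>) {
        # Only lines containing both base64_decode and eval are counted.
        next unless /base64_decode/;
        next unless /eval/;
        $count++;
        next unless $debug;
        print;                                  # line as found
        s/eval\(base64_decode\(.*?\)\);//g;
        print;                                  # line after cleaning
        print "\n\n\n";
        next;
    }
    close $in;

    if ($count) {
        print "INFECTED: $file\n";
        unless ($debug) {
            local $^I   = '.bad';    # see perlvar(1) EDIT IN PLACE
            local @ARGV = ($file);
            while (<>) {
                # Remove the injected call, keep the rest of the line.
                s/eval\(base64_decode\(.*?\)\);//g;
                print;
            }
        }
    }
}

exit 0;
```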
VERSION 2
```perl
#!/usr/bin/perl
use warnings;
use strict;

my $debug = 0;    # 1 = also print every matching line
my $count;
my $total = 0;    # matching lines across all files

my @files = `grep -Rl --include='*.php' 'base64_decode(str_rot13' *`;
chomp(@files);

foreach my $file (@files) {
    # Three-argument open treats $file strictly as a file name.
    open(my $in, '<', $file) or die "Cannot open $file: $!";
    $count = 0;
    print "ANALYZING: $file\n" if $debug;
    while (<$in>) {
        # This infection puts all four markers on a single line.
        next unless /base64_decode/;
        next unless /str_rot13/;
        next unless /transient/;
        next unless /get_option/;
        $count++;
        $total++;
        next unless $debug;
        print;
        #s/eval\(base64_decode\(.*?\)\);//g;
        #print;
        print "\n";
        next;
    }
    close $in;

    if ($count) {
        print "INFECTED: $file\n";
        #unless ($debug) {
            # Edits in place regardless of $debug; original kept as <file>.bad
            local $^I   = '.bad';    # see perlvar(1) EDIT IN PLACE
            local @ARGV = ($file);
            while (<>) {
                # Drop the whole line when all four markers are present.
                next if (     /base64_decode/
                          and /str_rot13/
                          and /transient/
                          and /get_option/ );
                #s/eval\(base64_decode\(.*?\)\);//g;
                print;
            }
        #}
    }
    #last if $total == 2;
}

print "TOTAL: $total\n\n";
exit 0;
```
One Other Important Search – Manual Cleanup
```sh
grep -Rn --include='*.php' base64_decode * | grep gzinflate
```
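Before deleting a line found by the searches above, it helps to read what the obfuscated string actually contains. The script below is an added example, not part of the original post: it decodes, without executing anything, string literals wrapped in base64_decode, str_rot13 and gzinflate calls. The names decode_injections and %undo are hypothetical, the sample lines are constructed, and it assumes the payload is a quoted literal on the same line as the calls.

```perl
#!/usr/bin/perl
# Added example: decode (never execute) literals hidden in PHP decoder calls.
use strict; use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);
use IO::Compress::RawDeflate qw(rawdeflate);
use IO::Uncompress::RawInflate qw(rawinflate $RawInflateError);

# Perl equivalents of the three PHP functions this page greps for.
my %undo = (
    base64_decode => sub { decode_base64($_[0]) },
    str_rot13     => sub { $_[0] =~ tr/A-Za-z/N-ZA-Mn-za-m/r },    # Perl 5.14+
    gzinflate     => sub {    # PHP gzinflate() takes a raw DEFLATE stream
        my $in = shift;
        rawinflate(\$in => \my $out) or return "[gzinflate failed: $RawInflateError]";
        return $out;
    },
);

# Return the decoded text of every wrapped string literal found in $line.
# Assumption: the payload is a quoted literal on the same line as the calls.
sub decode_injections {
    my ($line) = @_;
    my @decoded;
    while ($line =~ m{((?:\b(?:base64_decode|str_rot13|gzinflate)\s*\(\s*)+)(["'])([A-Za-z0-9+/=]*)\2}g) {
        my ($calls, $data) = ($1, $3);
        # PHP runs the innermost call first, so undo the chain right to left.
        $data = $undo{$_}->($data) for reverse $calls =~ /(\w+)/g;
        push @decoded, $data;
    }
    return @decoded;
}

# With file arguments, report on those files; otherwise use constructed samples.
if (@ARGV) {
    for my $file (@ARGV) {
        open(my $in, '<', $file) or die "Cannot open $file: $!\n";
        printf "%s: %s\n", $file, $_ for map { decode_injections($_) } <$in>;
    }
} else {
    my $php = 'echo "constructed sample payload";';    # harmless stand-in
    rawdeflate(\$php => \my $deflated) or die "rawdeflate failed\n";
    my $b64 = encode_base64($php, '');
    my @samples = (
        "<?php eval(base64_decode('$b64')); ?>",
        "<?php eval(gzinflate(base64_decode('" . encode_base64($deflated, '') . "'))); ?>",
        '$x = base64_decode(str_rot13("' . $undo{str_rot13}->($b64) . '"));',
    );
    print "$_\n" for map { decode_injections($_) } @samples;
}
```

Run it with no arguments to decode the constructed samples, or pass the file names reported by grep to read the payloads in real files.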