mikeeck
Forum Replies Created
Forum: Fixing WordPress
In reply to: Malicious files keeps coming back over and over again
Sorry, should have used the code button, these are in a better format.
<?php
//echo "starting dir ";
$dir = '/home/YOURACCOUNTNAME/public_html';
//echo "starting directory is <pre>$dir</pre>";
// log file (created if it does not exist, appended to otherwise)
$myfile = fopen("/home/YOURACCOUNTNAME/public_html/YOURFOLDER/icolist.txt", "a+") or die("Unable to open file!");
echo fwrite($myfile, "Today is " . date("Y/m/d") . "\n");
fclose($myfile);

// recursive search; returns the paths of the files it matched (and removed)
function findfile($location = '', $fileregex = '') {
    if (!$location or !is_dir($location) or !$fileregex) {
        //echo "false";
        return array(); // was false; returning an array keeps array_merge() below safe
    }
    $matchedfiles = array();
    $all = opendir($location);
    // readdir() returns false at the end; a plain truth test would stop early on a file named "0"
    while (($file = readdir($all)) !== false) {
        if ($file == "." or $file == "..") {
            continue;
        }
        $path = $location . '/' . $file;
        // do not follow symlinked directories (avoids loops and leaving public_html)
        if (is_dir($path) and !is_link($path)) {
            $subdir_matches = findfile($path, $fileregex);
            $matchedfiles = array_merge($matchedfiles, $subdir_matches);
        } elseif (!is_dir($path)) {
            if (preg_match($fileregex, $file)) {
                // here remove the file
                array_push($matchedfiles, $path);
                //echo("about to remove a file at... ");
                //echo($path);
                $myfile = fopen("/home/YOURACCOUNTNAME/public_html/YOURFOLDER/icolist.txt", "a+") or die("Unable to open file!");
                // REMOTE_ADDR only exists for web requests; under cron/CLI it is unset
                echo fwrite($myfile, ($_SERVER['REMOTE_ADDR'] ?? 'cli') . "\n");
                echo fwrite($myfile, $path . "\n\n");
                if (!unlink($path)) {
                    echo fwrite($myfile, "failed to remove " . $path . "\n\n");
                }
                fclose($myfile);
            }
        }
    }
    closedir($all);
    unset($all);
    return $matchedfiles;
}

// dot-prefixed .ico files only (anchored at both ends), so favicon.ico is left alone
$ico2files = findfile($dir, '/^\..+\.ico$/');
//print_r($ico2files);
?>
<?php
/* here reuse same file */
$fileold = '/home/YOURACCOUNTNAME/public_html/FOLDERWITHGOODFILES/index-no.php';
//echo "file-no.php is ", $fileold;
chmod($fileold, 0644);
$newfile = '/home/YOURACCOUNTNAME/public_html/INFECTEDFOLDER/.quarantine/index.php';
if (copy($fileold, $newfile)) {
    chmod($newfile, 0644); // only set permissions on a file that was actually written
} else {
    echo "failed to copy .quarantine $fileold...\n";
}
$newfile = '/home/YOURACCOUNTNAME/public_html/INFECTEDFOLDER/.tmb/index.php';
if (copy($fileold, $newfile)) {
    chmod($newfile, 0644);
} else {
    echo "failed to copy .tmb $fileold...\n";
}
// keep doing this and make this a cron job
…….
?>
Forum: Fixing WordPress
In reply to: Malicious files keeps coming back over and over again
I’ve had this ongoing problem and shared the issue with the IT team on my server. I have not been able to stop it, so I wrote a routine to scan for all .ico files beginning with a period and remove them daily in a cron job. I write the removed files to a log file. The hackers drop them daily.
In another routine (cron) I also clean up the index files (the comment section is used), and restore wp-config.php and wp-settings.php on the root. I’m also running a WordPress plugin for file change monitoring to catch the random PHP files dropped, which can be trickier to find.
My ico removal code is not elegant, but it works until a better solution is found. It runs a recursive search for files beginning with a . and ending in .ico. You should test this in a folder and a subfolder and add some .97404570.ico files to them. This will not remove your favicon.ico files. If the log file does not exist it will be created and appended to. By using absolute paths you can add the PHP file to a cron job. Note I am also trying to get the server IP address but this does not show up in the log file. Not sure why.
All best.
————————————–
<?php
//echo "starting dir ";
$dir = '/home/YOURACCOUNTNAME/public_html';
//echo "starting directory is <pre>$dir</pre>";
// log file (created if it does not exist, appended to otherwise)
$myfile = fopen("/home/YOURACCOUNTNAME/public_html/YOURFOLDER/icolog.txt", "a+") or die("Unable to open file!");
echo fwrite($myfile, "Today is " . date("Y/m/d") . "\n");
fclose($myfile);

// recursive search; returns the paths of the files it matched (and removed)
function findfile($location = '', $fileregex = '') {
    if (!$location or !is_dir($location) or !$fileregex) {
        //echo "false";
        return array(); // was false; returning an array keeps array_merge() below safe
    }
    $matchedfiles = array();
    $all = opendir($location);
    // readdir() returns false at the end; a plain truth test would stop early on a file named "0"
    while (($file = readdir($all)) !== false) {
        if ($file == "." or $file == "..") {
            continue;
        }
        $path = $location . '/' . $file;
        // do not follow symlinked directories (avoids loops and leaving public_html)
        if (is_dir($path) and !is_link($path)) {
            $subdir_matches = findfile($path, $fileregex);
            $matchedfiles = array_merge($matchedfiles, $subdir_matches);
        } elseif (!is_dir($path)) {
            if (preg_match($fileregex, $file)) {
                // here add the file to an array
                array_push($matchedfiles, $path);
                //echo("about to remove a file at... ");
                //echo($path);
                // open log file
                $myfile = fopen("/home/YOURACCOUNTNAME/public_html/YOURFOLDER/icolog.txt", "a+") or die("Unable to open file!");
                // REMOTE_ADDR only exists for web requests; under cron/CLI it is unset
                echo fwrite($myfile, ($_SERVER['REMOTE_ADDR'] ?? 'cli') . "\n");
                echo fwrite($myfile, $path . "\n\n");
                // this removes the file
                if (!unlink($path)) {
                    echo fwrite($myfile, "failed to remove " . $path . "\n\n");
                }
                fclose($myfile);
            }
        }
    }
    closedir($all);
    unset($all);
    return $matchedfiles;
}

// here is the call and regex string to find ico files beginning with a period
// (anchored at both ends, so favicon.ico is left alone)
$ico2files = findfile($dir, '/^\..+\.ico$/');
//print_r($ico2files);
?>
—————————
Here is a snippet of the cleaning of the index.php files. It’s just file replacement. You need to search your public_html for these infected index.php files and add them to this routine. This includes wp-config.php and wp-settings.php.
—————————
<?php
/* here reuse same file */
$fileold = '/home/YOURACCOUNTNAME/public_html/FOLDERWITHGOODFILES/index-no.php';
//echo "file-no.php is ", $fileold;
chmod($fileold, 0644);
$newfile = '/home/YOURACCOUNTNAME/public_html/INFECTEDFOLDER/.quarantine/index.php';
if (copy($fileold, $newfile)) {
    chmod($newfile, 0644); // only set permissions on a file that was actually written
} else {
    echo "failed to copy .quarantine $fileold...\n";
}
$newfile = '/home/YOURACCOUNTNAME/public_html/INFECTEDFOLDER/.tmb/index.php';
if (copy($fileold, $newfile)) {
    chmod($newfile, 0644);
} else {
    echo "failed to copy .tmb $fileold...\n";
}
// keep doing this and make this a cron job
…….
?>
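The two routines in the post above, the recursive scan for dot-prefixed .ico files and the copy-over of index.php, wp-config.php and wp-settings.php from clean copies, can be combined into a single cron script. The following is an added example and is not mikeeck's code or anything else from the thread. Instead of unlinking matches it moves them to a quarantine directory outside public_html and logs their SHA-256 hash, size and mtime, so the dropped files remain available for analysis and the drop times can be matched against the web server access log; the pinned files are replaced only when their hash differs from a known-good copy, and the tampered version is quarantined first. The account paths, the quarantine and known-good directory names, and the list of pinned files are all assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Intended to run from cron, e.g.
//   0 */6 * * * /usr/bin/php /home/YOURACCOUNTNAME/bin/cleanup.php
// Every path below is an assumption; adjust it to the account layout.
declare(strict_types=1);

$webroot    = '/home/YOURACCOUNTNAME/public_html';   // assumed WordPress root
$quarantine = '/home/YOURACCOUNTNAME/quarantine';    // assumed; deliberately outside the webroot
$goodDir    = '/home/YOURACCOUNTNAME/known-good';    // assumed clean copies, also outside the webroot
$logFile    = '/home/YOURACCOUNTNAME/cleanup.log';   // assumed

// Files kept pinned to their known-good copy (relative to $webroot; assumed list).
$pinned = ['index.php', 'wp-config.php', 'wp-settings.php'];

// Dot-prefixed .ico files only; favicon.ico does not match.
$dropperPattern = '/^\..+\.ico$/';

function logLine(string $logFile, string $msg): void
{
    file_put_contents($logFile, date('c') . ' ' . $msg . "\n", FILE_APPEND | LOCK_EX);
}

/** Regular files under $root whose basename matches $pattern. Symlinked directories are not followed. */
function findMatching(string $root, string $pattern): array
{
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    $hits = [];
    foreach ($iter as $info) {
        if ($info->isFile() && !$info->isLink() && preg_match($pattern, $info->getFilename())) {
            $hits[] = $info->getPathname();
        }
    }
    return $hits;
}

/** Move $path out of the webroot, recording hash, size and mtime for later analysis. */
function quarantineFile(string $path, string $webroot, string $quarantine, string $logFile): bool
{
    if (!is_dir($quarantine) && !mkdir($quarantine, 0700, true)) {
        logLine($logFile, "cannot create quarantine dir $quarantine");
        return false;
    }
    $rel   = ltrim(substr($path, strlen($webroot)), '/');
    $hash  = hash_file('sha256', $path);
    $size  = filesize($path);
    $mt    = filemtime($path);
    $mtime = ($mt === false) ? 'unknown' : date('c', $mt);
    // Flatten the relative path into the destination name; the original path stays in the log.
    $dest = $quarantine . '/' . date('Ymd-His') . '-' . str_replace('/', '__', $rel);
    if (!rename($path, $dest)) {
        logLine($logFile, "FAILED to quarantine $rel");
        return false;
    }
    chmod($dest, 0600); // never executable, never readable by other accounts
    logLine($logFile, "quarantined $rel -> $dest sha256=$hash size=$size mtime=$mtime");
    return true;
}

/** Restore $rel from $goodDir when its SHA-256 differs; the tampered copy is quarantined first. */
function restoreIfTampered(string $rel, string $webroot, string $goodDir, string $quarantine, string $logFile): bool
{
    $live = "$webroot/$rel";
    $good = "$goodDir/$rel";
    if (!is_file($good)) {
        logLine($logFile, "no known-good copy for $rel at $good, skipping");
        return false;
    }
    if (is_file($live) && hash_file('sha256', $live) === hash_file('sha256', $good)) {
        return false; // unchanged, nothing to do
    }
    if (is_file($live)) {
        quarantineFile($live, $webroot, $quarantine, $logFile);
    }
    if (!copy($good, $live)) {
        logLine($logFile, "FAILED to restore $rel");
        return false;
    }
    chmod($live, 0644);
    logLine($logFile, "restored $rel from known-good copy");
    return true;
}

foreach (findMatching($webroot, $dropperPattern) as $hit) {
    quarantineFile($hit, $webroot, $quarantine, $logFile);
}
foreach ($pinned as $rel) {
    restoreIfTampered($rel, $webroot, $goodDir, $quarantine, $logFile);
}
```

Two design points: the quarantine directory is created 0700 and the quarantined files set to 0600 because a quarantined wp-config.php still contains the database credentials, and the mtime written to the log is captured before the rename so it reflects when the attacker wrote the file; looking up that timestamp in the access log is the quickest way to find the request, and therefore the entry point, that keeps re-dropping the files.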