I have a client that has multiple Wordpress installations, which he didn't keep up to date. As a result, he got hacked. While I try to find how the hackers got in, and fix the problem permanently, I'm trying to create a script to fix them quickly, automatically.
I found this script, which does what I want: http://designpx.com/tutorials/wordpress-security/
It automatically removes the <?php eval(base64_decode("aWY..."); ?> from every php file, but the regex it's using to do this also removes <?php get_header(); ?> if it follows the malicious code.
So, what I want is to change it, so it only removes the malicious code, but not the first line of php code as well. Here's the part of the script that does the replacing:
find $dir -name "*.php" -type f \
|xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1
What would I have to change so it stops at the first ?>, and not at the second?
Note: I know this is a quick, temporary fix, but it will do until the client makes up his mind about which sites he wants to fix, and which to erase.
Back up everything and scan it with your antivirus. On your server, delete all WP files except wp-config.php, then go to wordpress.org and download the latest version. Extract it to your computer and upload.
Check your backup theme files for infections.
Apart from the comments advising a reinstall, the regex question at hand might be greediness. The .*? placeholder ought to match the shortest amount of characters, but sed might have some limitations regarding line length etc. (Not sure.) But for constraining it further you could use [^>]* in its place, which will ensure it can't run over a closing ?>. The base64 couldn't possibly contain this anyway.

No need for some crazy scripts and whatnot. Hacks on PHP cannot work unless the file is infected. Removing it solved the problem.
And yes, it's possible to do even if you have multiple wordpress installations on the same server (WHY?!).
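The greedy-versus-constrained behaviour discussed in the regex answer, as an added shell example that is not part of the original question or answers. The infected line and its base64 payload are constructed placeholders, and the cleaners operate on a string rather than rewriting files in place, so the effect of each expression can be inspected before running the real find/xargs command.

```shell
#!/bin/sh
# Added example (not from the original thread): why the question's sed pattern
# also deletes the following <?php get_header(); ?>, and how the [^>]* variant
# from the answer stops at the first closing ?>.
# Constructed sample: the first line mimics an infected theme file; the base64
# payload is a meaningless placeholder, not a real injected string.
INFECTED='<?php /**/ eval(base64_decode("aWYgUExBQ0VIT0xERVI=")); ?><?php get_header(); ?>
<div id="content">'

# Pattern from the question. In sed's basic regex syntax a bare "?" is a literal
# character, so ".*?>" means "anything, greedily, then the literal ?>", which
# runs to the LAST ?> on the line and swallows the legitimate PHP tag after it.
greedy_clean() {
    printf '%s\n' "$1" | sed 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g'
}

# Fix suggested in the answer: [^>]* cannot cross a ">", so the match ends at
# the FIRST ?>. Base64 never contains ">", so the payload itself cannot stop it early.
constrained_clean() {
    printf '%s\n' "$1" | sed 's#<?php /\*\*/ eval(base64_decode("aWY[^>]*?>##g'
}

# Helper for inspecting the result: return only the first line of the output.
first_line() {
    printf '%s\n' "$1" | sed -n '1p'
}

# Before rewriting anything in place: list the files in a tree that still carry
# the marker, so the scope of the cleanup (and the backup) is known up front.
list_infected() {
    find "$1" -name '*.php' -type f -exec grep -l 'eval(base64_decode("aWY' {} +
}
```

Because sed works line by line, both expressions only help when the injected code and the tag that follows it share a line; a payload split across lines needs a different approach.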