File: //tmp/fix_shfava.py
import hashlib
import os
import re
import subprocess
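site = '/www/wwwroot/shfava.com'

# Remove disguised backdoor files. The names carry font/image extensions but
# live under wp-includes; they are listed explicitly, nothing is globbed.
badfiles = [
    site + '/wp-includes/Text/Diff/Engine/oqrooqnpopsrrqnn.ttf',
    site + '/wp-includes/images/media/bdebbdacbcfeedaa.png',
    site + '/wp-includes/images/w-bdebbdacbcfeedaa.gif',
]
for f in badfiles:
    try:
        # Record a SHA-256 before deleting: once the file is gone the hash is
        # the only indicator left for checking backups and sibling sites.
        with open(f, 'rb') as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        os.remove(f)
    except FileNotFoundError:
        # Already absent (or removed between the read and the unlink).
        continue
    except OSError as err:
        # Report and keep going so one undeletable file does not abort the
        # rest of the cleanup. NOTE(review): the PHP loop later in this script
        # clears an immutable attribute, so the same flag may be set on these
        # files - confirm with lsattr if this branch fires.
        print('FAILED: ' + f + ' (' + str(err) + ')')
        continue
    print('SHA256: ' + digest + '  ' + f)
    print('REMOVED: ' + f)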
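# Clean @include base64_decode injections from PHP files
php_files = [
    site + '/wp-includes/template-loader.php',
    site + '/wp-includes/general-template.php',
    site + '/wp-includes/cron.php',
    site + '/wp-includes/functions.php',
    site + '/wp-blog-header.php',
]

# Matches <?php @include base64_decode("...");?> as injected at the start of
# the file. It is a bytes pattern because the files are read and written as
# bytes: text mode would fail on non-UTF-8 content and would rewrite CRLF line
# endings, changing parts of the file that have nothing to do with the
# injection.
injection = re.compile(rb'<\?php @include base64_decode\([^)]+\);\?>')

for fpath in php_files:
    if not os.path.exists(fpath):
        continue
    # Clear the immutable attribute so the file can be rewritten. Argument
    # list instead of a shell string; failures stay silent as before, and a
    # file that is still read-only is reported by the handler below.
    try:
        subprocess.run(['chattr', '-i', fpath],
                       stderr=subprocess.DEVNULL, check=False)
    except OSError:
        pass  # chattr is not installed on this host
    try:
        with open(fpath, 'rb') as f:
            c = f.read()
        fixed, hits = injection.subn(b'', c)
        if hits:
            with open(fpath, 'wb') as f:
                f.write(fixed)
    except OSError as err:
        # Keep processing the remaining files instead of aborting the run.
        print('FAILED: ' + fpath + ' (' + str(err) + ')')
        continue
    if hits:
        print('CLEANED: ' + fpath)
    else:
        # Only this exact injection form is absent; the file may still differ
        # from the shipped core file in other ways. Compare against a
        # known-good copy of the same WordPress release (for example with
        # WP-CLI's `wp core verify-checksums`) before treating it as clean.
        print('NO MATCH: ' + fpath)
print('Done')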