-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathclean-clk.php
92 lines (76 loc) · 2.31 KB
/
clean-clk.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
<?php
// just for debugging
header('Content-type: text/plain');
/* recursive directory retrieve */
function getFileListIn($dir, $prefix = '') {
$dir = rtrim($dir, '\\/');
$result = array();
foreach (scandir($dir) as $f)
{
if ($f !== '.' and $f !== '..')
{
if (is_dir("$dir/$f"))
{
$result = array_merge($result, getFileListIn("$dir/$f", "$prefix$f/"));
} else {
$result[] = $prefix.$f;
}
}
}
return $result;
}
/* here starts the script */
// array for infected and cured files store
$arrInfected = $arrCured = array();
// configure the directory to check and cure
$strDirPathToCheck = './';
$arrFileList = getFileListIn($strDirPathToCheck);
/* while we have files to check... */
foreach($arrFileList as $strFile)
{
$strPathFile = $strDirPathToCheck . $strFile;
$strOriginalContent = file_get_contents($strPathFile);
// Let's check if the 'clk.php' call is inside the file
if (preg_match_all('/clk.php/sU', $strOriginalContent, $arrMatches))
{
// append infected item
$arrInfected[] = $strPathFile;
// getting extension
$arrPathParts = pathinfo($strPathFile);
// check the type file
switch (strtolower($arrPathParts['extension']))
{
case 'php': // PHP files
// #id# script call #/id#
$strCuredContent = preg_replace('/<\?php[\n\r\s]+\#[a-z0-9]+\#.*\#\/[a-z0-9]+\#[\n\r\s]+\?>/sU', '', $strOriginalContent);
$strCuredContent = preg_replace('/<\?php[\n\r\s]+\?>/sU', '', $strCuredContent);
break;
case 'js': // JS files
// /*id*/ script call /*id*/
$strCuredContent = preg_replace('/\/\*[a-z0-9]+\*\/.*\/\*\/[a-z0-9]+\*\//sU', '', $strOriginalContent);
break;
case 'htm': // HTML files
case 'html':
// <!--id--> script call <!--/id-->
$strCuredContent = preg_replace('/<!--[a-z0-9]+.*\/[a-z0-9]+-->/sU', '', $strOriginalContent);
break;
default:
// possible others
$strCuredContent = null;
}
// if we get the curated content, we'll replace original
if (!is_null($strCuredContent))
{
// Write content to file
if (file_put_contents($strPathFile, $strCuredContent))
{
// OK, perfect, cured
$arrCured[] = $strPathFile;
}
}
}
}
echo "Files infected":
print_r($arrInfected);
echo "Files cured":
print_r($arrCured);