Abominable if(!isset($GLOBALS["\x61\156\x75\156\x61"])) Malicious Code and Removal Methods

During a modification of a WordPress theme, I was surprised to find a piece of code like this in the header of every theme file:

if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); ...

I don't know exactly what this code does; the site showed no visible abnormality, but we cannot let malicious code ravage our theme like this, so after a little Googling I found the solution on the almighty Stack Overflow.

Ways to clean up malicious code

Here's a bash script. Upload it to the server and run it as ./remove_malware.sh /var/www/wp_path/ clean to remove the malicious code (without the second argument it only lists the infected files).

#!/bin/bash
#
# This script removes the injected malware from PHP files.
# Usage: ./remove_malware.sh <directory> [clean]
#   Without the second argument the script only lists infected files;
#   with it, the injected block is stripped and the original kept as <file>.bck.
#

# Escaped form of "HTTP_USER_AGENT" exactly as it appears in the injected code.
MARKER='\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54'
export MARKER

if [[ -z "$1" ]]; then
  echo "Directory where to find is required."
else
  # -F: match the marker literally, so the backslashes are not regex escapes.
  grep -rlF --include='*.php' -e "$MARKER" "$1" | while read -r filename; do

    if [[ -n "$2" ]]; then
      echo "Found file $filename. Cleaning..."
      # On the first line that contains the marker, drop everything up to and
      # including the "?>" that closes the injected block; the original code
      # that follows on that line, and every other line, is copied unchanged.
      # The marker is read from the environment so awk does not decode its escapes.
      awk 'BEGIN { marker = ENVIRON["MARKER"]; matches = 0 }
        matches < 1 && index($0, marker) {
          matches++
          tail = substr($0, index($0, marker))
          end  = index(tail, "?>")
          if (end == 0) next
          $0 = substr(tail, end + 2)
          if ($0 == "") next
        }
        1' "$filename" > "$filename.purged"
      mv "$filename" "$filename.bck"
      mv "$filename.purged" "$filename"
    else
      echo "Found file $filename."
    fi

  done
  echo "Done."
fi

In testing, the script can misjudge a normal file and delete its first line of code. The chance of a misjudgement is relatively small, but just in case, it is recommended to back up the whole site before running the cleanup.

When the above script runs, it leaves a number of backup files with the .bck suffix. If you need to clean up these files, run the following command from the site root.

find . -name '*.bck' | xargs rm -vf

Comments

    1. Manual deletion is also possible, but it is not easy to delete cleanly. It is recommended to download the latest version of the official code, overwrite the wp-admin and wp-includes folders with it, and then double-check the PHP code in the site root directory and in wp-content.
