<?php

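// Scans every *.php file under this script's directory for a known injected-code
// signature and, when clean mode is enabled, removes the infected PHP block.
//
// Operational caveats:
//  - With $CLEAN_MODE_ON = false the script is a dry run: it only lists matches.
//  - Cleaning deletes the WHOLE first <?php ... ?> block of a matching file. If the
//    injected code was merged into a legitimate first block, that code is lost too,
//    which is why a full backup is required before enabling clean mode.
//  - Only this one signature is detected, and only in files whose extension is
//    exactly "php" (case-sensitive). A clean run does not prove the site is clean,
//    and it does not close whatever hole allowed the injection in the first place.
//  - This file rewrites other files when requested over HTTP. Delete it from the
//    web root (or restrict access to it) as soon as the clean-up is finished.

// Safety check: leave false to list infected files without modifying anything.
$CLEAN_MODE_ON = false;

// Comma-separated number run that identifies the injected payload.
$WORM_SIGNATURE = "2351,36,5581,28,1864,50,2418,35,1827,37,3770,62,3104,41,3975,39,5703,40,3950,25,2004,59,2739,32,1187,37,1914,30,2922";

echo "<div>IMPORTANT! Make sure you take your site offline and make a BACKUP of ALL files before switching on clean mode!</div>";

echo "<div>Listing all PHP files.</div>";

$di = new RecursiveDirectoryIterator(__DIR__, RecursiveDirectoryIterator::SKIP_DOTS);
$it = new RecursiveIteratorIterator($di);

// Resolved once so the self-exclusion below compares full paths, not just names.
$selfPath = realpath(__FILE__);

foreach ($it as $file) {
    if (!$file->isFile() || $file->getExtension() != "php") {
        continue;
    }

    // Skip this script itself: it contains the signature as a string literal.
    // Comparing the resolved path (instead of the base name) means an unrelated
    // file that merely shares this script's name in another directory is still scanned.
    if ($selfPath !== false && $file->getRealPath() === $selfPath) {
        continue;
    }

    $path = $file->getPathname();

    // File names on a compromised host are untrusted; escape before printing as HTML.
    $safePath = htmlentities($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Read by explicit path only; an include_path lookup has no place here.
    $fileContents = file_get_contents($path);
    if ($fileContents === false) {
        echo "<div>Could not read " . $safePath . "; skipped.</div>", PHP_EOL;
        continue;
    }

    if (preg_match('/<\?php.+?\?>/ms', $fileContents, $matches, PREG_OFFSET_CAPTURE) !== 1) {
        continue;
    }

    // Check the first match only - assume the worm's PHP code block is the first one in the file.
    $firstElem = $matches[0][0];
    $firstElemOffset = $matches[0][1];

    if (strpos($firstElem, $WORM_SIGNATURE) === false) {
        continue;
    }

    // Show only the head and tail of the block. ENT_SUBSTITUTE keeps htmlentities()
    // from returning an empty string when the payload holds invalid UTF-8 bytes.
    $preview = substr($firstElem, 0, 50) . " ........... " . substr($firstElem, -50);
    echo "<div>" . $safePath . "; " . htmlentities($preview, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</div>", PHP_EOL;

    if (!$CLEAN_MODE_ON) {
        continue;
    }

    echo "<div>Cleaning the file...</div>";

    // Cut exactly the matched block at its captured offset. str_replace() would
    // also delete any later byte-identical occurrence elsewhere in the file.
    $cleanedFileContents = substr_replace($fileContents, '', $firstElemOffset, strlen($firstElem));

    // Report the real outcome: a read-only file must not be announced as cleaned.
    if (file_put_contents($path, $cleanedFileContents) === false) {
        echo "<div>Could NOT write " . $safePath . "; file is still infected.</div>", PHP_EOL;
        continue;
    }

    echo "<div>File cleaned!</div>";
}

echo "<div>Done. Exiting...</div>";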

?>