Useful Bash Script for Malware Removal

If you have access to your WordPress server via SSH, there are some bash commands you can run to check whether your files are infected with malware. This is especially helpful when you host a whole bunch of sites on the same server, because one pass over the document roots covers all of them.

Using Obfuscalp.

Obfuscalp is an open-source PHP tool that finds and removes obfuscated suspicious or malicious code planted inside PHP and other scripts. find.php writes the list of hits; remove.php then processes the files on that list, so review infected.txt for false positives and take a backup before running the second step.
git clone https://github.com/Orbixx/Obfuscalp.git
cd Obfuscalp
php find.php /path/to/a/bunch/of/php/sites > infected.txt
...
Processed 3950000 files, found 30
Processed 3960000 files, found 30
Processed 3970000 files, found 30

php remove.php infected.txt
...
Processing file 28 of 30 (%93.33)
Processing file 29 of 30 (%96.66)
Processing file 30 of 30 (%100)

Find and delete any PHP files in the uploads folder. WordPress never needs PHP under wp-content/uploads, so anything found there is suspect; drop -delete to list the files first.
find wp-content/uploads/ -name "*.php" -type f -delete

Remove stray text and HTML files. Run these without -delete first and review the list: WordPress core ships readme.html and license.txt, and some themes and plugins ship legitimate .txt and .html files, so this is a deliberate clean-up rather than a blind sweep.
find . -name "*.txt" -type f -delete
find . -name "*.html" -type f -delete

Look for files with a .js.php double extension (a common trick to make a PHP backdoor look like a script asset)
find . -name "*.js.php" -type f

Look for PHP files modified in the last 60 minutes. Use -mmin (modification time) for this; -amin checks access time, which changes whenever a file is merely read, so it produces a very noisy list. -cmin (inode change time) is a useful second check because touch cannot reset it.
find . -iname "*.php" -type f -mmin -60

Look for commonly injected scripts. The search strings contain "$", "[" and "\x", so pass them as fixed strings (grep -F) in single quotes, or escape the dollar signs inside double quotes. Left in plain double quotes as they often get pasted, the shell expands $GLOBALS, $sab and $_COOKIE to empty strings and the searches silently miss the injected code.

find . -name "*.php" -type f -exec grep -qF 'function setCookie(a,b,c)' {} \; -print
find . -name "*.php" -type f -exec grep -qF "@\$GLOBALS[\$GLOBALS['l8f127f'][89].\$GLOBALS['l8f127f'][28].\$GLOBALS['l8f127f'][22]" {} \; -print
find . -name "*.php" -type f -exec grep -qF '\x47L\x4fBA\x4c\x53' {} \; -print
find . -name "*.php" -type f -exec grep -qPz '\$sab=\$_COOKIE;\r?\n\$jiu=\$sab\[qsll\]' {} \; -print

The last indicator spans two lines (the \x0d\x0a is a CRLF line break), and grep matches one line at a time; -z makes GNU grep treat the whole file as a single record and -P lets the pattern spell out the line break. The simpler alternative is to search for just the first line with grep -qF '$sab=$_COOKIE;'.
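The one-liners above combined into a small script, added here as an example and not part of the original page or of Obfuscalp. It runs the uploads, double-extension, recent-modification and indicator searches as functions against a constructed throwaway site tree: all directory names and file contents below are made up for the demonstration, and the indicator strings are the ones listed above, with the two-line $sab/$jiu indicator reduced to its first line because grep matches per line.

```sh
#!/bin/sh
# Added example (not from the page or from Obfuscalp): the searches above as
# reusable functions, run against a constructed WordPress-like tree.

# Indicator strings from the page, one per line, used as fixed strings
# (grep -F) so "$", "[" and "\x" are never interpreted by the shell or grep.
write_indicators() {
  cat <<'EOF'
function setCookie(a,b,c)
@$GLOBALS[$GLOBALS['l8f127f'][89].$GLOBALS['l8f127f'][28].$GLOBALS['l8f127f'][22]
\x47L\x4fBA\x4c\x53
$sab=$_COOKIE;
EOF
}

# Print each .php file under $1 that contains at least one indicator.
scan_indicators() {
  patfile=$(mktemp)
  write_indicators > "$patfile"
  # grep -l prints a matching file name once; exit status 1 (no hits) is not an error here.
  find "$1" -type f -name '*.php' -exec grep -lF -f "$patfile" {} + || :
  rm -f "$patfile"
}

# PHP files under wp-content/uploads: WordPress never needs PHP there.
scan_uploads() {
  find "$1" -path '*/wp-content/uploads/*' -type f -name '*.php'
}

# Double-extension files such as foo.js.php.
scan_double_ext() {
  find "$1" -type f -name '*.js.php'
}

# PHP files whose contents changed in the last $2 minutes (modification time, not access time).
scan_recent() {
  find "$1" -type f -name '*.php' -mmin "-$2"
}

# Build a throwaway site tree (constructed sample data): one clean file and three suspicious ones.
make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads/2024/01" "$site/wp-content/themes/demo"
  # clean theme file
  printf '%s\n' '<?php get_header(); ?>' > "$site/wp-content/themes/demo/index.php"
  # theme file with an injected cookie-setting script (first indicator)
  printf '%s\n' '<?php get_footer(); ?><script>function setCookie(a,b,c){document.cookie=a+"="+b}</script>' > "$site/wp-content/themes/demo/footer.php"
  # PHP dropped into uploads: suspicious by location alone, whatever it contains
  printf '%s\n' '<?php echo "dropped"; ?>' > "$site/wp-content/uploads/2024/01/image.php"
  # double extension plus the cookie-driven loader (last indicator)
  printf '%s\n' '<?php $sab=$_COOKIE;' '$jiu=$sab[qsll];' > "$site/wp-content/themes/demo/x.js.php"
  printf '%s\n' "$site"
}

# Demonstration on the constructed tree; point the functions at a real document root instead.
SITE=$(make_sample_site)
echo "== indicator hits =="; scan_indicators "$SITE"
echo "== php in uploads =="; scan_uploads "$SITE"
echo "== double extensions =="; scan_double_ext "$SITE"
echo "== modified in the last 60 minutes =="; scan_recent "$SITE" 60
rm -rf "$SITE"
```

Each function only lists files, so nothing is deleted or rewritten until you act on the output; on the sample tree the indicator scan reports footer.php and x.js.php, the uploads scan reports image.php, and the 60-minute scan reports all four freshly written files.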

Once you have cleaned all the files and taken a backup, secure the files and directories with the correct permissions:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

wp-config.php holds the database credentials, so tighten it further than the rest (chmod 640, or 600 if the web server runs as the file's owner).

These are just some of the scripts that I use; I will update this page once I have some new sites to clean up.