Pythorian

Malware rr.nu Vaccine

Oct 7th, 2012
  1. <?php
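  /**
   * Vaccine: Malware rr.nu
   * This simple script recursively reads every PHP file under a directory and
   * strips the string injected by the rr.nu malware.
   *
   * Scope and limits:
   *  - Only the one injected block matched by $pattern is removed. Nothing else
   *    is inspected, so a "free" result means "this signature is absent", not
   *    "this file is unmodified".
   *  - Files are rewritten in place and no backup copy is made.
   *  - Symbolic links are never followed, so the scan cannot be steered into
   *    rewriting files outside the chosen root.
   *
   * changelog:
   * v0.2 - verification by Regex, based on idea: http://misc.wordherders.net/wp/wordpress-fix_php.txt
   * v0.1 - single string verification
   *
   * @author Walker de Alencar <[email protected]>
   * @link {https://github.com/walkeralencar/rrnuVaccine}
   */
  class rrnuVaccine {

      /** Root directory of the scan, set through setDirectory(). */
      private $directory;

      /** Per-run tallies keyed by status name; reset by startup(). */
      private $counter;

      /** HTML log, one line per reported path. */
      private $log = '';

      /**
       * Signature of the injected block: the literal opening
       * `<?php /**‍/ eval(base64_decode("`, a fixed base64 prefix, the rest of
       * the string literal, and the closing `"));?>`.
       *
       * The variable part is `[^"\n]*` rather than `.*`: a greedy `.*` runs to
       * the LAST `"));?>` on the line and would also delete legitimate code
       * that follows the injection on the same line.
       */
      private $pattern = '(\<\?php \/\*\*\/ eval\(base64_decode\("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21yX25vJ10pKX[^"\n]*"\)\);\?\>)';

      /** Instances are obtained through create(). */
      private function __construct() {

      }

      /**
       * @return rrnuVaccine
       */
      public static function create() {
          return new self();
      }

      /**
       * Define the root directory where the recursive search of PHP files starts.
       * @param string $dir
       * @return rrnuVaccine
       */
      public function setDirectory($dir) {
          $this->directory = $dir;
          return $this;
      }

      private function getDirectory() {
          return $this->directory;
      }

      /**
       * Refuse to run without a usable root directory.
       *
       * realpath() returns false for a path it cannot resolve, so a non-null
       * value is not enough: the root must be an existing directory.
       *
       * @throws Exception when no root was set or it is not a directory
       */
      private function validate() {
          $root = $this->getDirectory();
          if (is_null($root)) {
              throw new Exception('Define the root directory to Vacine!');
          }
          if (!is_string($root) || !is_dir($root)) {
              throw new Exception('The root directory to Vacine is not a directory!');
          }
      }

      /** Reset the tallies and the log so that execute() can be called again. */
      private function startup() {
          $this->counter = array(
              'free' => 0,
              'infected' => 0,
              'disinfected' => 0,
              'unchecked' => 0,
              'total' => 0,
          );
          $this->log = '';
      }

      /**
       * Add one line to the HTML log and bump the matching tally.
       *
       * The path is HTML-escaped: file names inside a compromised tree are
       * attacker-chosen and must not be able to inject markup into the report.
       *
       * @param string $file  path being reported
       * @param string $key   counter key to increment
       * @param string $color CSS colour of the status label
       * @param string $label status text (fixed strings only)
       */
      private function record($file, $key, $color, $label) {
          $this->counter[$key]++;
          $this->log .= htmlspecialchars($file, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
                  . '[<em style="color:' . $color . '">' . $label . '</em>]' . "<br>\n";
      }

      /**
       * Check one PHP file and rewrite it when the signature is present.
       *
       * A file that cannot be read, or on which the regex engine fails, is
       * reported as "unchecked" instead of being counted as free.
       *
       * @param string $file path of a regular .php file
       */
      private function cleanFile($file) {
          $this->counter['total']++;

          $original = is_readable($file) ? file_get_contents($file) : false;
          if ($original === false) {
              $this->record($file, 'unchecked', 'darkorange', 'unchecked: unreadable');
              return;
          }

          $cleaned = preg_replace($this->pattern, '', $original, -1, $detected);
          if ($cleaned === null) {
              // preg_replace() returns null on a PCRE error, e.g. backtrack limit.
              $this->record($file, 'unchecked', 'darkorange', 'unchecked: regex error');
              return;
          }

          if ($detected === 0) {
              $this->record($file, 'free', 'darkblue', 'free');
          } else if (false === file_put_contents($file, $cleaned)) {
              // Signature found but the file could not be rewritten.
              $this->record($file, 'infected', 'darkred', 'infected!');
          } else {
              $this->record($file, 'disinfected', 'darkgreen', 'disinfected!');
          }
      }

      /**
       * Walk $directory recursively and clean every file with a .php extension.
       *
       * @param string $directory directory to walk
       */
      private function vaccine($directory) {
          $currentDir = is_readable($directory) ? dir($directory) : false;
          if ($currentDir === false) {
              $this->record($directory, 'unchecked', 'darkorange', 'unchecked: unreadable directory');
              return;
          }

          while (false !== ($entry = $currentDir->read())) {
              if ($entry === '.' || $entry === '..') {
                  continue;
              }
              $file = $directory . DIRECTORY_SEPARATOR . $entry;

              if (is_link($file)) {
                  // Following a link could loop forever or rewrite a file
                  // that lives outside the scan root.
                  $this->record($file, 'unchecked', 'darkorange', 'unchecked: symlink');
              } else if (is_dir($file)) {
                  $this->vaccine($file);
              } else if (strtolower(pathinfo($entry, PATHINFO_EXTENSION)) === 'php') {
                  $this->cleanFile($file);
              }
          }
          $currentDir->close();
      }

      /**
       * Run the scan from the configured root.
       *
       * @return string HTML: an <h2> summary of the tallies followed by the log
       * @throws Exception when the root directory is missing or invalid
       */
      public function execute() {
          $this->validate();
          $this->startup();
          $this->vaccine($this->getDirectory());

          $result = array();
          foreach ($this->counter as $key => $value) {
              $result[] = "<b>{$key}</b>({$value}) ";
          }

          return "<h2>" . implode(' | ', $result) . "</h2>\n" . $this->log;
      }

  }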
  104.  
  // Page header. It is sent before the scan starts, so it is already on the
  // wire if the scan later throws.
  echo '<div style="color:#333; font-family:Verdana; font-size:11px;">',
       '<h1><a href="https://github.com/walkeralencar/rrnuVaccine">rr.nu Vaccine - v0.2 Beta</a></h1>',
       '<h3>by <a href="mailto:[email protected]">Walker de Alencar</a></h3><hr/>';

  // The scan root is the resolved current working directory, and the scan
  // rewrites matching files beneath it on every run.
  // NOTE(review): nothing here restricts who may request this page; presumably
  // it is meant to be uploaded, run once and removed again. Confirm before
  // leaving it in a web root.
  echo rrnuVaccine::create()->setDirectory(realpath(getcwd()))->execute(),
       '</div>';