-1

I need to copy content off my site to create another system, because the theme keeps getting hacked. The hacker keeps putting a .ico file that is a malware...

So I need to create a php file that will always search for files NOT NAMED favicon.ico and delete them if it finds them.

Is there a fast way to search every directory in public_html for files hidden and named: .*.ico? They seem to start with . then different names then .ico

so always: .*.ico

but not named: favicon.ico So just a code to delete all files using PHP in public_html that are named .ico but not named favicon.ico

I think unlink would work, but how do I make it not delete favicon.ico?

Does someone know? I'm almost done copying all the content to create a different website and delete the whole website and move the domain to the new server, so it cannot get hacked anymore... but it keeps getting hacked so I have to create a cron job to keep looking for a .ico file to delete.

Thanks in advance if you can point me in the right direction. :)

I've been searching online for how to, but not found it. Need to get it fast because it keeps getting hacked every few hours.

unlink("/home/path/public_html/*.ico");
//Deletes favicon.ico too... right?

did not test it because I think it will delete the ico files I don't want deleted.

Rich
  • 13
  • 1
  • 3
  • or maybe how to scan all folders and get all file names and if they are .ico and not favicon.ico, then delete that file... but only that file.. is there a loop to make that does that until the end of all files in the main directory we start with? – Rich Apr 30 '19 at 21:32
  • 1
    It seems to me you're addressing the symptom rather than the disease. Perhaps you should harden your install instead. – Alex Howansky Apr 30 '19 at 21:37
  • My theme seems to be the reason it keeps getting hacked, I've checked everything else... must be the theme. I have that theme on 3 different sites and all 3 are getting hacked the others are not... so must be. so I need to just not use that theme, but I have to recreate the website content first, because if I change the theme it will break the look and feel, so need to copy it all off. – Rich Apr 30 '19 at 21:45
  • It doesn't matter why they're hacking your site, you should fix it so it can't be hacked in the first place. – Barmar Apr 30 '19 at 21:52
  • The purpose of this kind of hack seems to be to create an WordPress user for the hacker. Are you using WP? In that case, check the users list. I don't think removing the icon files will help now, it's probably too late for that. If you're using WP, lots of plugins and third party themes, then an occasional hack seems unavoidable. It's the biggest target out there. Not your fault, just try and keep everything up-to-date. – KIKO Software Apr 30 '19 at 21:54
  • I cannot figure out how they are hacking it from that theme, I've checked everything. I keep removing all the malware manually.. it is a pain... very frustrating. NO IDEA how they are doing it. if I did see how I'd fix it so they could not. but no idea HOW they are doing it. NO IDEA. – Rich Apr 30 '19 at 21:54
  • If you don't know how they're getting in, then moving to a different server and different theme is no guarantee of stopping the hack. Chances are good that they've added backdoors into your site other than how they first got in. – Greg Schmidt Apr 30 '19 at 21:55
  • Everything is up to date... everything. and I've looked for all the malware files... found ALL the files that have any type of malware code, like files named: 3isnikdnw.php etc. removed all of those, every one of them. I've used shell to search for *{eval(* and *foreach{* and found every one of them to delete them all. I still don't know how they are accessing the site. no users created. I checked. – Rich Apr 30 '19 at 21:56

2 Answers2

0

Functions like unlink() require an exact pathname, they don't automatically expand wildcards.

Use glob() to get a list of files matching a pattern, then you can use array_map() to call the function for each of them.

array_map('unlink', glob("/home/path/public_html/*.ico"));
Barmar
  • 741,623
  • 53
  • 500
  • 612
0

i think you need a recursive script to execute the work...

you can try this:

function listFolderFiles($dir){
    $ffs = scandir($dir);

    unset($ffs[array_search('.', $ffs, true)]);
    unset($ffs[array_search('..', $ffs, true)]);


    $search_text = '.ico';

    array_filter($ffs, function($el) use ($search_text) {
        return ( strpos($el['text'], $search_text) !== false );
    });

    // prevent empty ordered elements
    if (count($ffs) < 1)
        return;

    echo '<ol>';
    foreach($ffs as $ff){
        echo '<li>'.$ff;
        if(is_dir($dir.'/'.$ff)) listFolderFiles($dir.'/'.$ff);
        echo '</li>';
    }
    echo '</ol>';
}

listFolderFiles('Main Dir'); //your directory ...

check the output if is that you need... and add the unlink to the path and file listed...

  • So, what field is the file name, so I can add code to see if it is a .ico file and does NOT contain favicon.ico so if not, then unlink it...? – Rich Apr 30 '19 at 22:10
  • i have remove all .ico with $search_text = '.ico'; AND array_filter –  Apr 30 '19 at 22:11