File: //proc/1284356/root/bigscoots/wp_cleanup.sh
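#!/bin/bash
# wp_cleanup.sh - rebuild a compromised WordPress install in place.
#
# Must be run from the root of the WP install (the directory that holds
# wp-includes): every mv/rm/chmod below is relative to the current
# directory. The existing root is quarantined under .infected_<stamp>,
# core is re-downloaded, plugins are reinstalled from wordpress.org where
# possible, admin passwords and salts are reset, and the tree is scanned
# for known backdoor signatures.
#
# Helpers such as wpcli, wpcli_update, ngxrestart,
# correct_permissions_ownership, serverip and WPCLIFLAGS come from the
# two sourced files below.
# NOTE(review): later steps list a directory that has been set to mode 0,
# which only works as root; treat "runs as root" as an assumption to confirm.
RED="\e[31m"
GREEN="\e[32m"
ENDCOLOR="\e[0m"
source /bigscoots/includes/common.sh
source /bigscoots/wpo/extras/bigscoots.menu
# Set to true when bigscoots-helper was active before the wipe, so the
# plugin rebuild step knows to reinstall it.
activate_bshelper=false
CURRDIR="${PWD}"
# Refuse to run anywhere but a WP root. Exit non-zero so callers and
# wrappers can distinguish "wrong directory" from a completed cleanup
# (the original exited 0 here).
if [[ ! -d wp-includes ]]; then
  echo "Needs to be ran in the root of the WP install." >&2
  exit 1
fi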
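# Detached watchdog: sleep one hour, then post to #team-chat if a
# quarantine directory (.infected_*) is still sitting in the install root.
# NOTE(review): nothing in this file calls this function; confirm it is
# invoked from elsewhere before relying on the reminder.
#
# The install path, hostname and server IP are passed to the detached
# shell as positional arguments instead of being spliced into the
# bash -c string, so a directory name containing quotes, ';' or $(...)
# cannot change the command that shell runs. They are still expanded
# here, at call time, exactly as before.
function INFECTEDFOLDERCHK() {
  screen -dmS "INFECTEDFOLDERCHK" bash -c '
    sleep 3600
    # "[ -d" on an unquoted glob errors out as soon as a second
    # .infected_* directory exists; iterate and alert on the first match.
    for quarantine_dir in "$1"/.infected_*; do
      if [ -d "$quarantine_dir" ]; then
        bash /bigscoots/general/slack.sh "#team-chat" ":middle_finger:" "$2" "-" "$3" "-" "Someone" "forgot" "to" "remove" "the" ".infected" "folder" "from" "$4" "please" "make" "sure" "nothing" "is" "needed" "then" "remove." "Thanks" "and" "have" "a" "lovely" "day" - ":middle_finger:"
        break
      fi
    done
  ' _ "${CURRDIR}" "$(hostname)" "${serverip}" "${PWD}"
}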
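# Strip "@include" injection lines from the PHP files in the install root.
# Selection requires a line that *starts* with @include, but every line
# mentioning @include in a selected file is deleted (unchanged from the
# original); this is blunt, so review wp-config.php afterwards since it
# is carried over into the rebuilt site.
# Filenames come from a compromised tree: they are passed NUL-delimited
# and quoted so a name with spaces, globs or newlines cannot redirect
# which file sed edits.
grep -lZ '^@include' -- *php | while IFS= read -r -d '' injectedfile; do
  echo "Removing malicious injection from file: $injectedfile"
  sed -i '/@include/d' -- "$injectedfile"
done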
# echo "Site cleanup on $(wp option get siteurl ${WPCLIFLAGS})"
# Update the WP-CLI helper itself before it is used for the rebuild.
wpcli_update
# Staging directory for the files that survive the wipe (wp-config.php,
# wp-content, robots/ads, WAF loaders).
mkdir .keep
# The BigScoots helper plugin and its mu-plugin loader are removed for
# the rebuild; remember that it was active so it is reinstalled later.
if wpcli plugin is-active bigscoots-helper; then
  wpcli plugin delete bigscoots-helper
  rm -f wp-content/mu-plugins/bigscoots-helper-handler.php
  activate_bshelper=true
fi
# Restart the PHP/web stack before the tree is replaced: the
# /scripts/restartsrv_* path where it exists (presumably cPanel hosts),
# otherwise the nginx and scoots helpers.
if [[ -f /scripts/restartsrv_apache_php_fpm ]]; then
  /scripts/restartsrv_apache_php_fpm
else
  ngxrestart
  scoots php restart all
fi
# Park everything that must survive the wipe. Missing files are expected,
# hence the silenced stderr. wp-config.php is restored untouched below;
# only the signature grep near the end of the script looks at it.
mv wp-config.php wp-content ads.txt apple-touch-icon* robots.txt bigscoots.html malcare-waf.php wordfence-waf.php .keep/ 2>/dev/null
# Quarantine the rest of the root. "./*" does not match dotfiles, which is
# what keeps .keep and .infected in place -- but it also means any other
# dotfile in the root (e.g. .htaccess) is left where it is by this step.
mkdir -p .infected
mv ./* .infected/
# Fresh core without wp-content. The original wp-content comes back from
# .keep below, so whatever wp-content the download produced is removed
# first.
wpcli core download --skip-content
[[ -f .infected/wp-content/mu-plugins/bigscoots-helper-handler.php ]] && rm -f .infected/wp-content/mu-plugins/bigscoots-helper-handler.php
# Dot-prefixed .ico files are treated as malicious everywhere in the tree
# (the uploads scan later also looks for .ico files).
find . -name '.*.ico' -delete
rm -rf .well-known
[[ -d wp-content ]] && rm -rf wp-content
mv .keep/* .
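# Rebuild wp-content/plugins from clean wordpress.org copies.
# If the cd fails, the original carried on in the install root and then
# "cd .." moved the rest of the script (rm/chown/chmod of ".") into the
# parent directory; abort instead.
cd wp-content || { echo "wp-content is missing; aborting before the plugin rebuild." >&2; exit 1; }
# Keep the old plugin tree (mode 0, readable by root only) as the source
# of plugin names; clean copies go into a fresh plugins/ directory.
mv plugins plugins.replace
chmod 0 plugins.replace
mkdir plugins
# Iterate plugin directories with a glob instead of parsing ls. The old
# filter "grep -Ev '.php|error_log'" also dropped any plugin whose slug
# merely contained "php" (the unescaped dot matched any character), so
# those plugins were never reinstalled. A directories-only glob skips
# loose files such as hello.php and error_log directly. Names come from
# a compromised tree and are passed quoted.
for plugin_dir in plugins.replace/*/; do
  [[ -d "$plugin_dir" ]] || continue   # no match: glob stayed literal
  slug=$(basename "$plugin_dir")
  if wpcli plugin install "$slug" --force --quiet 2>/dev/null; then
    echo -e "Installing plugin: $slug - ${GREEN}Success${ENDCOLOR}"
  else
    echo -e "Installing plugin: $slug - ${RED}Failed${ENDCOLOR}"
  fi
done
# Reinstall the BigScoots helper if it was active before the wipe.
if [[ "$activate_bshelper" == true ]]; then
  wpcli plugin install https://wp-plugins.bigscoots.com/download/bigscoots-helper --force --activate --quiet
fi
wpcli core update-db --quiet
cd ..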
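# Deny POST requests to the quarantine directory via .htaccess.
# Two caveats: the file only has effect under Apache (the nginx restart
# path above means some hosts ignore it entirely), and the chmod 000
# below is what actually stops quarantined PHP from being served. The
# original also created an empty ".htacess" (typo) next to the real
# file; only .htaccess is written now.
printf '%s\n' '### Block all POST Requests ###' \
  'RewriteEngine on' \
  'RewriteCond %{REQUEST_METHOD} POST' \
  'RewriteRule .* - [F,L]' \
  '### Block all POST Requests ###' \
  '' > .infected/.htaccess
# Ownership: the whole tree takes the root directory's owner; the root
# itself gets group "nobody" (presumably the web server's group) and 750.
site_owner=$(stat -c '%U' .)
chown -R "${site_owner}:" .
chown "${site_owner}:nobody" .
chmod 750 .
# Quarantine directories are inaccessible to everyone but root.
chmod 000 .infected*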
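# Archive the old plugin tree alongside the rest of the quarantine.
mv wp-content/plugins.replace .infected/
# .keep should be empty by now; if wp-content is still inside it the
# restore did not happen and an operator has to sort it out by hand.
if [[ -d .keep/wp-content ]]; then
  echo "WARNING - I COULDNT REMOVE .keep BECAUSE .keep/wp-content exists and should be in the actual location"
else
  rm -rf .keep
fi
echo "Unable to install the following plugins:"
comm -23 <(ls .infected/plugins.replace | sort) <(ls wp-content/plugins/ | sort)
# Whatever could not be reinstalled from wordpress.org is put back from
# the compromised tree as-is (-n never overwrites a clean copy). This
# includes loose files in the plugins directory, not just plugin folders;
# such entries are only covered by the signature grep and the
# "not plugins" check further down, so review them manually.
mv -n .infected/plugins.replace/* wp-content/plugins/
echo; echo; echo;
echo "Resetting Admin Passwords"
# Reset every administrator account via wp-cli; IDs are read one per line.
while IFS= read -r admin_id; do
  [[ -n "$admin_id" ]] || continue
  wpcli user reset-password "$admin_id" --quiet
done < <(wpcli user list --role=administrator --field=ID)
rm -rf wp-content/cache wp-content/upgrade
# Timestamp the quarantine so repeated runs do not collide; the
# INFECTEDFOLDERCHK watchdog at the top of the file looks for this name.
mv .infected ".infected_$(date +%m%d%y-%H%M)"
correct_permissions_ownership
echo "Shuffling salts"
# Rotating the salts is generally what invalidates existing WordPress
# login cookies. The original silenced failures completely; a failed
# shuffle leaves stolen sessions usable, so at least report it.
if ! wpcli config shuffle-salts --force 2>/dev/null; then
  echo "WARNING - shuffle-salts failed; existing login cookies may remain valid." >&2
fi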
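echo; echo;
echo "Some possible scripts.."
echo; echo;
# Executable-looking files under uploads. The original's bare -o chain
# bound -type f to the '*.php*' test only, so .ico/.html directories were
# listed as well; the group applies -type f to all three names.
find wp-content/uploads/ -type f \( -name '*.php*' -o -name '*.ico' -o -name '*.html' \)
# Non regex grep
# Signature sweep over PHP files outside the quarantine. Caveat: the
# "<?php " entry (with a trailing space) matches any file containing an
# inline "<?php " tag, so expect noise from ordinary templates; the other
# signatures are the ones worth acting on.
grep -rl 'eval($_REQUEST\|IndoXploit TMP Backdoor\|function decrypt($str,$pwd){$pwd=base64_encode($pwd);$str=base64_decode($str);$enc_chr\|I could not have a more welcome visitor 64 group of zain bani\|, hexdec(substr\|$_COOKIE;(count\|<?php file_put_contents\|log_installed = @file_get_contents_mplugin\|str_split(rawurldecode(str_rot13($value)))\|womndo.com\|javascript;base64\|KEYWORDBYINDEX\|<?php \|base64_decode(rawurldecode((urlencode(urldecode($_REQUEST\|AnonymoX9jaTeam\|Joomla.Administrator\|xXsUIssAZ\|ALgR_Dz\|shellx.org\|An0n_3xPloiTeR\|settings="cr"."ea"."te"."_fu"."nction"\|indexx="c"."rea"."te"."_func"."tion";\|{if(isset($_SERVER\|; move_uploaded_file(\$\|))));}\|\\x63\\x72\\x65\\x61\\x74\\x65\\x5f\\x75\\x6e\\x63\\x74\\x69\\x6f\\x6e\|php eval(gzinflate(base64_decode\|eval (gzinflate(base64_decode\|anonymousfox\|if($_GET\["pw"] == $password){\|blackpanther1337\|O0O0OO0O0O0\|error_reporting(0);ini_set("display_errors", 0);if(!defined\|hZGXfomxVvjvWl4xoKEcoJHhWlVfVzDvXGgpWm4tWmgyL2uiVPsRi8X8JlphWTEhqJ0hW10tYFQBkYm\|Upl0ader\| and substr_count\|eval/\*\|if(get_magic_quotes_gpc()){foreach($_POST as $key=>$value){$_POST\[$key] = stripslashes($value);}}' --include='*php' --exclude-dir='.infected_*' --exclude='rules.php' --exclude='autoptimizeCriticalCSSCore.php' --exclude='autoptimizeScripts.php' --exclude='functions_assets_js.php'
# regex grep
grep -Erl 'chr\([0-9]+\)\.chr\([0-9]+\)\.chr\([0-9]+\)|\$[a-zA-Z0-9]{5} = curl_init' --include='*php' --exclude-dir='.infected_*' --exclude='rules.php' --exclude='autoptimizeCriticalCSSCore.php' --exclude='autoptimizeScripts.php' --exclude='functions_assets_js.php'
# Same quarantine exclusion as the two sweeps above; the original scanned
# .infected_* here too, which re-reports everything already quarantined.
grep -lrF "<?php /*-" --exclude-dir='.infected_*'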
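echo; echo; echo;
# Checking for potentially malicious plugins
# Entries directly under wp-content/plugins (other than index.php) that
# wp-cli does not list as a plugin. Caveat: wpcli's stderr is silenced,
# so if "plugin list" fails outright the right-hand side is empty and
# every entry is reported -- a long list here may mean wp-cli broke, not
# that everything is malicious. The unused "count" variable was dropped.
malicious_plugins=$(comm -23 <(find wp-content/plugins/ -mindepth 1 -maxdepth 1 -not -name 'index.php' -exec basename {} \; | sort) <(wpcli plugin list --field=name --status=active,inactive 2>/dev/null | sort))
if [[ -n "$malicious_plugins" ]]; then
  echo "The plugins listed below are most likely not plugins, please check them:"
  echo "$malicious_plugins"
fi
echo; echo; echo;
# Checking for potentially malicious themes
# Same comparison for wp-content/themes; parent themes are included on
# the wp-cli side so a child theme's parent is not flagged.
malicious_themes=$(comm -23 <(find wp-content/themes/ -mindepth 1 -maxdepth 1 -not -name 'index.php' -exec basename {} \; | sort) <(wpcli theme list --field=name --status=active,inactive,parent 2>/dev/null | sort))
if [[ -n "$malicious_themes" ]]; then
  echo "The themes listed below are most likely not themes, please check them:"
  echo "$malicious_themes"
fi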
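echo "To maintain the security of your website, please manually download and install the latest version of these plugins from their official sources."
echo ""
echo "**Plugins requiring manual updates:**"
echo ""
# Plugin details are read with jq; without it the fields below print empty.
if ! command -v jq >/dev/null 2>&1; then
  echo "WARNING - jq not found; plugin details below will be empty." >&2
fi
# Run the checksum verification once and keep its full output. The
# original piped it straight into a grep for the "could not retrieve"
# warning, which discarded every other warning wp-cli raised -- i.e. the
# actual mismatched/added-file findings. Surface those first.
verify_output=$(wpcli plugin verify-checksums --all 2>&1)
other_warnings=$(printf '%s\n' "$verify_output" | grep 'Warning:' | grep -v 'Warning: Could not retrieve the checksums')
if [[ -n "$other_warnings" ]]; then
  echo "Checksum warnings from wp-cli (review these files):" >&2
  printf '%s\n' "$other_warnings" >&2
fi
# Plugins for which wordpress.org has no checksums (typically premium or
# custom plugins): these are the ones the reinstall step could not fetch
# a clean copy of, so they must be updated by hand.
printf '%s\n' "$verify_output" | grep "Warning: Could not retrieve the checksums" | awk -F'of plugin ' '{print $2}' | awk -F',' '{print $1}' | while read -r PLUGIN; do
  # Fetch plugin details
  if ! PTITLE=$(wpcli plugin get "$PLUGIN" --fields=title,author,version --format=json); then
    echo "WARNING - could not read details for plugin '$PLUGIN'" >&2
    continue
  fi
  # Extract fields using jq
  TITLE=$(printf '%s' "$PTITLE" | jq -r '.title')
  AUTHOR=$(printf '%s' "$PTITLE" | jq -r '.author')
  VERSION=$(printf '%s' "$PTITLE" | jq -r '.version')
  # Print in formatted style. printf rather than echo: these values come
  # from plugin metadata in a compromised tree and must not be
  # interpreted as echo options or escapes.
  printf '%s\n' "- **$TITLE**"
  printf '%s\n' " - **Author:** $AUTHOR"
  printf '%s\n' " - **Current Version:** $VERSION"
  echo ""
done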