#!/usr/bin/env python2
# Some fucker infected all the php files on the server with by injecting some
# obfuscated bullshit at the start of each file. This script pulls out the
# crap and rewrites the file.

import os
import fnmatch
import re

infection = {}
infected = []
skipped = []

for root, dirs, files in os.walk('.'):
    for pfile in fnmatch.filter( files, "*.php" ):
        fname = os.path.join( root, pfile )
        content = ""
        fin = open( fname, 'r')
        content = fin.read()
        fin.close()
        if len(content) == 0:
            continue
        p = re.compile('(^<\?php .*\?>)<?[\?php|html|HTML|!DOCTYPE|\n]')
        m = p.match( content )
        if m:
            # keep track of the infection string and use that to look too
            if m.group(1) in infection:
                infection[m.group(1)] += 1
            else:
                infection[m.group(1)] = 1
            content = content[len(m.group(1)):-1]
            o = open( fname, 'w' )
            o.write( content )
            o.close()
            infected.append( fname )
        else:
            found = False
            # see if we can find the infection string at the beginning of the file
            for key in infection.keys():
                if content.find(key) == 0:
                    content = content[len(key):-1]
                    o = open( fname, 'w' )
                    o.write( content )
                    o.close()
                    infected.append( fname )
                    found = True
                    break
            if not found:
                skipped.append( fname )

print "# %d infections" % len(infection.keys())
print "# Infected"
for f in infected:
    print f
print
print "# Skipped"
for f in skipped:
    print f
print

print "# %d infected files found and cleaned" % len(infected)
print "# %d files were skipped" % len(skipped)