File: /home/thetradingroom/www/scan-malware.php
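<?php
/**
 * Targeted WordPress malware scan.
 *
 * Pass 1 walks the current working directory and reports every .php/.js/.html/.htm
 * file whose contents contain one of the substrings in $signatures.
 * Pass 2 runs the same substring check over autoloaded rows of the options table.
 *
 * Operational notes:
 *  - This file holds database credentials and prints server paths. Run it from the
 *    command line where possible and delete it from the web root when finished.
 *  - Several signatures ('appendChild(', 'fetch(', 'eval(', 'base64_decode(') also
 *    occur in legitimate WordPress core, theme and plugin code. A hit is a lead to
 *    triage, not proof of infection; a clean run is not proof of a clean site.
 *  - Only the first matching signature is reported per file / per option row.
 */
error_reporting(0);
set_time_limit(0);

// When served over HTTP, force plain text so file paths and option names taken
// from a possibly compromised site are never interpreted as HTML by the browser.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header('Content-Type: text/plain; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
}

echo "\n\n=== WordPress Malware Scanner (Targeted) ===\n\n";

$signatures = [
    'scottvmorton',            // your specific malware source domain
    'tytuy.json',              // remote malicious payload
    'createElement(\'script\'',
    'createElement("script"',
    'appendChild(',
    'atob(',                   // base64 decoding in JS
    'eval(',                   // obfuscated loader
    'String.fromCharCode',
    'navigator.webdriver',
    'verify you are human',
    'windows key',             // fake cloudflare human verification text
    'powershell',              // NEVER legitimate in WP JS/PHP
    'Win + R',                 // malware prompt
    'fetch(',                  // usually used in fake CF loaders
    'gzinflate(',              // php obfuscation
    'base64_decode(',          // php obfuscation
];

// The scanner contains every signature itself; resolve its own path so it can be
// skipped instead of always producing a false positive.
$self = realpath(__FILE__);

echo "Scanning files...\n\n";

try {
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator('.', FilesystemIterator::SKIP_DOTS)
    );

    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }

        $path = $file->getPathname();

        // Only scan these file types:
        if (!preg_match('/\.(php|js|html|htm)$/i', $path)) {
            continue;
        }

        if ($self !== false && realpath($path) === $self) {
            continue;
        }

        $contents = file_get_contents($path);
        if ($contents === false) {
            // An unreadable file is a coverage gap: say so rather than skip silently.
            echo "Could not read (NOT scanned): $path\n";
            continue;
        }
        if ($contents === '') {
            continue;
        }

        foreach ($signatures as $sig) {
            if (stripos($contents, $sig) !== false) {
                echo "Suspicious MATCH: $sig --> $path\n";
                break;
            }
        }
    }
} catch (RuntimeException $e) {
    // The directory iterator throws when a directory cannot be opened. With
    // error_reporting(0) that would otherwise end the whole script silently and
    // look like a clean result.
    echo "File scan stopped early, results are INCOMPLETE: {$e->getMessage()}\n";
}

echo "\n\n=== Checking wp_options (autoloaded only) ===\n\n";

$db_user = 'YOUR_DB_USER';
$db_pass = 'YOUR_DB_PASS';
$db_name = 'YOUR_DB_NAME';
$prefix  = 'znBUWW2_'; // your table prefix (operator-set constant, never request input)

// PHP 8.1+ makes mysqli throw on failure by default, which would bypass the
// connect_error / query-result checks below. Switch to return-value reporting.
mysqli_report(MYSQLI_REPORT_OFF);

$conn = new mysqli('localhost', $db_user, $db_pass, $db_name);
if ($conn->connect_error) {
    // Deliberately generic: the driver's message can disclose the DB user and host.
    echo "Database connection FAILED. Skipping DB scan.\n";
    exit;
}

// WordPress 6.6+ stores 'on', 'auto' and 'auto-on' for autoloaded options in
// addition to the legacy 'yes'; checking 'yes' alone misses rows on current sites.
$q = "SELECT option_name, option_value
      FROM {$prefix}options
      WHERE autoload IN ('yes', 'on', 'auto', 'auto-on')";

$res = $conn->query($q);
if ($res) {
    while ($row = $res->fetch_assoc()) {
        $val = (string) $row['option_value'];
        foreach ($signatures as $sig) {
            if (stripos($val, $sig) !== false) {
                echo "DB MATCH: {$row['option_name']} contains '$sig'\n";
                break;
            }
        }
    }
    $res->free();
} else {
    echo "Error reading wp_options table.\n";
}

$conn->close();

echo "\n\n=== Scan complete. ===\n\n";
?>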