clean_cryptocurrency_activity.php

<?php

// crontab -e -> 
// 1 * * * * php /home/core/clean_cryptocurrency_activity.php >> /var/log/cryptocurrency_activity.log 2>&1
// Don't forget to add the file to logrotate!! (or delete it periodically)

$date = new DateTime("now");
$dateString = $date->format("Y/m/d-H:i:s");
$needToClean = false;

$directories = [
   ' /apps/web_*/web/sites/default/files',   // Drupal 8
   ' /apps/web_*/sites/default/files',       // Drupal 7
   ' /apps/web_*/wp-content/uploads',        // Wordpress
   ' /tmp',                                  // Temporary directory
];

foreach ($directories as $directory) {
  if (existExecutableFiles($directory)) {
    $needToClean = true;
  } 
}

if ($needToClean) {
  
  foreach ($directories as $directory) {
    cleanExecutableFiles($directory);
  }
  restartPhpFpm();

}
else {
  $carga = sys_getloadavg();
  if ($carga[0] > 3) {
    restartPhpFpm();
    echo "CLEAN[$dateString]: But restarted php\n";

  }
  else {
    echo "CLEAN[$dateString]: Everything is fine\n";
  }
}


function existExecutableFiles($dir) {

  $date = new DateTime("now");
  $dateString = $date->format("Y/m/d-H:i:s");

  $find = exec('find ' . $dir . '  -executable -type f');
  if ( strlen($find) !== 0) {
    echo "CLEAN[$dateString]: Infected file: $find\n";
    return true;
  }
  return false;
}

function cleanExecutableFiles($dir) {
  exec('netstat -anpt | grep ESTABL');
  exec('find ' . $dir . ' -executable -type f -exec rm {} \;');
}

function restartPhpFpm() {
  exec('/etc/init.d/php7.0-fpm restart');
}