File: //tmp/check_wp_users.py
import os, re, subprocess
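# Sites to audit; each is expected to live under /www/wwwroot/<site>/.
sites = [
    'shfava.com', 'bulukeji.cn', 'joyrun.cn',
    'hangbo168.com', 'topslab.com', 'topcheersoftware.com',
    '36362030.com', 'xt021.com',
]
# Account identifiers treated as attacker-created. The list mixes logins and
# one e-mail address, so matching below checks both user_login and user_email.
malicious_logins = ['admn', 'admlnlx', 'adminbackup', 'admin-war-backup',
                    'WhoAdminKnows', 'bot@local.invalid', 'adminbackup132']


def _define_value(text, name):
    """Return the value of ``define('<name>', '<value>')`` in wp-config text.

    Returns None when the constant is not found. The pattern anchors on the
    define() call and its comma, so it captures the value and not the text
    between the constant's closing quote and the value's opening quote.
    Limitation: a value containing an escaped quote (\\') is cut at that quote.
    """
    pattern = (r"define\(\s*['\"]" + re.escape(name) +
               r"['\"]\s*,\s*(['\"])(.*?)\1")
    found = re.search(pattern, text)
    return found.group(2) if found else None


def _table_prefix(text):
    """Return the ``$table_prefix`` from wp-config text, defaulting to 'wp_'."""
    found = re.search(r"\$table_prefix\s*=\s*(['\"])(.*?)\1", text)
    return found.group(2) if found else 'wp_'


def _sql_quote(value):
    """Return *value* as a single-quoted SQL string literal."""
    return "'" + value.replace('\\', '\\\\').replace("'", "\\'") + "'"


def _run_mysql(dbuser, dbpass, dbname, sql):
    """Run *sql* through the mysql client; return (returncode, stdout, stderr).

    The password is handed over in the MYSQL_PWD environment variable instead
    of a -p<password> argument, because command-line arguments can be read by
    every local user through the process list. MYSQL_PWD is deprecated in
    newer MySQL releases; a --defaults-extra-file readable only by the
    invoking user is the longer-term replacement.
    """
    env = dict(os.environ, MYSQL_PWD=dbpass)
    proc = subprocess.Popen(
        ['mysql', '-u' + dbuser, '--batch', dbname, '-e', sql],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env
    )
    out, err = proc.communicate()
    return (proc.returncode,
            out.decode('utf-8', errors='ignore'),
            err.decode('utf-8', errors='ignore'))


for site in sites:
    conf = '/www/wwwroot/' + site + '/wp-config.php'
    if not os.path.exists(conf):
        continue
    # Read as bytes and decode leniently: a tampered config with stray bytes
    # must not abort the audit of the remaining sites.
    with open(conf, 'rb') as f:
        c = f.read().decode('utf-8', errors='ignore')

    dbname = _define_value(c, 'DB_NAME')
    dbuser = _define_value(c, 'DB_USER')
    dbpass = _define_value(c, 'DB_PASSWORD')
    if dbname is None or dbuser is None or dbpass is None:
        print(site + ': cannot parse config')
        continue

    # The prefix becomes part of SQL identifiers, so accept only the
    # characters WordPress itself allows in a table prefix.
    prefix = _table_prefix(c)
    if not re.match(r'[A-Za-z0-9_]+\Z', prefix):
        print(site + ': cannot parse config')
        continue
    users = prefix + 'users'
    usermeta = prefix + 'usermeta'

    # Recent registrations, printed for manual review.
    rc, out, err = _run_mysql(
        dbuser, dbpass, dbname,
        'SELECT ID,user_login,user_email,user_registered FROM ' + users +
        ' ORDER BY user_registered DESC LIMIT 8;')
    if rc != 0:
        # Report the client error instead of discarding it; a wrong prefix or
        # credential would otherwise look the same as an empty table.
        print(site + ': mysql error: ' + err.strip())
        continue
    if not out.strip():
        print(site + ': no output')
        continue
    print('--- ' + site + ' ---')
    print(out)

    # Match on exact column values across the whole table. user_registered is
    # an ordinary column that can be backdated, so the 8 newest rows are not a
    # reliable window, and substring matching on the printed table would flag
    # unrelated logins that merely contain one of the names.
    wanted = ','.join(_sql_quote(v) for v in malicious_logins)
    rc, hits, err = _run_mysql(
        dbuser, dbpass, dbname,
        'SELECT ID,user_login,user_email,user_registered FROM ' + users +
        ' WHERE user_login IN (' + wanted + ')'
        ' OR user_email IN (' + wanted + ');')
    if rc != 0:
        print(site + ': mysql error: ' + err.strip())
        continue

    # First line of --batch output is the column header.
    for row in hits.splitlines()[1:]:
        fields = row.split('\t')
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        uid, login = fields[0], fields[1]
        print(' *** MALICIOUS USER: ' + login + ' ***')
        # Keep the full row in the run log (ID, e-mail, registration time)
        # so the account remains on record for the incident timeline.
        print(' ' + row)
        # Delete by numeric ID so an e-mail match removes the right account,
        # then drop usermeta rows that no longer belong to any user.
        rc, _, err = _run_mysql(
            dbuser, dbpass, dbname,
            'DELETE FROM ' + users + ' WHERE ID=' + uid + ';'
            ' DELETE FROM ' + usermeta + ' WHERE user_id NOT IN'
            ' (SELECT ID FROM ' + users + ');')
        if rc == 0:
            print(' DELETED: ' + login)
        else:
            print(' DELETE FAILED: ' + login + ': ' + err.strip())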