Last active
February 1, 2022 19:09
-
-
Save jasperf/3191187 to your computer and use it in GitHub Desktop.
Hacked Search and Desctroy Bash commands #security #unix
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Search for eval(base64_decode) | |
| find . -name \*.php -exec grep -l "eval(base64_decode" {} \; | |
| #Look for world writable files | |
| find . -type d -perm -o=w | |
| #last logins + ip addresses from where the user logged in | |
| last -i | grep youruser | |
| last -if /var/log/wtmp.1 | grep youruser | |
| #Search for string in files recursively and print them with filename | |
| grep -H -r “redeem reward” /home/tom | |
| grep -H -r "preg_replace" /Users/your/folder/site | |
| #Look for multiple strings -i for case insensitive | |
| grep -ir "redeem reward" /home/folder | |
| #Look for files with modification timestamps that occurred since you last modified your site or around the time the #hack took place. A useful command for doing this is: | |
| find /home/yourusername/www.yourwebsite.com/ ! -name "log" -mtime -3 | |
| find /opt/local/apache2/logs | |
| -3 = last three days | |
| #search for preg_replace, Windows-1251, Love you, evilc0ders or FilesMan | |
| #Search for scripts being loaded | |
| grep -ir "script src" /Users/jasper/Webdesign/DHD/christchurchkilkeel.org/ | |
| #Check for searchengine related redirect hack | |
| wget --referer=http://google.com "http://www.example.com/" | |
| curl -s silent -q quote sending random command | |
| curl -sq http://www.lilypophilypop.com/g_load.php |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment