Forked from CodeBrauer/find_suspicious_php_files.sh
Created
February 1, 2017 11:22
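# Triage commands for a PHP site suspected of compromise.
# Everything here only reads the tree. Hits are leads for manual review, not
# verdicts: legitimate code also calls eval(), and malicious code can avoid
# every pattern below.
# File names inside a compromised tree are attacker-controlled, so files are
# handed to grep with `find -exec ... {} +` rather than `find | xargs`, which
# mis-splits names containing whitespace, quotes or newlines and can leave
# those files unscanned.

# Stop if the web root is missing: scanning the wrong directory would report
# a misleadingly clean result.
cd hacked_website/public_html/ || exit 1

# scan with ClamAV (-i: list infected files only, -r: recurse)
clamscan -ir .

# find PHP files that call functions often seen in obfuscated code
# NOTE(review): only *.php is searched; depending on server configuration
# other extensions may also be executed as PHP. Widen -name if so.
find . -type f -name '*.php' -exec grep -l --color -e 'eval *(' -- {} +
find . -type f -name '*.php' -exec grep -l --color -e 'gzinflate *(' -- {} +

# find files with hex-escaped content (x29 = ")", x3B = ";"); ordinary PHP
# source has little reason to spell these characters as hex escapes.
# The patterns match the bare text "x29"/"x3B" case-insensitively, so
# unrelated strings will match too.
find . -type f -name '*.php' -exec grep -il --color -e x29 -- {} +
find . -type f -name '*.php' -exec grep -il --color -e x3B -- {} +

# find directories whose mode is exactly 0777 (world-writable)
find . -type d -perm 0777

# recursive diff of a known-good copy against the suspect copy; the directory
# names are placeholders. The comparison only means something if the clean
# copy comes from a trusted source and is the same release.
# NOTE(review): `-x .` is kept from the original; its intent is unclear, confirm.
diff -r clean-cms/ hacked-cms/ -x .

# find .htaccess directives that can inject code or redirect visitors
# (-H prints the file name even when only one .htaccess is found)
find . -type f -name '.htaccess' -exec grep -Hi -e auto_prepend_file -- {} +
find . -type f -name '.htaccess' -exec grep -Hi -e auto_append_file -- {} +
find . -type f -name '.htaccess' -exec grep -Hi -e http -- {} +

# === wordpress specific ===
# wp-content is excluded because it legitimately differs between installs
# (themes, plugins, uploads); it is checked separately below.
diff -r wordpress-clean/ wordpress-hacked/ -x wp-content

# search for PHP files in uploads, where no script should normally live;
# -iname also catches upper- or mixed-case extensions
find wp-content/uploads -type f -iname '*.php'

# search uploaded files, then images specifically, for embedded "php" text;
# a three-letter match in binary data can be coincidental, so inspect each hit
find wp-content/uploads -type f -exec grep -Hi -e php -- {} +
find wp-content/uploads -type f -iname '*.jpg' -exec grep -Hi -e php -- {} +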