Last active
October 7, 2015 00:27
-
-
Save jacksoncage/3076456 to your computer and use it in GitHub Desktop.
Shell script to look for evil code and mail if detected
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Shell script to look for evil code and mail if detected | |
| # ------------------------------------------------------------------------- | |
| # http://serverfault.com/questions/153666/send-email-based-on-grep-results | |
| # http://www.linuxforums.org/forum/red-hat-fedora-linux/166780-shell-script-send-email.html | |
| # ------------------------------------------------------------------------- | |
| WHERE="/home/" | |
| TMP="/tmp/webinject_result.txt" | |
| echo "Looking for evil code" | |
| grep -lr --include=*.php '<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir' $WHERE > $TMP | |
| if grep --quiet $WHERE $TMP | |
| then | |
| echo "Found evil code, deleting..." | |
| find $WHERE -name '*.php' -exec grep -q eva1fYlbakBcVSir {} \; -print -exec perl -pi -w -e 's/\<\?php \@error_reporting\(0\); if \(\!isset\(\$eva1fYlbakBcVSir.*\?\>//g' {} \; | |
| echo "Sending email to adm@lovemusic.se" | |
| grep -B 20 -B 2 $WHERE $TMP | mail -s "Fixed: Evil code injection on server" adm@lovemusic.se | |
| else | |
| echo "No evil code was found." | |
| fi | |
| echo "Deleting tmp file." | |
| rm -rf $TMP | |
| echo "Done." |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment