@mario21ic
Last active February 22, 2021 15:53
Script to scan for web shells
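#!/bin/bash
#
# Signature scan for PHP web shells and related artefacts under web roots.
#
# Usage: <script> [search_dir [report_dir]]
#   search_dir  directory to scan, taken as one literal path (no word
#               splitting or globbing is applied to the argument);
#               default: every /home/*/public_html
#   report_dir  directory that receives one report file per check;
#               default: /root/sospechosos/report
#
# Each check runs as a background job and writes its own report file; the
# script waits for all of them before printing the closing message.
#
# The checks are plain string/regex signatures. A hit is a lead for manual
# review (needles such as 'return base64_decode' or 'safe_mode' also occur in
# legitimate code), and an empty report does not show that a tree is clean.

set -u

echo "Iniciando"

# Keep the scan roots in an array so paths with spaces survive intact and the
# default glob still fans out to one entry per account.
if [[ -z "${1:-}" ]]; then
  search_dirs=(/home/*/public_html)
else
  search_dirs=("$1")
fi
dir_report=${2:-/root/sospechosos/report}

# Reports list the location of suspected malicious files: keep them private,
# and keep report_dir outside the scanned (web-served) tree.
umask 077
if ! mkdir -p -- "$dir_report"; then
  printf 'cannot create report directory: %s\n' "$dir_report" >&2
  exit 1
fi

# Per-root paths used by the .htaccess and directory-listing checks.
htaccess_files=()
module_dirs=()
upload_php=()
for root in "${search_dirs[@]}"; do
  htaccess_files+=("$root/.htaccess")
  module_dirs+=("$root"/modules/{mod_articless,mod_arateiclws,mod_aracticlhes,mod_araticlhess,mod_articles_menu}/)
  upload_php+=("$root"/{tmp,media,images}/*.php)
done

# Run one fixed-string grep over the scan roots in the background.
#   $1 - grep flags, $2 - report file name, $3 - literal needle
scan_literal() {
  local flags=$1 report=$2 needle=$3
  grep "$flags" -- "$needle" "${search_dirs[@]}" > "$dir_report/$report" &
}

# Obfuscated eval()/decode chains; only the matching file names are recorded.
grep -Erl -- '\} if\(isset\(|extract\(\$_COOKIE|eval\(base64_decode|eval\(gzinflate|eval\(gzuncompress\(base64_decode|eval\(preg_replace\(|\{eval\(stripslash|eval\(strrev|eval\(str_rot13|eval\(unescape|stripslash\(base64_decode|\\x62\\141\\x73\\145\\x36\\64\\x5f\\144\\x65\\143\\x6f\\144\\x65' "${search_dirs[@]}" > "$dir_report/egrep.txt" &
scan_literal -rlF o8k.txt 'O8KxrH6r'
scan_literal -rlF x41.txt 'x47L\x4f\x42\x41'

# Needles are single-quoted and matched with -F. Inside double quotes the
# shell expands $_F and $_POST to empty strings, which silently turns those
# two checks into searches for '=__FILE__' and 'eval(base64_decode('.
scan_literal -rnF strtoupper.txt '0=strtoupper($'
scan_literal -rnF files.txt '$_F=__FILE__'
scan_literal -rnF mailer.txt ' MAILER '
scan_literal -rnF pgrep_match.txt 'preg_match(base64_decode'
scan_literal -rnF pgrep_match2.txt 'preg_match((base64_decode'
scan_literal -rnF base64_decode.txt 'eval(base64_decode($_POST'
scan_literal -rnF filesman.txt 'FilesMan'
scan_literal -rnF pct.txt 'PCT4BA6ODSE'
scan_literal -rnF returnbase64.txt 'return base64_decode'
scan_literal -rnF user_agent_to_filter.txt 'user_agent_to_filter'
scan_literal -rnF f1l3.txt 'F1l3'

# Directives of interest in the top-level .htaccess of each scan root.
grep -rnF -- 'apachecodes' "${htaccess_files[@]}" > "$dir_report/apachecodes.txt" &
grep -rnF -- 'safe_mode' "${htaccess_files[@]}" > "$dir_report/safe_mode.txt" &

# File-system indicators: php.ini files anywhere in the tree, the listed
# module directories, PHP files in tmp/media/images, and dot-prefixed PHP files.
find "${search_dirs[@]}" -name 'php.ini' > "$dir_report/php_ini.txt" &
ls -lha -- "${module_dirs[@]}" > "$dir_report/mods.txt" &
# This report is appended to, so results of earlier runs stay in the file.
ls -lha -- "${upload_php[@]}" >> "$dir_report/tmp_media_images.txt" &
find "${search_dirs[@]}" -name '.*.php' > "$dir_report/hide.txt" &

# Without this barrier the closing message appears while reports are still
# being written.
wait
echo "Finalizando..."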