Check for shell scripts on a DirectAdmin VPS (hack, find, directadmin)
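# Web-shell hunt for a DirectAdmin box: list PHP files under /home whose
# contents match patterns common in obfuscated backdoors. Every hit is a
# lead for manual review, not proof of compromise — minified plugins and
# some themes use eval/base64_decode legitimately.
#
# find output is NUL-delimited (-print0 / xargs -0) so file names with
# spaces or newlines cannot be split into bogus arguments; the --include
# glob is single-quoted so the shell does not expand it against the cwd.
grep -lr --include='*.php' 'eval(base64_decode' /home
find /home -type f -name '*.php' -print0 | xargs -0 grep -l 'eval *('
find /home -type f -name '*.php' -print0 | xargs -0 grep -l 'base64_decode *('
find /home -type f -name '*.php' -print0 | xargs -0 grep -l 'gzinflate *('
find /home -type f -name '*.php' -print0 | xargs -0 grep -l 'outdo'
# "eval*_POST" matched "eva" + any number of "l" + "_POST"; the intent is
# an eval followed (eventually) by _POST on the same line.
find /home -type f -name '*.php' -print0 | xargs -0 grep -l 'eval.*_POST'
# Single quotes: in double quotes "$ptzrw" expanded to an (unset) shell
# variable, i.e. grep "" — which lists every PHP file on the box.
find /home -type f -name '*.php' -print0 | xargs -0 grep -l '$ptzrw'
# PHP directly inside the WordPress uploads tree is almost never legitimate.
find /home/*/domains/*/public_html/wp-content/uploads -type f -name '*.php'
# PHP inside world-writable directories (mode exactly 0777).
find /home/ -type d -perm 777 -exec find {} -name '*.php' \;
# Relative path: run this one from the WordPress document root.
find wp-admin -type f -name '*.php' -print0 | xargs -0 grep -l 'gzinflate *('
find /home -type f -name '*.php' -print0 | xargs -0 grep -l 'eval *(str_rot13 *(base64_decode *('
# Broad net for code that sends mail, opens sockets or runs commands
# (-i -E: case-insensitive extended regex); prints matching lines, expect
# many legitimate hits.
find /home -type f -name '*.php' -print0 | xargs -0 grep -iE -- "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\("
# preg_replace() with the /e modifier (evaluates the replacement as code;
# removed in PHP 7).
find /home -type f -name '*.php' -print0 | xargs -0 grep -iE -- "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *,"
# auto_prepend_file / auto_append_file in .htaccess inject PHP into every
# request; -H keeps the file name even when xargs hands grep a single file.
find /home -type f -name '.htaccess' -print0 | xargs -0 grep -iH auto_prepend_file
find /home -type f -name '.htaccess' -print0 | xargs -0 grep -iH auto_append_file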
awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -r
awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r
awk -F\" '($2 ~ "qjhtwaba.php"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r
awk -F\" '($2 ~ "c0nfig.php"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r
awk '($9 ~ /404/)' /var/log/httpd/domains/*log | awk -F\" '($2 ~ "^GET .*\.php")' | awk '{print $7}' | sort | uniq -c | sort -r | head -n 20
awk -F\" '{print $2}' /var/log/httpd/access_log | awk '{print $2}' | sort | uniq -c | sort -r
cat /var/log/httpd/access_log | grep -E "wp-admin|wp-login|POST /" | awk '{print $1 "\t" $7}'
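# Recursive signature greps over /home: -l lists file names only, -r
# recurses, -E enables extended regex. The --include globs are quoted so the
# shell cannot expand them against the current directory, and -o was dropped
# because it has no effect once -l is given.
# Combined fingerprint of several known shell families: eval of decoded
# payloads, $0O0O-style variable names, FilesMan, die(PHP_OS),
# document.write("\u00..") droppers and "sh3ll"/"sh311" strings.
grep -lrE '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' --include='*.php*' /home
grep -lrE 'eval\(stripslashes\(\$_REQUEST' --include='*.php*' /home
grep -lrE 'eval\(\$_POST' --include='*.php*' /home
grep -lrE 'shell_exec' --include='*.php*' /home
grep -lrE 'if\(isset\(\$_REQUEST\[\$post_var' --include='*.php*' /home
# PHP hidden inside .ico files (a common disguise for dropped code).
grep -lrE 'eval' --include='*.ico*' /home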
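# Multi-token searches: each pipeline keeps only lines that contain *all*
# of the tokens, then reduces to the file name. The original awk '{print $1}'
# printed "path:first-word" because grep output has no space after the
# colon; cut -d: -f1 | sort -u gives one clean path per file (a path that
# itself contains ':' would be truncated — rare under /home). -H keeps the
# file name even when xargs hands grep a single file.
php_files() { find /home/ -type f -name '*.php' -print0; }
paths_only() { cut -d: -f1 | sort -u; }

php_files | xargs -0 grep -H 'create_function' | grep 'base' | grep 'COOKIE' | paths_only
php_files | xargs -0 grep -H 'exit' | grep 'eval' | grep 'GLOBALS' | paths_only
php_files | xargs -0 grep -H 'isset' | grep 'eval' | grep 'strtoupper' | paths_only
# Client IPs that requested a known shell file name in one domain's log
# (-w: whole word; the original -R/-n/cut chain only served to isolate $1).
grep -w -e 'sqatrhjf.php' -- /var/log/httpd/domains/omranifard.com.log | awk '{print $1}'
# Emit (do not run) one removal command per file mentioning the r57 / c99
# shells. Review the list first — the tokens are short enough to occur in
# legitimate code — and consider moving the files to a quarantine directory
# instead of deleting them, which preserves evidence. %q shell-quotes the
# path so spaces cannot split the generated command.
php_files | xargs -0 grep -l 'r57' | while IFS= read -r f; do printf 'rm -f -- %q\n' "$f"; done
php_files | xargs -0 grep -l 'c99' | while IFS= read -r f; do printf 'rm -f -- %q\n' "$f"; done
grep -lrE 'create_function|base64_decode' --include='*.php*' /home
# SQL keywords in request lines — very noisy ("select", "open", "end",
# "table" occur in ordinary URLs); use it to rank, not to alert.
grep -E 'char|nchar|varchar|nvarchar|alter|begin|cast|create|cursor|declare|delete|drop|end|exec|execute|fetch|insert|kill|open|select|sys|sysobjects|syscolumns|table|update' /var/log/httpd/access_lo*
# The original used a typographic dash (—include), which grep treated as a
# file name instead of an option; -R already implies recursion.
grep -Rnw --include='*.php' -e 'GLOBALS\[$GLOBALS' -- /home/
php_files | xargs -0 grep -H 'SHELL_PASSWORD' | paths_only
php_files | xargs -0 grep -H 'auth_pass' | grep 'base64_decode' | paths_only
php_files | xargs -0 grep -H '57hom' | paths_only
php_files | xargs -0 grep -H 'wp_kses_data' | grep 'wp_nonce' | grep 'null' | grep '_wp_admin_bar_init' | paths_only
# grep "^" (match every line) was only there to prefix each line with its
# file name; -H does that directly.
php_files | xargs -0 grep -H 'exit' | grep 'Array' | paths_only
php_files | xargs -0 grep -H 'return' | grep 'strlen' | grep 'Array' | grep 'isset' | grep 'rawurl' | paths_only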

# Targeted search inside one site's document root: -r recurses, -n prints
# line numbers, -w matches whole words only. The second pipeline keeps only
# the GLOBALS lines that also mention eval.
grep -rnw -e 'str_repeat' -- '/home/omranftp/domains/omranifard.com/public_html/'
grep -rnw -e 'GLOBALS' -- '/home/omranftp/domains/omranifard.com/public_html/' | grep 'eval'

GLOBALS
exit
eval
isset


parsibox commented Mar 3, 2018

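	 # Files that contain all four tokens (each grep -l narrows the list).
	 # -print0 / -Z / -0 keep the pipeline safe for file names with spaces.
	 find /home/ -type f -name '*.php' -print0 | xargs -0 grep -lZ 'ceil' | xargs -0 grep -lZ 'HTTP_HOST' | xargs -0 grep -lZ 'strlen' | xargs -0 grep -l 'str_repeat'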


parsibox commented Apr 2, 2020

awk -F\" '($2 ~  /uploads[/].*[/].*[/].*\.(php)/ ){print $1}' /var/log/httpd/domains/*log  | cut -d "-" -f 1 > /root/davari.txt


parsibox commented Apr 9, 2020

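 # PHP hidden in .ico files: emit (do not run) one removal command per file.
 # -l gives file names only, -Z NUL-terminates them so the loop is safe with
 # spaces, and %q shell-quotes the path. Review the list before running it —
 # or move the files to a quarantine directory to preserve evidence.
 grep -lrZ 'eval' --include='*.ico*' /home | while IFS= read -r -d '' f; do printf 'rm -f -- %q\n' "$f"; done
 # -F: with the original -E, "?" was a quantifier, so "<?php" matched any
 # line containing "php"; the tag must be searched as a fixed string.
 grep -lrZF -- '<?php' --include='*.ico*' /home | while IFS= read -r -d '' f; do printf 'rm -f -- %q\n' "$f"; done
 # Dot-prefixed .ico files are hidden from a plain ls and a common drop location.
 find /home -type f -name '.*.ico'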


parsibox commented Apr 10, 2020

Add to /etc/httpd/conf/extra/httpd-directories.conf
to prevent PHP files from being run in all WordPress sites

# Every WordPress uploads directory on the server: a request for any .php
# file there is answered with a permanent (301) redirect to an external host,
# carrying the requested path in the query string. R=301 is cached by
# browsers; `Require all denied` (403) would block the request without a
# round trip to a third host and without disclosing the path — keep the
# redirect only if the remote davari.php is deliberately used to record
# these attempts.
<Directory "/home/*/domains/*/public_html/wp-content/uploads*">
<Files "*.php">
RewriteEngine  On
# xx.x.xx.xx is a placeholder for the logging host.
RewriteRule ^(.*)$ http://xx.x.xx.xx/davari.php?page=$1 [R=301,L]
</Files>
</Directory>


# Same treatment for the whole wp-content tree, with two exemptions.
# NOTE(review): each RewriteCond is an unanchored, case-insensitive substring
# test on REQUEST_URI, so any URI that merely contains "style.php" or
# "custom-colors.php" skips the redirect; match the exact paths of the two
# files instead.
<Directory "/home/*/domains/*/public_html/wp-content*">
<Files "*.php">
RewriteEngine  On
RewriteCond %{REQUEST_URI}  !.*style.php.*$ [NC]
RewriteCond %{REQUEST_URI}  !.*custom-colors.php.*$ [NC]
RewriteRule ^(.*)$ http://185.237.85.21/davari.php?page=$1 [R=301,L]
</Files>

</Directory>


# Requests for the login page or xmlrpc.php whose User-Agent contains "X11"
# are bounced to 127.0.0.1 — presumably a bot signature seen in the logs.
# Desktop browsers on Linux also send "X11" in their User-Agent, so some
# legitimate logins are blocked too. The unescaped "." in the FilesMatch
# regex matches any character; "\.php" is the exact form.
<FilesMatch "(wp-login.php|xmlrpc.php)">
RewriteCond %{HTTP_USER_AGENT} .*(X11).*$ [NC]
RewriteRule ^.* http://127.0.0.1/ [R=301,L]
</FilesMatch>

# HTTP Basic auth in front of wp-login.php with one shared credential file for
# every account on the server; /home/.htpasswd sits above the per-account
# document roots, so it is not served over the web. Basic auth sends the
# password in clear text unless the site is served over HTTPS.
<FilesMatch "wp-login.php">
 AuthName "Webhosing auto protect wordpress login ( if you don't know your password call 03132055 )"
 AuthType Basic
 AuthUserFile /home/.htpasswd
 require valid-user
 </FilesMatch>
 



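# Live view of POST requests, excluding two source addresses (presumably the
# operator's own). --line-buffered keeps the tail -f stream flowing through
# grep; -F -w matches the addresses as literal whole words, so "31.25.104.45"
# no longer also excludes "131.25.104.45" or "31.25.104.450".
tail -f /var/log/httpd/domains/*log | grep --line-buffered POST | grep -vwF -e '31.25.104.45' -e '185.237.85.21'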


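 # Files containing the "AnonymousFox" marker (a string seen in a widely
 # reported hosting-account compromise). -H keeps the file name even for a
 # single file; cut/sort reduce grep's "path:line" output to unique paths
 # (the original awk '{print $1}' printed "path:first-word").
 find /home/ -type f -name '*.php' -print0 | xargs -0 grep -H 'AnonymousFox' | cut -d: -f1 | sort -u
 # Lines that combine stristr, eval and curl — a remote-fetch-and-execute pattern.
 find /home/ -type f -name '*.php' -print0 | xargs -0 grep -H 'stristr' | grep 'eval' | grep 'curl' | cut -d: -f1 | sort -u
 # Client IPs that fetched a .php file under wp-content (-F: literal ".php HTTP").
 # sort -u dedups non-adjacent repeats; plain uniq only collapses neighbours.
 grep 'wp-content' /var/log/httpd/domains/*log | grep -F '.php HTTP' | awk '{print $1}' | sort -u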


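 # Files with a line that mentions both curl and eval. -H keeps the file name
 # for a single file; cut/sort reduce "path:line" to unique paths (the
 # original awk '{print $1}' printed "path:first-word").
 find /home/ -type f -name '*.php' -print0 | xargs -0 grep -H 'curl' | grep 'eval' | cut -d: -f1 | sort -u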
