Skip to content

Instantly share code, notes, and snippets.

@parsibox

parsibox/check_for_hack_directadmin_shell

Last active January 5, 2024 13:57
Show Gist options
  • Save parsibox/8cda499d52a53d82bea633c188af6f11 to your computer and use it in GitHub Desktop.
Save parsibox/8cda499d52a53d82bea633c188af6f11 to your computer and use it in GitHub Desktop.
Download ZIP
check for shell script in directadmin vps ( hack , find , directadmin )
Raw
check_for_hack_directadmin_shell
grep -lr --include=*.php "eval(base64_decode" /home
find /home -type f -name '*.php' | xargs grep -l "eval *(" --color
find /home -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
find /home -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
find /home -type f -name '*.php' | xargs grep -l "outdo" --color
find /home -type f -name '*.php' | xargs grep -l "eval*_POST" --color
find /home -type f -name '*.php' | xargs grep -l "$ptzrw" --color
find /home/*/domains/*/public_html/wp-content/uploads -type f -name '*.php'
find /home/ -type d -perm 777 -exec find {} -name "*.php" \;
find wp-admin -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
find /home -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color
find /home -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\(" --color
find /home -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color
find /home -type f -name '\.htaccess' | xargs grep -i auto_prepend_file;
find /home -type f -name '\.htaccess' | xargs grep -i auto_append_file;
awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -r
awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r
awk -F\" '($2 ~ "qjhtwaba.php"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r
awk -F\" '($2 ~ "c0nfig.php"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r
awk '($9 ~ /404/)' /var/log/httpd/domains/*log | awk -F\" '($2 ~ "^GET .*\.php")' | awk '{print $7}' | sort | uniq -c | sort -r | head -n 20
awk -F\" '{print $2}' /var/log/httpd/access_log | awk '{print $2}' | sort | uniq -c | sort -r
cat /var/log/httpd/access_log | grep -E "wp-admin|wp-login|POST /" | awk '{print $1 "\t" $7}'
grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' /home -lroE --include=*.php*
grep 'eval\(stripslashes\(\$_REQUEST' /home -lroE --include=*.php*
grep 'eval\(\$_POST' /home -lroE --include=*.php*
grep 'shell_exec' /home -lroE --include=*.php*
grep 'if\(isset\(\$_REQUEST\[\$post_var' /home -lroE --include=*.php*
grep "eval" /home -lroE --include=*.ico*
find /home/ -name "*".php -type f -print0 | xargs -0 grep "create_function" | grep "base" | grep "COOKIE" --color
find /home/ -name "*".php -type f -print0 | xargs -0 grep "exit" | grep "eval" | grep "GLOBALS" --color
find /home/ -name "*".php -type f -print0 | xargs -0 grep "isset" | grep "eval" | grep "strtoupper" --color
grep -R -rnw '/var/log/httpd/domains/omranifard.com.log' -e "sqatrhjf.php" | cut -d ":" -f 2 | cut -d " " -f 1
find /home/ -name "*".php -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
find /home/ -name "*".php -type f -print0 | xargs -0 grep c99 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
grep 'create_function|base64_decode' /home -lroE --include=*.php*
grep -E 'char|nchar|varchar|nvarchar|alter|begin|cast|create|cursor|declare|delete|drop|end|exec|execute|fetch|insert|kill|open|select|sys|sysobjects|syscolumns|table|update' /var/log/httpd/access_lo*
grep -R —include="*.php" -rnw '/home/' -e "GLOBALS\[\$GLOBALS"
find /home/ -name "*".php -type f -print0 | xargs -0 grep "SHELL_PASSWORD" | awk '{print $1}'
find /home/ -name "*".php -type f -print0 | xargs -0 grep "auth_pass" | grep "base64_decode" | awk '{print $1}'
find /home/ -name "*".php -type f -print0 | xargs -0 grep "57hom" | awk '{print $1}'
find /home/ -name "*".php -type f -print0 | xargs -0 grep "wp_kses_data" | grep "wp_nonce" | grep "null" | grep "_wp_admin_bar_init"| awk '{print $1}'
find /home/ -name "*".php -type f -print0 | xargs -0 grep "^" | grep "exit" | grep "Array" | awk '{print $1}'
find /home/ -name "*".php -type f -print0 | xargs -0 grep "return" | grep "strlen" | grep "Array" | grep "isset" | grep "rawurl" | awk '{print $1}'
@parsibox
Copy link
Author 

 find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "AnonymousFox" |  awk '{print  $1}'
find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "stristr" | grep "eval" | grep "curl" |  awk '{print  $1}'
 cat  /var/log/httpd/domains/*log | grep "wp-content"  | grep ".php HTTP"|  awk '{print  $1}'  | uniq

@parsibox
Copy link
Author 

 find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "curl" | grep "eval" |  awk '{print  $1}'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment