Last active: October 17, 2016 15:48
Series of shell commands to help detect a PHP security exploit
# Find all Apache-owned PHP files. Files the web server user itself can create are the usual
# home of uploaded web shells; on Debian/Ubuntu the user is www-data rather than apache.
find /var/www -user apache -type f -name '*.php' > suspicious_files.txt

# Find all non-binary files owned by Apache that are not named .php but contain PHP parser tags.
# The (?!xml) negative lookahead is PCRE, not POSIX ERE: egrep silently treats it as the literal
# text "?!xml", so grep -P is required for the <?xml exclusion to actually work.
# -print0 / xargs -0 keep paths with spaces intact.
find /var/www -user apache -type f -not -name '*.php' -print0 \
  | xargs -0 grep -ilIP '(<\?php|<\?=|<\? *(?!xml))' > suspicious_files2.txt

# Find all files containing PHP parser tags in the global tmp folder
grep -ilIrP '(<\?php|<\?=|<\? *(?!xml))' /tmp > suspicious_files3.txt

# You can inspect all the PHP files for certain strings to find potentially dodgy code. Yes, they often contain the word hack!
cat suspicious_files.txt suspicious_files2.txt suspicious_files3.txt > suspicious_files_all.txt
tr '\n' '\0' < suspicious_files_all.txt | xargs -0 grep -il 'hack'

# Search for a few potentially dodgy function calls at once
tr '\n' '\0' < suspicious_files_all.txt \
  | xargs -0 grep -ilE '(eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|hex2bin *\()'

# Remove the "l" option to view the matched lines in the file.
grep -i 'hack' --color path/to/file.php