Series of shell commands to help detect a PHP security exploit (web shells or backdoor scripts written to disk by a compromised web application)
# Find all PHP files owned by the web server user. "apache" is the RHEL/CentOS
# account; use www-data on Debian/Ubuntu. The application normally has no reason
# to write .php files itself, so every hit deserves a look.
find /var/www -user apache -type f -name '*.php' > suspicious_files.txt
# Find all non-binary files owned by the web server user that are not named .php
# but contain PHP open tags (e.g. a web shell hidden in an uploaded "image").
# The (?!xml) lookahead that excludes "<?xml" prologs is PCRE, not POSIX ERE, so
# it needs GNU grep -P rather than egrep. -exec ... {} + copes with odd filenames
# and never runs grep on an empty list, which a bare xargs would.
find /var/www -user apache -type f -not -name '*.php' -exec grep -lIiP '(<\?php|<\?=|<\? *(?!xml))' {} + > suspicious_files2.txt
# Find all files containing PHP open tags in the global tmp folder, whatever the
# owner: uploads and session files land here and it is a common drop location.
grep -rlIiP '(<\?php|<\?=|<\? *(?!xml))' /tmp > suspicious_files3.txt
# You can inspect all the PHP files for certain strings to find potentially dodgy
# code. Yes, they often contain the word hack! Feed the list through GNU xargs one
# path per line so paths with spaces survive, and -r keeps grep from reading stdin
# when the list is empty.
cat suspicious_files.txt suspicious_files2.txt suspicious_files3.txt > suspicious_files_all.txt
xargs -d '\n' -r grep -il 'hack' < suspicious_files_all.txt
# Search for a few potentially dodgy function calls at once. Legitimate application
# code rarely needs these, but web shells and obfuscated droppers lean on them;
# expect some false positives from libraries, so review each match by hand.
xargs -d '\n' -r grep -ilE '(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin|create_function|system|shell_exec|passthru) *\(' < suspicious_files_all.txt
# Remove the "l" option to view the matched lines in the file; -n adds line numbers.
grep -in 'hack' --color path/to/file.php
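The whole hunt above, run end to end as a self-contained script. This is an added example, not code from the original gist: it builds a constructed fixture tree (a clean page, an XML file that must not trigger, a GIF89a-prefixed shell, an obfuscated dot-file shell, a JPEG with PHP appended after NUL bytes, and a tmp session file) instead of touching /var/www and /tmp, and it defaults WEB_USER to the current uid because an unprivileged demo cannot chown files to apache. The PHP-tag pattern is rewritten in POSIX ERE so it runs on any grep (the gist's lookahead needs GNU grep -P), and the function list is a little longer than the gist's. The function names, the fixture paths and the sample file contents are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the original gist): the hunt run end to end
# against a constructed fixture tree instead of /var/www and /tmp, so it can
# be executed safely anywhere. WEB_USER defaults to the current uid because an
# unprivileged demo cannot chown files to "apache"; on a real server set
# WEB_USER=apache (RHEL/CentOS) or www-data (Debian/Ubuntu).
set -eu

WEB_USER=${WEB_USER:-$(id -u)}   # find -user accepts names or numeric ids

# PHP open tags in POSIX ERE so this runs on any grep (the gist's "(?!xml)"
# lookahead needs PCRE, i.e. GNU grep -P): "<?php", "<?=", or "<?" plus
# optional spaces followed by anything other than "xml" (or end of line).
PHP_TAG_RE='<\?php|<\?=|<\? *([^x[:space:]]|x[^m]|xm[^l]|$)'

# Calls that legitimate application code rarely needs but web shells and
# obfuscated droppers use constantly.
DODGY_FN_RE='(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin|create_function|system|shell_exec|passthru) *\('

# Constructed sample tree (assumed paths and contents, not real artifacts):
# a clean page, an XML file that must not trigger, a GIF89a-prefixed shell,
# an obfuscated dot-file shell, a JPEG with PHP appended after NUL bytes
# (the -I false negative) and a tmp session file.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/www/uploads" "$root/tmp"
    printf '<?php\necho "hello";\n' > "$root/www/index.php"
    printf '<?xml version="1.0"?>\n<feed/>\n' > "$root/www/feed.xml"
    printf 'GIF89a\n<?php @eval($_POST["c"]); ?>\n' > "$root/www/uploads/avatar.gif"
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$root/www/uploads/.cache.php"
    printf '\377\330\377\340\000\020JFIF\000\n<?php system($_GET["x"]);\n' > "$root/www/uploads/real.jpg"
    printf '<? passthru($_REQUEST["cmd"]); ?>\n' > "$root/tmp/sess_abc"
    printf '%s\n' "$root"
}

# Step 1: PHP files owned by the web server user.
owned_php() {        # $1 = docroot
    find "$1" -user "$WEB_USER" -type f -name '*.php' | LC_ALL=C sort
}

# Step 2: files owned by the web user that are not *.php but carry PHP tags.
# -exec ... + copes with any filename and never runs grep on an empty list.
# Default -I skips binaries; pass -a as $2 to scan them too (slower, noisier,
# but it is the only way to catch a payload appended to a real image).
hidden_php() {       # $1 = docroot, $2 = -I (default) or -a
    find "$1" -user "$WEB_USER" -type f ! -name '*.php' \
        -exec grep -liE "${2:--I}" -e "$PHP_TAG_RE" {} + | LC_ALL=C sort
}

# Step 3: anything with PHP tags in the shared tmp directory, any owner.
tmp_php() {          # $1 = tmp dir
    grep -rliIE -e "$PHP_TAG_RE" "$1" | LC_ALL=C sort
}

# Step 4: keep only candidates that call the dodgy functions. Paths arrive one
# per line on stdin, so spaces are safe and an empty list yields no output
# instead of grep silently waiting on the terminal.
dodgy_calls() {
    while IFS= read -r f; do
        grep -liE -e "$DODGY_FN_RE" "$f" || true
    done | LC_ALL=C sort
}

# The full pipeline from the gist, returning the final suspect list.
hunt() {             # $1 = fixture root containing www/ and tmp/
    { owned_php "$1/www"; hidden_php "$1/www"; tmp_php "$1/tmp"; } | dodgy_calls
}

root=$(make_fixture)
echo "== suspects under $root =="
hunt "$root"
rm -rf "$root"
```

Run it as-is to see the three planted shells reported while index.php and feed.xml stay quiet; note that real.jpg only shows up in hidden_php when called with -a, because -I treats a file containing NUL bytes as binary and skips it, which is exactly how a payload appended to a genuine image evades the default scan.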