@simonrjones
Last active October 17, 2016 15:48
Series of shell commands to help detect a PHP security exploit
# Find all Apache-owned PHP files
find /var/www -user apache -type f -name '*.php' > suspicious_files.txt
# Find all non-binary files owned by Apache that are not named .php but contain PHP parser tags
# (the negative lookahead that skips "<?xml" is a PCRE feature, so this needs grep -P rather than egrep;
# -print0 / xargs -0 keeps file names containing spaces intact, -r skips running grep on an empty list)
find /var/www -user apache -type f -not -name '*.php' -print0 | xargs -0 -r grep -ilIP "(<\?php|<\?=|<\? *(?!(xml)))" > suspicious_files2.txt
# Find all files containing PHP parser tags in the global tmp folder (same PCRE pattern, so grep -P again)
grep -rilIP "(<\?php|<\?=|<\? *(?!(xml)))" /tmp > suspicious_files3.txt
# You can inspect all the PHP files for certain strings to find potentially dodgy code. Yes, they often contain the word hack!
cat suspicious_files.txt suspicious_files2.txt suspicious_files3.txt > suspicious_files_all.txt
# Feed the list one path per line via xargs; an unquoted $(cat ...) would split paths on spaces
xargs -d '\n' -r grep -il 'hack' < suspicious_files_all.txt
# Search for a few potentially dodgy function calls at once
xargs -d '\n' -r grep -ilE '(eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|hex2bin *\()' < suspicious_files_all.txt
# Remove the "l" option to view the matched lines in the file.
grep -i 'hack' --color path/to/file.php