Last active
December 24, 2016 06:30
-
-
Save sixFingers/3a04f1ead5b24cb11033 to your computer and use it in GitHub Desktop.
Check for malware inside a Wordpress installation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # ================ | |
| # Injection checks | |
| # ================ | |
| notices[0]=".php files in /uploads" | |
| checks[0]="find ./wp-content/uploads -type f -name \"*.php\"" | |
| notices[1]="'bin/perl'" | |
| checks[1]="find ./wp-content -type f -exec grep -iHl '\/bin\/perl' {} \;" | |
| notices[2]="'eval()' calls" | |
| checks[2]="find ./wp-content \( ! -iname '*.js' \) -type f -exec grep -iHl 'eval' {} \;" | |
| notices[3]="'base64_decode' calls" | |
| checks[3]="find ./wp-content \( ! -iname '*.js' \) -type f -exec grep -iHl 'base64_decode' {} \;" | |
| notices[4]="php tag inside non-php text files" | |
| checks[4]="find ./wp-content \( ! -iname '*.php' -and ! -iname '*.html' -and ! -iname '*.ini' -and ! -iname '*.js' -and ! -iname '*.sql' -and ! -iname '*.log' -and ! -iname '*._log' \) -type f -exec grep -iHl '?php' {} \; " | |
| notices[5]="php tag inside image files" | |
| checks[5]="find ./wp-content \( -iname '*.gif' -or -iname '*.jpg' -or -iname '*.jpeg' -or -iname '*.png' -or -iname '*.tiff' \) -type f -exec grep -iHl '?php' {} \; " | |
| for ((i = 0; i < ${#checks[@]}; i ++)) | |
| do | |
| read -p " Check for ${notices[$i]}? [y/n] " -n 1 -r | |
| if [[ $REPLY =~ ^[Yy]$ ]] | |
| then | |
| echo | |
| echo -e "\033[32m Searching for ${notices[$i]}" | |
| occurrencies=$(eval ${checks[$i]}) | |
| count=$(echo "$occurrencies" | wc -l) | |
| wcount=$(echo "$occurrencies" | wc -m) | |
| if [ $wcount -gt 1 ]; | |
| then | |
| # count=$(($count+1)) | |
| echo -e "\033[31m Found $count occurrencies for ${notices[$i]}:" | |
| echo -e "\033[0m $occurrencies" | |
| else | |
| echo -e "\033[0m No occurrencies found." | |
| fi | |
| else | |
| echo | |
| fi | |
| done | |
| # ============================== | |
| # Display 10 last modified files | |
| # ============================== | |
| read -p " Check for recently modified files? [y/n] " -n 1 -r | |
| if [[ $REPLY =~ ^[Yy]$ ]] | |
| then | |
| echo | |
| find $1 -type f -print0 | xargs -0 stat --format '%Y :%y %n' | sort -nr | cut -d: -f2- | head | |
| else | |
| echo | |
| fi | |
| # ====================== | |
| # Search for hot keyword | |
| # ====================== | |
| read -p " Lookup a keyword? [[keyword]/n] " | |
| if [[ $REPLY =~ ^[Nn]$ ]] | |
| then | |
| echo | |
| else | |
| echo | |
| find ./ -type f -exec grep -iHl $REPLY {} \; | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment