strings for finding backdoor shells, rootkits, botnets, and exploitable functions

seclist_malicious.txt

# strings for finding backdoor shells, rootkits, botnets, and exploitable functions
# grep -Rn "shell *(" /var/www
exec
passthru        
shell_exec
system
phpinfo
base64_decode
chmod
mkdir
fopen
fclose
readfile
php_uname
eval
edoced_46esab
popen
include
create_function
mysql_execute
php_uname
proc_open
pcntl_exec
``
include_once
require
require_once
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmo
getmygid
getmyinode
getmypid
getmyuid
assert
extract
parse_str
putenv
ini_set
pfsockopen
fsockopen
apache_child_terminate
posix_kill
posix_setpgid
posix_setsid
posix_setuid
tmpfile
bzopen
gzopen
chgrp
chown
copy
file_put_contents
lchgrp
lchown
link
mkdir
move_uploaded_file
symlink
tempnam
imagecreatefromgif
imagecreatefromjpeg
imagecreatefrompng
imagecreatefromwbmp
imagecreatefromxbm
imagecreatefromxpm
ftp_put
ftp_nb_put
exif_read_data
read_exif_data
exif_thumbnail
exif_imagetype
hash_file
hash_hmac_file
hash_update_file
md5_file
sha1_file
highlight_file
show_source
php_strip_whitespace
get_meta_tags
str_repeat
unserialize
register_tick_function
register_shutdown_function
getuid
uname
gethostname

seclist_php_audit.md

Auditing php source code with grep

XSS

grep -Ri "echo" *

grep -Ri "\$_" * | grep "echo"

grep -Ri "\$_GET" * | grep "echo"

grep -Ri "\$_POST" * | grep "echo"

grep -Ri "\$_REQUEST" * | grep "echo"

---

SQL Injection

grep -Ri "$sql" *

grep -RI "mysqli(" *

grep -Ri "pdo(" *

---

File inclusion

grep -Ri "file_include(" *

grep -Ri "file_get_contents(" *

grep -Ri "include(" *

---

Command execution

grep -Ri "shell_exec(" *

grep -RIt "system(" *

grep -Ri "exec(" *