Find Balada-infected files on your WordPress host
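#!/bin/bash
# Scan a WordPress document root for file signatures associated with the
# Balada injector campaign: ".oti" include stubs, PHP files whose obfuscated
# payload is decoded and evaluated, and the injected JavaScript loader.
# Read-only: every step is a grep or find; nothing is modified or deleted.
# The patterns are heuristics — review each hit by hand, they can also
# match legitimate code.
#
# Usage: scan.sh [DIR]   (DIR defaults to the current directory)
set -uo pipefail
# No `set -e`: grep exits 1 whenever a signature has no hits, which is the
# normal (clean) outcome and must not abort the remaining scans.

root=${1:-.}

#######################################
# Run one signature scan under $root and print the hits.
# Globals:   root (read) - directory to scan
# Arguments: $1  - label printed before the scan
#            $2  - filename glob passed to grep --include
#            $3… - remaining grep options and the pattern
# Outputs:   the label, then grep's file:line:match lines on stdout
# Returns:   0 when grep matched or matched nothing; grep's own exit status
#            (>1, e.g. an unreadable directory) on error
#######################################
scan() {
  local label=$1 glob=$2
  shift 2
  local rc=0
  printf ' %s\n' "$label"
  # -H filename, -n line number, -r recursive, -w whole word, -o matched text only
  grep --include="$glob" -Hnrwo "$@" -- "$root" || rc=$?
  if (( rc > 1 )); then
    printf 'scan failed (grep exit %d): %s\n' "$rc" "$label" >&2
    return "$rc"
  fi
  return 0
}

main() {
  printf '%s %s %s\n' "hello" "${USER:-}" "we're gonna find some infected files"

  printf '%s\n' "=====First: let's find .oti Injections====="
  scan 'looking for @include of .oti files' '*.php' -P '^(@include)+.+(\.ot(i|\\x69|c)\"\);)'
  find "$root" -type f -name '*.oti'

  printf '%s\n' "=====Next: let's find PHP files with obfuscated code being evaluated====="
  scan 'looking for the cookie/post files' '*.php' -P '(\$_COOKIE(,|;))+.+(\$_POST)'
  # NOTE(review): the class "[0-1]" in this signature looks like it may have
  # been meant as "[0-9]"; kept exactly as written in the original.
  scan 'looking for the die() files' '*.php' -P "(die+)(?:.[^'\"\$\s_a-z0-1]+)(\);)"
  scan 'looking for the print_r files' '*.php' -P '(print_r)+.+(\([0-9]{5}\+[0-9]{5}\))'
  scan 'look for the stuff with that md5 at the end' '*.php' -P "(substr\(md5\(time\(\))+.+(substr)+.+strlen+.+print"
  scan 'look for the .chr stuff' '*.php' -P "((\.chr\(\d{3}-\d{3}?))+.+((\.chr\(\d{3}-\d{3}?))"
  scan 'look for a bunch of arrays ' '*.php' -P "(((Array\(\d)+(.|\n|\t)+(Array\(\d)){1})+"

  printf '%s\n' "=====Now: let's find infected JavaScript====="
  # egrep is deprecated; grep -E is the same engine
  scan 'looking for the injected loader' '*.js' -E '^(var\sf=String)'

  printf '%s\n' "all finished"
  printf '%(%Y-%m-%d %H:%M:%S)T\n' -1
}

main "$@"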