parsibox · January 5, 2024 13:57 · parsibox · Jun 14, 2020
diff --git a/check_for_hack_directadmin_shell b/check_for_hack_directadmin_shell
 grep -lr --include=*.php "eval(base64_decode" /home
 find /home -type f -name '*.php' | xargs grep -l "eval *(" --color
 find /home -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
 find /home -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
 find /home -type f -name '*.php' | xargs grep -l "outdo" --color
 find /home -type f -name '*.php' | xargs grep -l "eval*_POST" --color
 find /home -type f -name '*.php' | xargs grep -l "$ptzrw" --color

 find /home/*/domains/*/public_html/wp-content/uploads -type f -name '*.php'
 find /home/ -type d -perm 777 -exec find {} -name "*.php" \; 


 find wp-admin -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
 find /home -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color
 find /home -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\(" --color
 find /home -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color
 find /home -type f -name '\.htaccess' | xargs grep -i auto_prepend_file;
 
 
 find /home -type f -name '\.htaccess' | xargs grep -i auto_append_file;



 awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -r

 awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r

 awk -F\" '($2 ~ "qjhtwaba.php"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r
 awk -F\" '($2 ~ "c0nfig.php"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r

 awk '($9 ~ /404/)' /var/log/httpd/domains/*log | awk -F\" '($2 ~ "^GET .*\.php")' | awk '{print $7}' | sort | uniq -c | sort -r | head -n 20

 awk -F\" '{print $2}'  /var/log/httpd/access_log  | awk '{print $2}' | sort | uniq -c | sort -r


 cat /var/log/httpd/access_log | grep -E "wp-admin|wp-login|POST /"  | awk '{print $1 "\t" $7}'

 grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' /home -lroE --include=*.php*

 grep 'eval\(stripslashes\(\$_REQUEST' /home -lroE --include=*.php*

 grep 'eval\(\$_POST' /home -lroE --include=*.php*
 grep 'shell_exec' /home -lroE --include=*.php*

 grep 'if\(isset\(\$_REQUEST\[\$post_var' /home -lroE --include=*.php*

  grep "eval" /home -lroE --include=*.ico*
  
  
  find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "create_function" | grep "base" | grep "COOKIE" --color
  find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "exit" | grep "eval" | grep "GLOBALS" --color
  find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "isset" | grep "eval" | grep "strtoupper" --color
  
 grep -R -rnw '/var/log/httpd/domains/omranifard.com.log' -e "sqatrhjf.php"  | cut -d ":" -f 2 | cut -d " " -f 1

 find /home/ -name "*".php  -type f -print0  | xargs -0 grep r57 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq
 find  /home/   -name "*".php  -type f -print0  | xargs -0 grep c99 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

 grep 'create_function|base64_decode' /home -lroE --include=*.php*

 grep -E 'char|nchar|varchar|nvarchar|alter|begin|cast|create|cursor|declare|delete|drop|end|exec|execute|fetch|insert|kill|open|select|sys|sysobjects|syscolumns|table|update'  /var/log/httpd/access_lo*

 grep -R —include="*.php" -rnw '/home/' -e "GLOBALS\[\$GLOBALS"
 
 find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "SHELL_PASSWORD" |  awk '{print  $1}'
 
 find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "auth_pass" | grep "base64_decode" |  awk '{print  $1}'

 find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "57hom" |  awk '{print  $1}'

 find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "wp_kses_data"  | grep "wp_nonce" | grep "null" | grep "_wp_admin_bar_init"|  awk '{print  $1}'

    find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "^" | grep "exit" | grep "Array" |  awk '{print  $1}'
    find  /home/   -name "*".php  -type f -print0  | xargs -0 grep "return" | grep "strlen" | grep "Array" | grep "isset" | grep "rawurl" |  awk '{print  $1}'
	grep -lr --include=*.php "eval(base64_decode" /home
	find /home -type f -name '.php' \| xargs grep -l "eval (" --color
	find /home -type f -name '.php' \| xargs grep -l "base64_decode (" --color
	find /home -type f -name '.php' \| xargs grep -l "gzinflate (" --color
	find /home -type f -name '*.php' \| xargs grep -l "outdo" --color
	find /home -type f -name '.php' \| xargs grep -l "eval_POST" --color
	find /home -type f -name '*.php' \| xargs grep -l "$ptzrw" --color

	find /home//domains//public_html/wp-content/uploads -type f -name '*.php'
	find /home/ -type d -perm 777 -exec find {} -name "*.php" \;


	find wp-admin -type f -name '.php' \| xargs grep -l "gzinflate (" --color
	find /home -type f -name '.php' \| xargs grep -l "eval (str_rot13 (base64_decode (" --color
	find /home -type f -name '.php' \| xargs egrep -i "(mail\|fsockopen\|pfsockopen\|stream_socket_client\|exec\|system\|passthru\|eval\|base64_decode) \(" --color
	find /home -type f -name '.php' \| xargs egrep -i "preg_replace \((['\|\"])(.).\2[a-z]e[^\1]\1 ," --color
	find /home -type f -name '\.htaccess' \| xargs grep -i auto_prepend_file;


	find /home -type f -name '\.htaccess' \| xargs grep -i auto_append_file;



	awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/access_log \| awk '{print $1}' \| sort \| uniq -c \| sort -r

	awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/domains/*log \| awk '{print $1}' \| sort \| uniq -c \| sort -r

	awk -F\" '($2 ~ "qjhtwaba.php"){print $1}' /var/log/httpd/domains/*log \| awk '{print $1}' \| sort \| uniq -c \| sort -r
	awk -F\" '($2 ~ "c0nfig.php"){print $1}' /var/log/httpd/domains/*log \| awk '{print $1}' \| sort \| uniq -c \| sort -r

	awk '($9 ~ /404/)' /var/log/httpd/domains/log \| awk -F\" '($2 ~ "^GET .\.php")' \| awk '{print $7}' \| sort \| uniq -c \| sort -r \| head -n 20

	awk -F\" '{print $2}' /var/log/httpd/access_log \| awk '{print $2}' \| sort \| uniq -c \| sort -r


	cat /var/log/httpd/access_log \| grep -E "wp-admin\|wp-login\|POST /" \| awk '{print $1 "\t" $7}'

	grep '((eval.(base64_decode\|gzinflate\|\$_))\|\$[0O]{4,}\|FilesMan\|JGF1dGhfc\|IIIl\|die\(PHP_OS\|posix_getpwuid\|Array\(base64_decode\|document\.write\("\\u00\|sh(3(ll\|11)))' /home -lroE --include=.php*

	grep 'eval\(stripslashes\(\$_REQUEST' /home -lroE --include=.php

	grep 'eval\(\$_POST' /home -lroE --include=.php
	grep 'shell_exec' /home -lroE --include=.php

	grep 'if\(isset\(\$_REQUEST\[\$post_var' /home -lroE --include=.php

	grep "eval" /home -lroE --include=.ico


	find /home/ -name "*".php -type f -print0 \| xargs -0 grep "create_function" \| grep "base" \| grep "COOKIE" --color
	find /home/ -name "*".php -type f -print0 \| xargs -0 grep "exit" \| grep "eval" \| grep "GLOBALS" --color
	find /home/ -name "*".php -type f -print0 \| xargs -0 grep "isset" \| grep "eval" \| grep "strtoupper" --color

	grep -R -rnw '/var/log/httpd/domains/omranifard.com.log' -e "sqatrhjf.php" \| cut -d ":" -f 2 \| cut -d " " -f 1

	find /home/ -name "*".php -type f -print0 \| xargs -0 grep r57 \| uniq -c \| sort -u \| cut -d":" -f1 \| awk '{print "rm -rf " $2}' \| uniq
	find /home/ -name "*".php -type f -print0 \| xargs -0 grep c99 \| uniq -c \| sort -u \| cut -d":" -f1 \| awk '{print "rm -rf " $2}' \| uniq

	grep 'create_function\|base64_decode' /home -lroE --include=.php

	grep -E 'char\|nchar\|varchar\|nvarchar\|alter\|begin\|cast\|create\|cursor\|declare\|delete\|drop\|end\|exec\|execute\|fetch\|insert\|kill\|open\|select\|sys\|sysobjects\|syscolumns\|table\|update' /var/log/httpd/access_lo*

	grep -R —include="*.php" -rnw '/home/' -e "GLOBALS\[\$GLOBALS"

	find /home/ -name "*".php -type f -print0 \| xargs -0 grep "SHELL_PASSWORD" \| awk '{print $1}'

	find /home/ -name "*".php -type f -print0 \| xargs -0 grep "auth_pass" \| grep "base64_decode" \| awk '{print $1}'

	find /home/ -name "*".php -type f -print0 \| xargs -0 grep "57hom" \| awk '{print $1}'

	find /home/ -name "*".php -type f -print0 \| xargs -0 grep "wp_kses_data" \| grep "wp_nonce" \| grep "null" \| grep "_wp_admin_bar_init"\| awk '{print $1}'

	find /home/ -name "*".php -type f -print0 \| xargs -0 grep "^" \| grep "exit" \| grep "Array" \| awk '{print $1}'
	find /home/ -name "*".php -type f -print0 \| xargs -0 grep "return" \| grep "strlen" \| grep "Array" \| grep "isset" \| grep "rawurl" \| awk '{print $1}'