@taidos
Forked from jasperf/searchanddestroy.sh
Last active February 1, 2022 19:54
Hacked Search and Destroy Bash commands #security #unix
#Search for eval(base64_decode)
#https://www.itoctopus.com/a-couple-of-shell-commands-to-find-hacked-php-files-on-a-joomla-website
#https://iamsto.wordpress.com/2018/10/30/hacked-find-evil-code-in-php-files-find-stealrat-find-hacked-php-files/
find . -name \*.php -exec grep -l "eval(base64_decode" {} \;
#-F matches the string literally; -print0 / -0 keeps file names with spaces intact
find . -type f -print0 | xargs -0 grep -HF 'die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321'
find . -type f -name '*.php' -print0 | xargs -0 grep -Hi x29
#Long unbroken runs of base64-looking characters
find . -type f -name '*.php' -print0 | xargs -0 grep -HE '[0-9a-zA-Z/]{80}'
grep -r --include='*.php' -e '[[:alnum:]]\{63,\}' .
grep -r --include='*.php' -e '[[:alnum:]/+]\{137,\}' .
#Look for world writable directories (use -type f for files)
find . -type d -perm -o=w
#last logins + ip addresses from where the user logged in
last -i | grep youruser
last -if /var/log/wtmp.1 | grep youruser
#Search for string in files recursively and print them with filename
grep -H -r "redeem reward" /home/tom
grep -H -r "preg_replace" /Users/your/folder/site
#Look for strings; -i makes the match case insensitive
grep -ir "redeem reward" /home/folder
#Look for files with modification timestamps that occurred since you last modified your site or around the time the
#hack took place. A useful command for doing this is:
#-mtime -3 = modified within the last three days
find /home/yourusername/www.yourwebsite.com/ ! -name "log" -mtime -3
find /opt/local/apache2/logs
#search for preg_replace, Windows-1251, Love you, evilc0ders or FilesMan
#Search for scripts being loaded
grep -ir "script src" /Users/jasper/Webdesign/DHD/christchurchkilkeel.org/
#Check for search engine related redirect hack
wget --referer=http://google.com "http://www.example.com/"
#curl flags: -q = do not read the curlrc config file (only honoured as the first argument), -s = silent
curl -q -s http://www.lilypophilypop.com/g_load.php
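
The content searches above, combined into one pass that labels each matching PHP file, as an added example that is not part of the gist. The function names and output labels are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not part of the gist. Function names and output labels are
# assumptions; the patterns are the ones the gist greps for.

# Print "<file>: <labels>" for every *.php file under $1 that matches at
# least one indicator. find -exec ... {} + hands file names over as arguments,
# so names with spaces or newlines survive (unlike `find | xargs grep`).
scan_php_indicators() {
    find "${1:-.}" -type f -name '*.php' -exec sh -c '
        for f do
            hits=""
            # literal call chain used to hide injected code
            grep -qF "eval(base64_decode" -- "$f" && hits="$hits eval_base64"
            # unbroken run of 137+ base64-alphabet characters
            grep -qE "[[:alnum:]/+]{137,}" -- "$f" && hits="$hits long_base64"
            # marker strings the gist lists, matched case-insensitively
            grep -qiE "FilesMan|evilc0ders" -- "$f" && hits="$hits shell_marker"
            if [ -n "$hits" ]; then printf "%s:%s\n" "$f" "$hits"; fi
        done' sh {} +
}

# Constructed sample tree (inert content) so the scan can be tried offline.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/up loads" "$d/theme"
    blob=$(awk 'BEGIN { for (i = 0; i < 160; i++) printf "A" }')
    printf '<?php echo "hello"; ?>\n' > "$d/index.php"
    printf '<?php eval(base64_decode("%s")); ?>\n' "$blob" > "$d/up loads/img cache.php"
    printf '<?php $title = "filesman"; ?>\n' > "$d/theme/footer.php"
    printf 'eval(base64_decode( in a note, not PHP\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree) && scan_php_indicators "$demo"
rm -rf "$demo"
```

A file that carries several labels at once is a stronger lead than a single long alphanumeric run, which minified assets and embedded images also produce.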