We host 1000 domains on multiple servers. We have problems with a huge amount of malware and PHP shells. Using many scanners did not reduce them; perhaps we got 10/20 uncertain results from these scanners,
so I created my own little bash file to find these scripts. This weekend it discovered 148 PHP shells (they are not good at creating .SH files).
My question is: grep is terribly slow, it will run for several days. How can I make this script more efficient?
#!/bin/bash
# Signatures to look for. Entries containing a literal "$" are single-quoted
# (or have the "$" escaped) so bash does not expand them as variables before
# they reach grep.
array=(
  "base64_decode("
  "substr(md5(strrev("
  "cwd = @getcwd();"
  "chr((ord("
  "gzinflate(base64_decode("
  "php_uname()"
  "] = chr(ord("
  'cwd[strlen($cwd)'
  "ini_get('safe_mode');"
  '="\x62"'
  '"+ r + "&r=" + document.referrer;"'
  'if(strtoupper(substr(PHP_OS, 0, 3) ) == "WIN")'
  'window.top.location.href="http://'
  '@ini_get("disable_functions")'
  "\$g3='';\$g3.=\$r;\$g3.=\$h;\$g3.=\$y"
  "hacked"
)

for value in "${array[@]}"; do
  # Pass the signature as a printf argument, not as the format string,
  # so sequences such as \x62 are printed literally.
  printf '\n[%s] [start => %s]\n' "$value" "$(date +%T)"
  # One full recursive pass over /home per signature.
  grep -l -inr "$value" "/home/"
  printf '\n[end => %s]\n' "$(date +%T)"
done
FINAL RESULT
#!/bin/bash
LC_ALL=C grep -F -n -r -f /root/scanner/pattern.txt "/home/"
pattern.txt
eval($___($__));
eval(stripslashes(@$_POST[
eval(stripslashes(array_pop(
eval(base64_decode(
eval(gzinflate(str_rot13(base64_decode(
gzinflate(base64_decode(
Array(base64_decode(
sha1(base64_decode(
print(base64_decode(
wsoScandir($dir)
substr(current(array_keys(
cwd = @getcwd();
$OOO000000=urldecode(
$l___l_='base'.(32*2)
substr(md5(strrev(
cwd[strlen($cwd)
="\x62
+ r + "&r=" + document.referrer;
if(strtoupper(substr(PHP_OS, 0, 3) ) == "WIN")
){if(@copy(
copy("endless.html
system("wget
symlink("/","sym/root");
@copy($_FILES['file']['tmp_name']
error_reporting(0);if(
\x6C\x28\x67\x7A\x69
"/.*/e","\x28\x65\x76\x61
preg_replace("/.*/e",
Windows-1251";preg_replace(
); exit(); } if(isset(
system("$cmd"); die;}
rtrim($security_code, "/");
security linux php shell grep
Sinisterglitch
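The speed-up in the FINAL RESULT comes from three things: `LC_ALL=C` (byte-wise matching instead of locale-aware multibyte matching), `-F` (the signatures are literal strings, so grep builds one fast matcher rather than compiling each entry as a regex), and `-f` (all signatures loaded at once, so the tree is walked once instead of once per signature as in the first script). The following is an added example, not the poster's script, that wraps that approach in a function, limits the walk to PHP-like files with `--include`, and runs it against a constructed demo tree so it can be tried offline. It assumes GNU grep (for `-r`, `-F`, `-f`, `-l`, `--include`), `mktemp`, and a POSIX shell; the file names, directory layout and sample contents are made up for the demo.

```shell
#!/bin/sh
# Added example: single-pass, fixed-string signature scan of PHP files.
# Assumes GNU grep and mktemp. Paths and sample files below are constructed.

# scan_for_shells PATTERN_FILE ROOT
# Prints one matching path per line. Exit status: 0 if anything matched, 1 if not.
scan_for_shells() {
    patterns="$1"
    root="$2"
    # LC_ALL=C : byte-wise matching, no multibyte locale overhead
    # -F       : signatures are literal strings ("(" and "$" need no escaping)
    # -f       : load every signature once; grep walks the tree a single time
    # -l       : stop reading a file at its first hit, print only the path
    # --include: restrict the recursive walk to PHP-like files
    LC_ALL=C grep -r -F -l -f "$patterns" \
        --include='*.php' --include='*.phtml' --include='*.php5' --include='*.inc' \
        -- "$root"
}

# count_hits PATTERN_FILE ROOT
# Prints the number of flagged files (0 when nothing matched).
count_hits() {
    scan_for_shells "$1" "$2" | wc -l | tr -d ' '
}

# make_demo
# Builds a constructed directory tree and pattern file; prints its path.
make_demo() {
    d="$(mktemp -d)"
    mkdir -p "$d/site/uploads" "$d/site/lib"
    # Pattern file: a few signatures from the question, one per line.
    printf '%s\n' 'eval(base64_decode(' 'gzinflate(base64_decode(' \
        'cwd = @getcwd();' 'substr(md5(strrev(' > "$d/patterns.txt"
    # Suspicious file: carries a signature inside a string literal (constructed sample).
    printf '<?php\n$sig = "eval(base64_decode("; // constructed sample\n' \
        > "$d/site/uploads/image.php"
    # Clean file: ordinary code, no signature.
    printf '<?php\nfunction hello() { return "hi"; }\n' > "$d/site/lib/hello.php"
    # Non-PHP file carrying a signature: skipped by --include, so not flagged.
    printf 'eval(base64_decode(\n' > "$d/site/uploads/notes.txt"
    echo "$d"
}

# Stand-alone demo run
demo="$(make_demo)"
echo "Scanning $demo/site"
scan_for_shells "$demo/patterns.txt" "$demo/site"
echo "flagged files: $(count_hits "$demo/patterns.txt" "$demo/site")"
rm -rf "$demo"
```

On a real tree, replace the demo root with the document root (`/home/` in the question) and the pattern file with `pattern.txt`; `--include` is the main extra saving over the FINAL RESULT, since it skips images, uploads and other non-code files that a `-r` over `/home/` would otherwise read in full. The signature list is only a first filter: every flagged file still needs a manual look, since legitimate libraries also call `base64_decode` and `gzinflate`.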