UNAME : Linux web63.extendcp.co.uk 4.18.0-553.56.1.el8_10.x86_64 #1 SMP Tue Jun 10 05:00:59 EDT 2025 x86_64
SERVER IP : 10.0.187.63 -________- CLIENT IP : 216.73.216.59
PATH :/home/sites/blackstoneaccountants.co.uk/
Current File : /home/sites/blackstoneaccountants.co.uk/.bash_history
# First recorded session: list the account's home directory and the web root,
# print the site's index page, then log out.
ls -la
ls -la public_html/
cat -- public_html/index.html
exit
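# Compromise-triage sweep over the current directory; every finding is appended to ./report.txt.
# Hits are leads for manual review, not verdicts: eval/base64_decode/exec also occur in
# legitimate code, and obfuscated payloads can slip past literal patterns.
# Keep report.txt outside any web-served directory, since it lists the paths under suspicion.
# Lines copied into the report come from untrusted files; read it with `cat -v` or a pager
# rather than a raw `cat`, so embedded control sequences are not interpreted by the terminal.
#
# NOTE(review): as recorded, this command had lost its variables ("[[ q =~ ... ]]", "-mtime -"),
# so the time-window section could never run. `days` is a name chosen for this reconstruction;
# set it beforehand (for example days=7) to enable the section, leave it unset to skip it.
if [[ "${days:-}" =~ ^[0-9]+$ ]]; then
  echo -e "\n\n\033[1;32m === Files modified in the last ${days} days ===\033[0m\n" >> report.txt
  # mtime can be reset by whoever wrote the file (touch), so an empty result proves nothing.
  find . -type f -mtime "-${days}" -ls >> report.txt
  echo -e "\n\n\033[1;32m === Files created in the last ${days} days ===\033[0m\n" >> report.txt
  # -ctime is the inode-change time (write, chmod, rename), not a creation time.
  find . -type f -ctime "-${days}" -ls >> report.txt
  echo -e "\n\n\033[1;32m === Php files modified in the last ${days} days ===\033[0m\n" >> report.txt
  find . -type f -name '*.php' -mtime "-${days}" -ls >> report.txt
fi

echo -e "\n\n\033[1;32m === Php files containing suspicious code, base64 etc. ===\033[0m\n" >> report.txt
# find -exec ... {} + hands the names to grep directly, so paths containing spaces or
# newlines are not split or skipped the way they are in an unquoted find | xargs pipe.
find . -type f -name '*.php' -exec grep -l -- 'eval *(' {} + >> report.txt
# Was "base64 _decode *(": the stray space meant the pattern could never match the function name.
find . -type f -name '*.php' -exec grep -l -- 'base64_decode *(' {} + >> report.txt
find . -type f -name '*.php' -exec grep -l -- '64_decode' {} + >> report.txt
find . -type f -name '*.php' -exec grep -l -- 'gzinflate *(' {} + >> report.txt

echo -e "\n\n\033[1;32m === Perform expanded search for possible malicious functions ===\033[0m\n" >> report.txt
# Was " *\)": that required a closing parenthesis right after the name, so ordinary calls
# such as system($cmd) were missed. -H keeps the file name even when only one file is scanned.
find . -type f -name '*.php' -exec grep -EiH -- '(fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\(' {} + >> report.txt

echo -e "\n\n\033[1;32m === Examples of preg_replace ===\033[0m\n " >> report.txt
# Looks for preg_replace patterns carrying the "e" modifier, which makes PHP evaluate the
# replacement as code. Pattern kept as recorded; note that inside a bracket expression
# "[^\1]" is the literal characters "\" and "1", not a backreference.
find . -type f -name '*.php' -exec grep -EiH -- "preg_replace *\((['\"])(.).*\2[a-z]*e[^\1]*\1 *," {} + >> report.txt

echo -e "\n\n\033[1;32m === .htaccess auto_append and prepend searches ===\033[0m\n" >> report.txt
# The recorded lines ended in "; >> report.txt": the semicolon detached the redirection,
# so these results went to the terminal and never reached the report.
find . -type f -name '.htaccess' -exec grep -iH -- auto_prepend_file {} + >> report.txt
find . -type f -name '.htaccess' -exec grep -iH -- auto_append_file {} + >> report.txt

echo -e "\n\n\033[1;32m === Search .htaccess for malicious redirects. ===\033[0m\n" >> report.txt
find . -type f -name '.htaccess' -exec grep -iH -- http {} + >> report.txt

echo -e "\n\n\033[1;32m === Generally Suspicous files. ===\033[0m" >> report.txt
# The four checks below originally printed to the terminal, leaving this section of the
# report empty; they now append to the report like the rest.
# PHP files have no business in an uploads directory.
find ./public_html/wp-content/uploads -type f -name '*.php' >> report.txt
# Image files that contain the string "php" (possible code hidden behind an image extension).
find . -type f -iname '*.jpg' -exec grep -il -- php {} + >> report.txt
# "grep -R eval *" skipped dotfiles and treated names starting with "-" as options;
# scanning "." avoids both, and the report itself is excluded from its own search.
grep -R --exclude=report.txt -- eval . >> report.txt
# NOTE(review): "uploads" is relative to the current directory and may not exist here.
find uploads -name '*.php' -print >> report.txt

echo -e "\n\n\033[0m === End of report ===\033[0m\n\n" >> report.txt
exit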
# Third recorded session: print the sweep's report to the terminal, delete it, log out.
cat -- report.txt
rm -- report.txt
exit
# One-line scanner over public_html, in two passes whose output is joined and post-processed.
# $opt is not assigned anywhere in the visible history, so the first message prints it empty
# unless an unseen menu or wrapper set it.
# Pass 1 (egrep -Zlr): lists files matching eval() fed from request superglobals, eval of
#   base64/gz-decoded data, the hex-escaped spelling of "eval(gzinflate(base64_decode(",
#   calls made through $GLOBALS[...] indirection, and one fixed literal string.
#   -Z ends each file name with NUL for "xargs -r0"; "ls -clrt" sorts by ctime, newest last.
# Pass 2 (grep -D skip -PZlr): PCRE heuristics for weaker indicators, including strrev()
#   applied to the reversed spellings of base64_decode and preg_replace.
# The final sed strips the permission/link/owner/group/size columns from the ls output.
# NOTE(review): "base...32.2..._de...code" looks like text lost in capture; as written the
#   dots match any character, so this alternative is loose. Restore it from the original tool.
# NOTE(review): the patterns test $_COOKIES, but the PHP superglobal is $_COOKIE, so that
#   alternative will not match real cookie access.
# NOTE(review): "xargs -d\\n -r0" sets two delimiters; presumably the later -0 wins. Confirm.
# NOTE(review): the sed address only matches a 10-character [-rwx] mode field; a trailing "."
#   or "+" on the mode (SELinux context, ACL) would leave the line unstripped. Verify on host.
# The "99% chance" wording is the one-liner's own claim; treat every hit as needing review.
echo "You've elected to '$opt'"; echo "Searching for compromised files... Below files have a 99% chance of being compromised:"; echo;((egrep -Zlr 'eval\(@?((base64_decode|stripslashes)\()?(@?\$_(POST|REQUEST|COOKIES)\[|array_pop\(@?\$_(POST|REQUEST|COOKIES))|base...32.2..._de...code|eval\(@?(base64_decode\(@?)?gz(inflate|uncompress)\(@?base64_decode\(|\\x65\\x76\\x61\\x6C(\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65)?\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65\\x28|@?\$GLOBALS\[[^]]*\]\(@?\$GLOBALS\[[^]]*\]|eval/\*([^]|[^/])*\*/\(|\${"(G|\\x47)(L|\\x4c)(O|\\x4f)(B|\\x42)(A|\\x41)(L|\\x4c)(S|\\x53)"}|="PCT4BA6ODSE_"' public_html/|xargs -r0 ls -clrt; echo "Searching for suspicious files... Below files probably aren't compromised but worth checking:"; grep -D skip -PZlr '\$[^=;(]+\( "/([^/]+)/i?e" *,[^;]*\1|gz(inflate|uncompress)\(@?base64_decode\((@?str_replace\(|\$)|(^|\W)eval\((\$?[a-zA-Z0-9]+\(|\$\{\$\w+\}\[)|(\$\w+\[[^]]+\]\.){10}|fopen\(\$testfile, *"w"\)|\$(GLOBALS|_(POST|REQUEST))\[[^]]*\] *== *["'"'"']([Dd][Dd][Oo][Ss]|attack)|preg_replace\( *["'"'"']/[^/]+/i?e. *, *["'"'"']((.=.\.)?(sprintf|strto(upper|lower))\(.*)*+.|s\W*t\W*r\W*r\W*e\W*v\W*(e\W*d\W*o\W*c\W*e\W*d\W*_\W*4\W*6\W*e\W*s\W*a\W*b|e\W*c\W*a\W*l\W*p\W*e\W*r\W*_\W*g\W*e\W*r\W*p)' public_html|xargs -d\\n -r0 ls -clrt)|sed 's/^[-rwx]\{10\} \+[0-9]\+ \+\([^ ]\+ \+\)\{2\}[0-9]\+ \+//');
exit