
Revisions

  1. parsibox revised this gist Apr 15, 2020. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions check_for_hack_directadmin_shell
    @@ -70,3 +70,5 @@ find /home/ -name "*".php -type f -print0 | xargs -0 grep "57hom" | awk '{

    find /home/ -name "*".php -type f -print0 | xargs -0 grep "wp_kses_data" | grep "wp_nonce" | grep "null" | grep "_wp_admin_bar_init"| awk '{print $1}'

    find /home/ -name "*".php -type f -print0 | xargs -0 grep "^" | grep "exit" | grep "Array" | awk '{print $1}'
    find /home/ -name "*".php -type f -print0 | xargs -0 grep "return" | grep "strlen" | grep "Array" | grep "isset" | grep "rawurl" | awk '{print $1}'
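Review bot: The trailing `awk '{print $1}'` on L18, L20 and L21 does not produce a filename: grep emits `path:matched-line`, so `$1` is the path fused with the first token of the PHP code, and a path containing a space is cut short. Split on the colon instead and force the prefix so a single-file xargs batch is not printed bare, e.g. `... | xargs -0 grep -H "wp_kses_data" | grep "wp_nonce" | grep "null" | grep "_wp_admin_bar_init" | awk -F: '{print $1}' | sort -u`. On L20 the leading `grep "^"` matches every line and only serves to add the filename prefix, so `grep -H "exit"` says the same thing more clearly. The same `awk '{print $1}'` tail recurs in the next three revisions at L26, L28, L30, L36, L38, L40, L50 and L52.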
  2. parsibox revised this gist Apr 15, 2020. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions check_for_hack_directadmin_shell
    @@ -67,3 +67,6 @@ grep 'create_function|base64_decode' /home -lroE --include=*.php*
    find /home/ -name "*".php -type f -print0 | xargs -0 grep "auth_pass" | grep "base64_decode" | awk '{print $1}'

    find /home/ -name "*".php -type f -print0 | xargs -0 grep "57hom" | awk '{print $1}'

    find /home/ -name "*".php -type f -print0 | xargs -0 grep "wp_kses_data" | grep "wp_nonce" | grep "null" | grep "_wp_admin_bar_init"| awk '{print $1}'

  3. parsibox revised this gist Apr 10, 2020. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions check_for_hack_directadmin_shell
    @@ -65,3 +65,5 @@ grep 'create_function|base64_decode' /home -lroE --include=*.php*
    find /home/ -name "*".php -type f -print0 | xargs -0 grep "SHELL_PASSWORD" | awk '{print $1}'

    find /home/ -name "*".php -type f -print0 | xargs -0 grep "auth_pass" | grep "base64_decode" | awk '{print $1}'

    find /home/ -name "*".php -type f -print0 | xargs -0 grep "57hom" | awk '{print $1}'
  4. parsibox revised this gist Apr 10, 2020. 1 changed file with 4 additions and 1 deletion.
    5 changes: 4 additions & 1 deletion check_for_hack_directadmin_shell
    @@ -61,4 +61,7 @@ grep 'create_function|base64_decode' /home -lroE --include=*.php*
    grep -E 'char|nchar|varchar|nvarchar|alter|begin|cast|create|cursor|declare|delete|drop|end|exec|execute|fetch|insert|kill|open|select|sys|sysobjects|syscolumns|table|update' /var/log/httpd/access_lo*

    grep -R —include="*.php" -rnw '/home/' -e "GLOBALS\[\$GLOBALS"


    find /home/ -name "*".php -type f -print0 | xargs -0 grep "SHELL_PASSWORD" | awk '{print $1}'

    find /home/ -name "*".php -type f -print0 | xargs -0 grep "auth_pass" | grep "base64_decode" | awk '{print $1}'
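Review bot: On L47 the option is spelled with an em dash, `—include="*.php"`, not two hyphens, so grep never sees an `--include` filter: the token is taken as a file operand, reported as missing, and `-R` then scans every file type under `/home/`; the same spelling is on L69 in the Dec 23, 2017 revision. The line should read `grep -rnw --include='*.php' -e "GLOBALS\[\$GLOBALS" /home/`, with the glob quoted so the shell cannot expand it first. Separately, the keyword alternation on L45 has no word boundaries, so ordinary request paths containing `open`, `end`, `table` or `update` match and the output is mostly noise; `grep -Ew` or anchoring the terms would cut that down.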
  5. parsibox revised this gist Apr 9, 2020. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions check_for_hack_directadmin_shell
    @@ -1,3 +1,4 @@
    grep -lr --include=*.php "eval(base64_decode" /home
    find /home -type f -name '*.php' | xargs grep -l "eval *(" --color
    find /home -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
    find /home -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
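Review bot: L58–L60 pipe `find` output into `xargs` without NUL delimiters, so any path under `/home` containing whitespace or a quote is split or rejected by xargs and those files are silently skipped or mis-targeted; the later revisions already use the safe form, so these lines should match it: `find /home -type f -name '*.php' -print0 | xargs -0 grep -l "eval *("`. On L57 `--include=*.php` is unquoted and is expanded by the shell if the working directory holds a matching file, so write `--include='*.php'`. The same unterminated pipeline is on L75–L80 in the initial revision, where L80 additionally double-quotes `"$ptzrw"`: the shell expands the unset variable and grep receives an empty pattern, which matches every file.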
  6. parsibox revised this gist Apr 2, 2020. No changes.
  7. parsibox revised this gist Dec 23, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions check_for_hack_directadmin_shell
    @@ -59,4 +59,5 @@ grep 'create_function|base64_decode' /home -lroE --include=*.php*

    grep -E 'char|nchar|varchar|nvarchar|alter|begin|cast|create|cursor|declare|delete|drop|end|exec|execute|fetch|insert|kill|open|select|sys|sysobjects|syscolumns|table|update' /var/log/httpd/access_lo*

    grep -R —include="*.php" -rnw '/home/' -e "GLOBALS\[\$GLOBALS"

  8. parsibox created this gist Dec 19, 2017.
    62 changes: 62 additions & 0 deletions check_for_hack_directadmin_shell
    @@ -0,0 +1,62 @@
    find /home -type f -name '*.php' | xargs grep -l "eval *(" --color
    find /home -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
    find /home -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
    find /home -type f -name '*.php' | xargs grep -l "outdo" --color
    find /home -type f -name '*.php' | xargs grep -l "eval*_POST" --color
    find /home -type f -name '*.php' | xargs grep -l "$ptzrw" --color

    find /home/*/domains/*/public_html/wp-content/uploads -type f -name '*.php'
    find /home/ -type d -perm 777 -exec find {} -name "*.php" \;


    find wp-admin -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
    find /home -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color
    find /home -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\(" --color
    find /home -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color
    find /home -type f -name '\.htaccess' | xargs grep -i auto_prepend_file;


    find /home -type f -name '\.htaccess' | xargs grep -i auto_append_file;



    awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -r

    awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r

    awk -F\" '($2 ~ "qjhtwaba.php"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r
    awk -F\" '($2 ~ "c0nfig.php"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r

    awk '($9 ~ /404/)' /var/log/httpd/domains/*log | awk -F\" '($2 ~ "^GET .*\.php")' | awk '{print $7}' | sort | uniq -c | sort -r | head -n 20

    awk -F\" '{print $2}' /var/log/httpd/access_log | awk '{print $2}' | sort | uniq -c | sort -r


    cat /var/log/httpd/access_log | grep -E "wp-admin|wp-login|POST /" | awk '{print $1 "\t" $7}'

    grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' /home -lroE --include=*.php*

    grep 'eval\(stripslashes\(\$_REQUEST' /home -lroE --include=*.php*

    grep 'eval\(\$_POST' /home -lroE --include=*.php*
    grep 'shell_exec' /home -lroE --include=*.php*

    grep 'if\(isset\(\$_REQUEST\[\$post_var' /home -lroE --include=*.php*

    grep "eval" /home -lroE --include=*.ico*


    find /home/ -name "*".php -type f -print0 | xargs -0 grep "create_function" | grep "base" | grep "COOKIE" --color
    find /home/ -name "*".php -type f -print0 | xargs -0 grep "exit" | grep "eval" | grep "GLOBALS" --color
    find /home/ -name "*".php -type f -print0 | xargs -0 grep "isset" | grep "eval" | grep "strtoupper" --color

    grep -R -rnw '/var/log/httpd/domains/omranifard.com.log' -e "sqatrhjf.php" | cut -d ":" -f 2 | cut -d " " -f 1

    find /home/ -name "*".php -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
    find /home/ -name "*".php -type f -print0 | xargs -0 grep c99 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq

    grep 'create_function|base64_decode' /home -lroE --include=*.php*

    grep -E 'char|nchar|varchar|nvarchar|alter|begin|cast|create|cursor|declare|delete|drop|end|exec|execute|fetch|insert|kill|open|select|sys|sysobjects|syscolumns|table|update' /var/log/httpd/access_lo*