This is a bash script that checks PHP files (php, phtml) for potential malware. It is by no means perfect and will probably produce a lot of false positives, but it will give you a general idea of what is happening in your code.
Basically, the script checks a folder for php/phtml files that use the following statements: calls to eval; mysql_query, include, echo or print_r applied directly to a request parameter ($_...); and references to REMOTE_ADDR.
Usage:
./scan.sh /path/to/folder /path/to/outputFile
Save the following code as scan.sh and chmod +x scan.sh
```bash
#!/bin/bash

# Base names of files to skip, e.g. doNotCheck=("example.php").
# Arrays cannot be exported, so this is a plain script variable.
doNotCheck=()

function checkFile {
    local filename="${1##*/}" skip matchPart
    for skip in "${doNotCheck[@]}"; do
        if [[ "${filename}" == "${skip}" ]]; then
            echo "file ${filename} was excluded from the check"
            return
        fi
    done

    # Patterns are single-quoted so the shell does not expand $_, and both
    # greps use -iF so the logged lines are the ones that triggered the check.
    # Only the first check that matches is logged for each file.
    if grep -iFq 'eval(' "$1"; then
        matchPart=$(grep -sinF 'eval(' "$1")
        logFile "$1" "$2" 'Found eval usage' "${matchPart}"
    elif grep -iFq 'mysql_query($_' "$1"; then
        matchPart=$(grep -sinF 'mysql_query($_' "$1")
        logFile "$1" "$2" 'Found mysql_query with request param' "${matchPart}"
    elif grep -iFq 'include($_' "$1"; then
        matchPart=$(grep -sinF 'include($_' "$1")
        logFile "$1" "$2" 'Found remote file include' "${matchPart}"
    elif grep -iFq 'echo($_' "$1"; then
        matchPart=$(grep -sinF 'echo($_' "$1")
        logFile "$1" "$2" 'Found echo of request param' "${matchPart}"
    elif grep -iFq 'print_r($_' "$1"; then
        matchPart=$(grep -sinF 'print_r($_' "$1")
        logFile "$1" "$2" 'Found print_r of request param' "${matchPart}"
    elif grep -iFq 'REMOTE_ADDR' "$1"; then
        matchPart=$(grep -sinF 'REMOTE_ADDR' "$1")
        logFile "$1" "$2" 'Found IP check' "${matchPart}"
    fi
}

function logFile {
    echo "${3} - ${1} - Line: ${4}" >> "$2"
}

# Quote every path so file names containing spaces survive.
find "$1" -type f \( -iname '*.php*' -o -iname '*.phtml' \) -print0 |
    while IFS= read -r -d '' f; do
        checkFile "$f" "$2"
    done
```
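The script above logs only the first check that matches in each file, and its fixed strings do not match spellings such as `eval (` or `include $_GET[...]`. The following is an added example, not the author's code: a rule table that reports every match per file and tolerates whitespace and missing parentheses. The regexes, the function names `rules`, `scan_file` and `demo`, and the sample file are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not the original scan.sh. The regexes are assumptions that
# loosen the page's six fixed strings; the labels are taken from its script.

# One "label|extended regex" rule per line. [[:space:]]* and the optional \(
# also catch forms such as "eval (" or "include $_GET[...]".
rules() {
cat <<'EOF'
Found eval usage|eval[[:space:]]*\(
Found mysql_query with request param|mysql_query[[:space:]]*\([[:space:]]*\$_
Found remote file include|include(_once)?[[:space:]]*\(?[[:space:]]*\$_
Found echo of request param|echo[[:space:]]*\(?[[:space:]]*\$_
Found print_r of request param|print_r[[:space:]]*\([[:space:]]*\$_
Found IP check|REMOTE_ADDR
EOF
}

# Print "<label> - <file> - Line: <n>:<text>" for every rule that matches,
# rather than stopping at the first rule that hits.
scan_file() {
    rules | while IFS='|' read -r label regex; do
        grep -inE -- "$regex" "$1" 2>/dev/null | while IFS= read -r hit; do
            printf '%s - %s - Line: %s\n' "$label" "$1" "$hit"
        done
    done
}

# Constructed sample file; the original else-if chain logs only the
# REMOTE_ADDR hit for it, because none of the other fixed strings match.
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
<?php
$a = eval ($code);
include $_GET['page'];
echo $_SERVER['REMOTE_ADDR'];
EOF
    scan_file "$sample"
    rm -f "$sample"
}

demo
```

Looser patterns raise the false-positive rate further, so treat each record as a line to review by hand rather than as a verdict.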