Find PHP exploits


How to grep for possible PHP exploits in Plesk:
grep '((eval.*(base64_decode|gzinflate))|\$[0O]{4,}|(\\x[0-9a-fA-F]{2}){8,}|FilesMan|JGF1dGhfc|document\.write\("\\u00|sh(3(ll|11)))' /var/www/vhosts/*/httpdocs/ -rnoE --include='*.php*' >> /tmp/possible_bad_files

grep '((eval.*(base64_decode|gzinflate))|\$[0O]{4,}|(\\x[0-9a-fA-F]{2}){8,}|FilesMan|JGF1dGhfc|document\.write\("\\u00|sh(3(ll|11)))' /var/www/vhosts/*/subdomains/*/httpdocs/ -rnoE --include='*.php*' >> /tmp/possible_bad_files

Then go through /tmp/possible_bad_files to see whether anything is really bad. Each line has the form file:line:matched text, so the same file can appear several times.

TODO: expand this to search for preg_replace with /e modifiers
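An added example, not from the original post: the same patterns kept one per line and wrapped in a function that ranks files by number of matching lines, so review can start with the most suspicious files. The last pattern is an assumed way to cover the preg_replace /e case from the TODO; the names write_patterns and scan_php are hypothetical, and GNU grep is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Needs GNU grep (-r, --include).

# One ERE per line; grep -f treats the lines as alternatives. The first six
# lines are the post's alternation split up. The last line is an assumed
# pattern (not the author's) for preg_replace() whose first argument ends in
# a delimiter followed by modifiers that include "e".
write_patterns() {
    cat <<'EOF'
eval.*(base64_decode|gzinflate)
\$[0O]{4,}
(\\x[0-9a-fA-F]{2}){8,}
FilesMan|JGF1dGhfc
document\.write\("\\u00
sh(3(ll|11))
preg_replace[[:space:]]*\([[:space:]]*["'][^"']*[^[:alnum:][:space:]][a-zA-Z]*e[a-zA-Z]*["']
EOF
}

# scan_php DIR...
# Prints "<matching lines><TAB><file>" for each *.php* file with at least one
# hit, busiest file first. grep errors (unreadable or missing paths) are left
# visible on stderr because an unreadable file is an unscanned file.
scan_php() {
    [ "$#" -gt 0 ] || { echo "usage: scan_php DIR..." >&2; return 2; }
    write_patterns |
        grep -rcHE -f - --include='*.php*' -- "$@" |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' |
        sort -rn
}

# Typical call for the Plesk layout used in the post:
#   scan_php /var/www/vhosts/*/httpdocs/ /var/www/vhosts/*/subdomains/*/httpdocs/
```

A hit only marks a file for manual review; legitimate code can match these patterns as well.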
