Find PHP exploits

How to grep for possible PHP exploits in Plesk

grep '((eval.*(base64_decode|gzinflate))|\$[0O]{4,}|(\\x[0-9a-fA-F]{2}){8,}|FilesMan|JGF1dGhfc|document\.write\("\\u00|sh(3(ll|11)))' /var/www/vhosts/*/httpdocs/ -rnoE --include='*.php*' >> /tmp/possible_bad_files

grep '((eval.*(base64_decode|gzinflate))|\$[0O]{4,}|(\\x[0-9a-fA-F]{2}){8,}|FilesMan|JGF1dGhfc|document\.write\("\\u00|sh(3(ll|11)))' /var/www/vhosts/*/subdomains/*/httpdocs/ -rnoE --include='*.php*' >> /tmp/possible_bad_files

Then go through /tmp/possible_bad_files (one file:line:match entry per hit) to see if anything is really bad.

Todo: expand this to search for preg_replace with /e modifiers
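
An added example, not from the original post: the same scan as a small script that also covers the preg_replace /e todo and ranks files by number of hits, so the review can start with the worst ones. PREG_E_RE, the function names and the sample files are assumptions made for this example; the /e pattern is a heuristic and will miss patterns built from variables.

```shell
#!/bin/sh
# Added example, not from the original post.
# PAGE_RE is the post's pattern with its escapes restored.
PAGE_RE='((eval.*(base64_decode|gzinflate))|\$[0O]{4,}|(\\x[0-9a-fA-F]{2}){8,}|FilesMan|JGF1dGhfc|document\.write\("\\u00|sh(3(ll|11)))'
# Assumption (not from the post): heuristic for the todo item. Matches a
# preg_replace() whose first string argument ends in delimiter + modifiers
# that include "e", e.g. '/.../e' or "#...#ie".
PREG_E_RE="preg_replace[[:space:]]*\\([[:space:]]*[\"'][^\"']*[/#~|@%][a-zA-Z]*e[a-zA-Z]*[\"']"

# scan_php ROOT: print file:line:match for each hit in *.php* files under ROOT.
scan_php() {
    grep -rnoE --include='*.php*' -e "$PAGE_RE" -e "$PREG_E_RE" "$1"
}

# rank_hits: read scan_php output, print "count file", most hits first.
# Assumes file paths contain no ":".
rank_hits() {
    awk -F: '{ n[$1]++ } END { for (f in n) print n[f], f }' | sort -k1,1nr -k2
}

# make_samples DIR: write constructed, inert files for checking the patterns.
make_samples() {
    cat > "$1/flagged.php" <<'EOF'
<?php eval(base64_decode($x));
preg_replace('/.*/e', $x, $y);
EOF
    cat > "$1/clean.php" <<'EOF'
<?php echo preg_replace('/a+/i', 'b', $s);
EOF
    cp "$1/flagged.php" "$1/notes.txt"   # not *.php*, so --include skips it
}

# Usage: sh scan.sh /var/www/vhosts   (prints the ranked list)
if [ -n "${1:-}" ]; then scan_php "$1" | rank_hits; fi
```
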
