How to find PHP Shell on your server

In most hacking or defacement incidents the most common tool used is a PHP shell. If you scan your server regularly for PHP shells and delete them, you can prevent many hacking and defacement attempts on your server.

#!/bin/bash
# Scan every cPanel account's public_html directory for well-known PHP shells.
# The egrep command below is one line; keep it on one line in your script or it will error.

/bin/egrep "cgitelnet|webadmin|PHPShell|tryag|r57shell|c99shell|noexecshell|/etc/passwd|revengans|myshellexec" /home/*/public_html -R | cut -d: -f1 | uniq > /root/scan.txt

# egrep leaves scan.txt empty when nothing matches, so write the default message
# afterwards (writing it first let the egrep redirect above overwrite it)
if [ ! -s /root/scan.txt ]; then
    echo "No PHP Shell was Found" > /root/scan.txt
fi

/bin/cat /root/scan.txt | mail -s "PHP Shell Scan" user@domain.com

# Replace your email address above

# Cron Settings
# 0 6 * * * PATH TO SCRIPT

The above script is a very simple shell script that scans the public_html directory of every cPanel account for various PHP shells and then mails you the locations of any it finds. You can set a cron job to run it once a day; the cron line included in the script runs it at 06:00 every day.

  1. thank you very much for this script, saved me some time!

    please note it might take up to several hours to run it on a large server with many users on it.

    • franx47
    • January 30th, 2013

    I joined your test parameters with other script I found on the net.

    $ grep '((eval.*(base64_decode|gzinflate))|\$[0O]{4,}|(\\x[0-9a-fA-F]{2}){8,}|cgitelnet|webadmin|PHPShell|tryag|r57shell|c99shell|noexecshell|revengans|myshellexec|FilesMan|JGF1dGhfc|document\.write\("\\u00|sh(3(ll|11)))' . -roE --include='*.php*'

    That will scan all files in the current directory and its subdirectories.

    Thanks.
