Server: nginx/1.18.0
System: Linux vps-9dcdb12e 5.15.0-176-generic #186-Ubuntu SMP Fri Mar 13 11:01:42 UTC 2026 x86_64
User: ubuntu (1000)
PHP: 8.1.2-1ubuntu2.24
Disabled: exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
File: //tmp/malware_hunt.sh
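#!/bin/bash
# malware_hunt.sh — quick triage sweep of the WordPress installs under
# /var/www/<site>/ for common compromise indicators: dropped web file managers,
# eval()/system() web shells, obfuscated loaders, injected casino spam,
# chattr +i'd PHP files and unexpected wp-admin subdirectories.
# Each section writes its raw hit list to /tmp/m_*.txt and prints a count plus
# a short sample to stdout; the final "MALWARE_HUNT_DONE" line marks completion.
#
# NOTE(review): every scan is prefixed with sudo, so this only works for a
# user with (passwordless) sudo; run it from a trusted admin shell, not from
# the compromised web context it is hunting in.
# NOTE(review): /tmp/m_*.txt are fixed, predictable names. That is tolerable on
# a single-admin box (protected_symlinks blocks the classic /tmp symlink trick),
# but on a shared host prefer a mktemp -d directory.
set -u      # an unset variable is a bug; no -e because grep exits 1 on "no match"
umask 077   # the hit lists name backdoor locations — keep them readable only by this user
echo "=== POLOWANIE NA MALWARE OVH $(date 2>/dev/null) ==="
echo ""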
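echo "### 1. TINY FILE MANAGER (web file manager RCE) ###"
# Tiny File Manager is a single-file PHP file manager that attackers drop into
# wp-content/wp-admin as a persistent upload + RCE backdoor. "H3K" is presumably
# the tag from its page title — it is a short token, so expect some false
# positives on random strings. The scan is deliberately NOT limited to *.php:
# PHP payloads are routinely hidden in .ico/.txt/.jpg files.
sudo grep -rliE "Tiny File Manager|tinyfilemanager|H3K" /var/www/*/wp-content /var/www/*/wp-admin /var/www/*/wp-includes 2>/dev/null > /tmp/m_filemanager.txt
echo "Plików: $(wc -l < /tmp/m_filemanager.txt)"
# /var/www/<site>/... -> <site>, then count distinct affected sites
echo "Domen: $(sed -E 's#/var/www/([^/]+)/.*#\1#' /tmp/m_filemanager.txt | sort -u | wc -l)"
# sample only; the full list stays in /tmp/m_filemanager.txt
head -40 /tmp/m_filemanager.txt
echo ""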
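echo "### 2. WEB SHELLE / eval-RCE (eval z _POST/_GET/_REQUEST/_SERVER, system, shell_exec) ###"
# Direct request-to-execution sinks: eval/assert/system/shell_exec/passthru fed
# straight from a superglobal, plus the "$_POST['x']()" variable-function call.
# Inside double quotes "\\$_" reaches grep as "\$_" (literal dollar); "\(" and
# "\[" are literal parens/brackets in ERE. -i also catches EVAL( style casing.
# NOTE(review): only wp-content is scanned here; a shell dropped into
# wp-includes or the site root is not covered by this section.
sudo grep -rliE "eval\(\\$_(POST|GET|REQUEST|SERVER|COOKIE)|assert\(\\$_|system\(\\$_|shell_exec\(\\$_|passthru\(\\$_|\\$_(POST|GET|REQUEST)\[[^]]*\]\(\)" /var/www/*/wp-content 2>/dev/null > /tmp/m_shells.txt
echo "Plików: $(wc -l < /tmp/m_shells.txt)"
# sample only; the full list stays in /tmp/m_shells.txt
head -30 /tmp/m_shells.txt
echo ""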
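echo "### 3. ZACIEMNIONE LOADERY (eval(base64/gzinflate/str_rot13)) ###"
# Classic obfuscated loader shape: eval( followed within ~30 chars by a decoder
# call (eval(base64_decode(..., eval(gzinflate(base64_decode(..., ...).
# Also checks each site's index.php and wp-config.php, the two files most often
# prepended with such a loader.
# NOTE(review): does not catch preg_replace('/e'), create_function() or
# "eval" built from string concatenation; treat a clean result as partial.
sudo grep -rliE "eval\(.{0,30}(base64_decode|gzinflate|str_rot13|gzuncompress)" /var/www/*/wp-content /var/www/*/index.php /var/www/*/wp-config.php 2>/dev/null > /tmp/m_obfusc.txt
echo "Plików: $(wc -l < /tmp/m_obfusc.txt)"
# sample only; the full list stays in /tmp/m_obfusc.txt
head -30 /tmp/m_obfusc.txt
echo ""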
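echo "### 4. PODMIENIONY TYTUL NA KASYNO (vavada/kasyno injection w plikach) ###"
# SEO-spam injection: Polish "official casino" title/strings planted into theme
# or core files. -i makes the bare "vavada" alternative cover the others too;
# they are kept for readability of the indicator list.
sudo grep -rliE "Kasyno Vavada|Oficjalnym Kasynie|Witamy w Oficjaln|vavada" /var/www/*/wp-content /var/www/*/wp-includes 2>/dev/null > /tmp/m_casino.txt
echo "Plików: $(wc -l < /tmp/m_casino.txt)"
# sample only; the full list stays in /tmp/m_casino.txt
head -20 /tmp/m_casino.txt
echo ""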
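echo "### 5. PLIKI IMMUTABLE (chattr +i - backdoor chroni przed usunieciem) ###"
# Attackers chattr +i their droppers so a plain rm/overwrite fails. lsattr
# prints "<flags> <path>"; the immutable flag 'i' is the 5th flag position,
# hence '^....i'. Everything runs as root via sudo find (-exec inherits it).
# Batching with -exec ... {} + avoids one sudo+lsattr fork per file, and head
# closes the pipe after 30 hits so the walk stops early instead of enumerating
# every *.php before the first check (the old for $(find ...) loop also broke
# on paths containing whitespace). -type f: a directory named *.php would make
# lsattr list its children rather than the entry itself.
sudo find /var/www/*/wp-content /var/www/*/wp-admin -type f -name "*.php" -exec lsattr {} + 2>/dev/null \
  | grep -E '^....i' \
  | sed -E 's/^[^ ]+ //' \
  | head -30 > /tmp/m_immutable.txt
echo "Immutable plików (próbka): $(wc -l < /tmp/m_immutable.txt)"
head -20 /tmp/m_immutable.txt
echo ""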
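echo "### 6. PODEJRZANE PLIKI w wp-admin (poza standardem: crows, falls, fox, itp) ###"
# Lists DIRECTORIES (not files, despite the heading) directly under each
# site's wp-admin that are not part of a stock WordPress layout; malware often
# hides a shell under a random-word directory there. The trailing "wp-admin"
# alternative drops the start directory that find prints itself.
# NOTE(review): a rogue file placed directly in wp-admin/ is not covered here.
sudo find /var/www/*/wp-admin -maxdepth 1 -type d 2>/dev/null | grep -vE "/(wp-admin|css|js|images|includes|network|user|maint)$" > /tmp/m_wpadmin.txt
echo "Niestandardowych katalogów wp-admin: $(wc -l < /tmp/m_wpadmin.txt)"
# sample only; the full list stays in /tmp/m_wpadmin.txt
head -20 /tmp/m_wpadmin.txt
echo ""
# completion sentinel, presumably used by whatever collects this output
echo "MALWARE_HUNT_DONE"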