File: //tmp/scan_brutals_type.sh
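#!/bin/bash
# scan_brutals_type.sh — look for the "brutals"-type WordPress backdoor on
# every site under /var/www (one directory per domain, as on this OVH host).
#
# Three indicators are checked, each printed as its own section with the
# affected domain names (the directory name under /var/www) and a count:
#   1. wp-content/mu-plugins/index.php larger than 200 B — the stock file is
#      a tiny placeholder, so a bigger one is treated as a backdoor loader;
#   2. a theme functions.php carrying the known loader signature
#      (the_content_base / md5(sha1($_SERVER['HTTP_HOST'])));
#   3. a theme functions.php matching the broader indicator set
#      (_e_stack, get_option(md5(, unserialize(base64_decode($settings).
#
# Result files (domain lists plus the full-path hit lists of sections 2/3)
# are written to a private mktemp directory whose path is printed before
# SCAN_DONE, so a reviewer can open the full paths afterwards. They are
# intentionally not deleted. A predictable /tmp name is avoided because other
# (web) users on a shared host could pre-create it.
#
# Requires sudo (the web roots are not world-readable). Output goes to stdout;
# the exit status is 0 whether or not anything was found — read the report.

# Deliberately no `set -e`: grep exits 1 when nothing matches and every read
# is best-effort (errors go to /dev/null), so only unset-variable and
# pipeline-failure checking is enabled.
set -uo pipefail

readonly WWW_ROOT=/var/www
# mu-plugins/index.php larger than this many bytes is reported.
readonly MAX_INDEX_BYTES=200

# grep -E signatures. Written in double quotes so the PHP `$` can be given
# as `\\\$` (-> `\$` for grep). A bare `\\$name` inside double quotes is
# expanded by bash as the (empty) shell variable $name and corrupts the
# pattern — e.g. `\\$settings` becomes a trailing backslash, which grep
# rejects as a regex error and the 2>/dev/null below would hide.
readonly SIG_LOADER="md5\(sha1\(\\\$_SERVER\['HTTP_HOST'\]\)\)|the_content_base|function the_content_base"
readonly SIG_BROAD="_e_stack|get_option\(md5\(|unserialize\(base64_decode\(\\\$settings"

#######################################
# Print a diagnostic to stderr and exit with status 1.
#######################################
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Abort if a signature is not a valid extended regex.
# grep exits 2 on a malformed pattern (1 is merely "no match"); the scans
# below silence grep's stderr, so this is the only place a bad regex shows.
# Arguments: $1 - extended regex
#######################################
check_pattern() {
  local rc=0
  grep -E -- "$1" /dev/null 2>/dev/null || rc=$?
  (( rc == 2 )) && die "invalid signature regex: $1"
  return 0
}

#######################################
# Map a path below /var/www to its domain directory name.
# Arguments: $1 - absolute path such as /var/www/<domain>/wp-content/...
# Outputs:   <domain> on stdout; the input unchanged if it is not under
#            /var/www
#######################################
domain_of() {
  local path=$1
  if [[ "$path" =~ ^"$WWW_ROOT"/([^/]+)/ ]]; then
    printf '%s\n' "${BASH_REMATCH[1]}"
  else
    printf '%s\n' "$path"
  fi
}

#######################################
# Section 1: print "<domain> (<size> B)" for every site whose
# mu-plugins/index.php is larger than MAX_INDEX_BYTES.
# find applies the size filter itself (-size +Nc is "more than N bytes"),
# so no per-file stat is needed; -type f skips directories named index.php.
# The directory walk runs under sudo so that non-listable web roots are
# still covered (a shell glob would be resolved as the calling user).
# Outputs:   one line per hit on stdout
#######################################
scan_mu_plugin_loaders() {
  local entry size path
  # -printf emits "<size> <path>\0": the size has no spaces, so split on
  # the first space; NUL termination keeps odd path characters intact.
  sudo find "$WWW_ROOT" -mindepth 4 -maxdepth 4 -type f \
      -path "$WWW_ROOT/*/wp-content/mu-plugins/index.php" \
      -size +"${MAX_INDEX_BYTES}"c -printf '%s %p\0' 2>/dev/null \
    | while IFS= read -r -d '' entry; do
        size=${entry%% *}
        path=${entry#* }
        printf '%s (%s B)\n' "$(domain_of "$path")" "$size"
      done
}

#######################################
# Sections 2/3: list the domains whose theme functions.php matches an ERE.
# Arguments: $1 - extended regex for grep -E
#            $2 - file that receives the matching full paths, one per line
# Outputs:   sorted, unique domain names on stdout
#######################################
scan_theme_functions() {
  local pattern=$1 full_out=$2 path
  # find + grep -l under a single sudo, for the same reason as in section 1.
  sudo find "$WWW_ROOT" -mindepth 5 -maxdepth 5 -type f \
      -path "$WWW_ROOT/*/wp-content/themes/*/functions.php" \
      -exec grep -liE -- "$pattern" '{}' + 2>/dev/null > "$full_out"
  while IFS= read -r path; do
    domain_of "$path"
  done < "$full_out" | LC_ALL=C sort -u
}

#######################################
# Run the three scans and print the report.
# Globals:   WWW_ROOT, MAX_INDEX_BYTES, SIG_LOADER, SIG_BROAD (read)
# Outputs:   the report on stdout; result files in a fresh mktemp directory
#######################################
main() {
  local workdir
  workdir=$(mktemp -d) || die "mktemp failed"
  check_pattern "$SIG_LOADER"
  check_pattern "$SIG_BROAD"

  echo "=== SKAN: backdoor typu brutals na OVH ==="
  echo ""
  echo "### 1. mu-plugins/index.php > 200B (backdoor loader) ###"
  scan_mu_plugin_loaders > "$workdir/r1.txt"
  echo "Domen: $(wc -l < "$workdir/r1.txt")"
  head -40 "$workdir/r1.txt"
  echo ""
  echo "### 2. functions.php motywu z backdoorem (the_content_base / md5(sha1 HTTP_HOST) / pre_get_posts inject) ###"
  scan_theme_functions "$SIG_LOADER" "$workdir/r2_full.txt" > "$workdir/r2.txt"
  echo "Domen z zainfekowanym motywem: $(wc -l < "$workdir/r2.txt")"
  head -50 "$workdir/r2.txt"
  echo ""
  echo "### 3. Szerszy wzorzec zainfekowanych motywow (get_option(md5( lub _e_stack lub _SERVER HTTP_HOST w functions) ###"
  scan_theme_functions "$SIG_BROAD" "$workdir/r3_full.txt" > "$workdir/r3.txt"
  echo "Domen (szerszy wzorzec): $(wc -l < "$workdir/r3.txt")"
  head -50 "$workdir/r3.txt"
  echo ""
  # Full-path hit lists stay here for manual review (not deleted on exit).
  echo "Pliki wynikowe: $workdir"
  echo "SCAN_DONE"
}
main "$@"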