Finding PHP shell scripts and PHP exploits

Exploits love to hide their evil code using random combinations of base64_encode, gzdeflate, etc. Although you're going to get plenty of false positives using this method, with some common sense and this simple command you can weed out most popular exploits, whether they are standalone files or embedded into existing files. I sometimes update this when I find new exploits, so check back.

Replace the path below (.) with the absolute path of the directory you want to recursively scan. For example, you could recursively scan from the working directory:

grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|GLOBALS.*exit|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' . -lroE --include='*.php*'

Replace the `.` with the path below to cover all public-facing web folders on a cPanel box:

/home/*/public_html/
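A fuller version of the same idea, as an added Python example that is not part of the original post: it applies the post's grep indicators line by line the way grep does, and additionally unwraps quoted base64 and raw-deflate stages statically (nothing is ever evaluated) so that a payload the one-line regex misses still gets flagged once its inner stage is exposed. The directory layout, file names and sample contents are constructed for the demo; the `die(PHP_OS` and `Array(base64_decode` markers inside them are the post's own indicators, not working malware.

```python
import base64
import binascii
import re
import tempfile
import zlib
from pathlib import Path

# The indicators are lifted from the grep command in the post, one alternative per
# line; they are matched per source line, exactly as grep does.
SUSPICIOUS = re.compile(
    r'(eval.*(base64_decode|gzinflate|\$_))'
    r'|\$[0O]{4,}'
    r'|FilesMan'
    r'|GLOBALS.*exit'
    r'|JGF1dGhfc'
    r'|IIIl'
    r'|die\(PHP_OS'
    r'|posix_getpwuid'
    r'|Array\(base64_decode'
    r'|document\.write\("\\u00'
    r'|sh3(ll|11)'
)

# A quoted run of 40+ base64-alphabet characters: the usual carrier for a hidden stage.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=]{40,})['"]""")
MAX_STEPS = 10  # cap on static unwrap steps (literal -> base64 -> raw deflate is three)


def unwrap_once(data: bytes):
    """One static decoding step, or None. Nothing here evaluates PHP."""
    m = B64_LITERAL.search(data.decode("latin-1"))
    if m:                                   # a source stage: pull out the embedded literal
        return m.group(1).encode()
    try:                                    # what base64_decode() would produce
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:                                    # what gzinflate() would produce (raw deflate)
        return zlib.decompress(data, -zlib.MAX_WBITS)
    except zlib.error:
        pass
    return None


def peel(data: bytes) -> list:
    """Return every intermediate stage obtained by statically unwrapping the payload."""
    stages, cur = [], data
    for _ in range(MAX_STEPS):
        nxt = unwrap_once(cur)
        if not nxt or nxt == cur:
            break
        stages.append(nxt)
        cur = nxt
    return stages


def scan_bytes(data: bytes) -> list:
    """Indicators hit in the file as written, plus any hit only inside an unwrapped stage."""
    hits = []
    for line in data.decode("latin-1").splitlines():
        m = SUSPICIOUS.search(line)
        if m:
            hits.append(m.group(0))
    for stage in peel(data):
        m = SUSPICIOUS.search(stage.decode("latin-1"))
        if m:
            hits.append("unwrapped:" + m.group(0))
    return hits


def scan_tree(root) -> dict:
    """Walk root like `grep -r --include=*.php*` and map each flagged path to its hits."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*.php*")):
        if path.is_file():
            hits = scan_bytes(path.read_bytes())
            if hits:
                results[str(path.relative_to(root))] = hits
    return results


def build_sample_tree(root) -> None:
    """Write constructed sample files (not real malware) under root."""
    root = Path(root)
    inner = b"<?php /* constructed marker, trips the die(PHP_OS indicator */ die(PHP_OS); ?>"
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)      # raw deflate, i.e. PHP gzdeflate()
    layer1 = base64.b64encode(c.compress(inner) + c.flush())
    middle = (b"<?php $f='base'.'64_decode';$g='gz'.'inflate';"
              b"eval($g($f('" + layer1 + b"')));")
    outer = (b"<?php\n$p='" + base64.b64encode(middle) + b"';\n"
             b"$d='base'.'64_decode';\neval($d($p));\n")
    (root / "wp-content").mkdir()
    (root / "wp-content" / "cache.php").write_bytes(outer)          # hidden behind two stages
    (root / "old.php.bak").write_bytes(b"<?php $a = Array(base64_decode('YQ==')); ?>\n")
    (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>\n")   # clean
    (root / "notes.txt").write_bytes(b"FilesMan\n")                 # not *.php*, never scanned


def demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

On a real box call `scan_tree()` once per `public_html` directory (pathlib does not expand the `/home/*` wildcard for you). The same caveat as the grep one-liner applies: a long base64 literal or a `$_` near an `eval` can be perfectly legitimate, so treat hits as a shortlist to read by hand, not as a verdict.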

Don't forget that something as simple as 'clamscan' (if you've got ClamAV installed) can also find some PHP shells. Replace the path below with the absolute path of the directory you want to recursively scan. For example, you could scan all public HTML folders on a cPanel server for various exploits and certain phishing sites:

nice -n 19 clamscan /home/*/public_html -r -i | grep " FOUND"

3 Responses to Finding PHP shell scripts and PHP exploits

  1. […] the simple option of clamscam is a great way to find exploits http://djlab.com/2010/09/finding-php-shell-scripts-and-php-exploits/ – you may need to install clamav for […]

  2. alert(1) says:

    alert(1)