File: //tmp/freshscan.sh
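#!/bin/bash
# freshscan.sh - triage scan of hosted WordPress trees for a fixed set of
# known injection markers. For each check it prints the names of the site
# directories that matched, then a DONE_FRESH_<SRV> end marker.
#
# Usage: freshscan.sh BASE SRV
#   BASE  directory whose children are site roots; both
#         BASE/<site>/public_html/wp-content and BASE/<site>/wp-content
#         layouts are searched
#   SRV   label echoed in the banner and in the end marker
#
# Reading the result: an empty section only means that none of these exact
# markers was found in the places searched. Errors from grep/ls/find
# (including "permission denied") are discarded, so run the scan with enough
# privileges to read every site, otherwise unreadable trees look clean.
#
# NOTE(review): $BASE is expanded unquoted, as in the original, so a value
# containing whitespace is split and one containing glob characters is
# expanded. Quote it once callers are confirmed to pass one literal directory.
# shellcheck disable=SC2086

BASE="${1:-}"; SRV="${2:-}"

# With an empty BASE the globs below would start at "/", match nothing on a
# normal host and report every section as clean. Refuse to run instead.
if [[ -z "$BASE" ]]; then
  printf 'usage: %s BASE SRV\n' "${0##*/}" >&2
  exit 2
fi

#######################################
# Turn matched paths into a de-duplicated list of site names.
# Arguments: $1 - maximum number of names to print
# Inputs:    one path per line on stdin
# Outputs:   site names on stdout (the path component after /domains/ or
#            /www/); a notice on stderr when the list was cut at the limit
#######################################
report_sites() {
  local limit=$1
  local names total
  names=$(sed -E 's#.*/(domains|www)/([^/]+)/.*#\2#' | sort -u)
  [[ -n "$names" ]] || return 0
  printf '%s\n' "$names" | head -n "$limit"
  # The cap keeps the report short, but a silently shortened list hides
  # affected sites, so say on stderr (stdout format unchanged) how many
  # were left out.
  total=$(printf '%s\n' "$names" | wc -l)
  if (( total > limit )); then
    printf 'freshscan: %d more site(s) not shown (limit %d)\n' \
      "$(( total - limit ))" "$limit" >&2
  fi
}

echo "### FRESH MALWARE SCAN $SRV ###"

# Check 1: PHP files under wp-content containing the markers of the
# self-copying mu-plugin backdoor (inj_ helper functions, copy of __FILE__
# into the mu-plugins directory).
echo "## content-sync-helper / inj_ self-copy backdoor ##"
grep -rliE --include="*.php" \
  "function inj_|inj_sync_mu_plugin|@copy\(__FILE__.*WPMU_PLUGIN" \
  $BASE/*/public_html/wp-content $BASE/*/wp-content 2>/dev/null \
  | report_sites 40
echo ""

# Check 2: spam-link injection strings in theme header.php / functions.php.
echo "## slot gacor / .go.id / jp1131 injection w header.php/functions motywu ##"
grep -rliE "slot gacor|baritotimurkab|go\.id/.>slot|jp1131" \
  $BASE/*/public_html/wp-content/themes/*/header.php \
  $BASE/*/public_html/wp-content/themes/*/functions.php \
  $BASE/*/wp-content/themes/*/header.php \
  $BASE/*/wp-content/themes/*/functions.php 2>/dev/null \
  | report_sites 40
echo ""

# Check 3: plugin directories whose name starts with "advanced-linkflow".
# Plain glob expansion replaces parsing `ls -d`; an unmatched pattern stays
# literal, so each candidate is tested before it is printed.
echo "## advanced-linkflow fałszywe wtyczki ##"
for plugin_dir in \
  $BASE/*/public_html/wp-content/plugins/advanced-linkflow* \
  $BASE/*/wp-content/plugins/advanced-linkflow*; do
  if [[ -e "$plugin_dir" || -L "$plugin_dir" ]]; then
    printf '%s\n' "$plugin_dir"
  fi
done | report_sites 20
echo ""

# Check 4: theme header.php files modified within the last two days.
# NOTE(review): the heading speaks of fresh PHP in themes, but only files
# named header.php are matched; confirm which of the two is intended.
# Modification time can be reset by whoever wrote the file, so an empty list
# here does not rule out recent tampering; comparing against known-good
# checksums is the stronger check.
echo "## świeże PHP w themes (ostatnie 2 dni - dokładane backdoory) ##"
find $BASE/*/public_html/wp-content/themes $BASE/*/wp-content/themes \
  -name "header.php" -mtime -2 2>/dev/null \
  | report_sites 30

# End marker, printed after all four checks have run.
echo "DONE_FRESH_$SRV"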