File: //tmp/fullscan.sh
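#!/bin/bash
# fullscan.sh - read-only indicator sweep over WordPress document roots.
#
# arg1 = base path holding the domains (e.g. /home/srv48113/domains or /var/www)
# arg2 = server name; echoed in the report header and in the final DONE_ marker
#
# Every step only reads (grep/find/stat) and prints candidate paths; nothing is
# modified or removed. Section headers keep their original wording so existing
# log parsers keep working.
set -u

usage() {
  printf 'Usage: %s BASE_PATH SERVER_NAME\n' "${0##*/}" >&2
  exit 2
}

# Refuse to run without a base path: with an empty BASE the globs below would
# degrade to "/*/public_html/..." and sweep the whole filesystem.
[[ -n "${1:-}" ]] || usage
BASE="$1"; SRV="${2:-}"
[[ -d "$BASE" ]] || { printf 'fullscan: not a directory: %s\n' "$BASE" >&2; exit 2; }

# Unmatched globs expand to nothing instead of a literal "*" path, so each step
# can detect "no targets" rather than handing a bogus path to grep/find.
shopt -s nullglob

#######################################
# Case-insensitive ERE search printing only matching file names (grep -rliE).
# Skips the call when no paths are given: GNU grep with -r and no file operand
# would search the current directory instead of the intended roots.
# stderr is discarded on purpose (unreadable files are expected on shared hosts).
# Arguments: $1 - ERE pattern, $@ - files/directories to search
#######################################
grep_files() {
  local pattern=$1
  shift
  (( $# )) || return 0
  grep -rliE -- "$pattern" "$@" 2>/dev/null
}

#######################################
# Print each argument on its own line (replaces parsing `ls` output).
# Arguments: $@ - already glob-expanded paths, possibly none
#######################################
list_paths() {
  (( $# )) || return 0
  printf '%s\n' "$@"
}

#######################################
# Reduce a path under BASE to its domain directory name
# (.../domains/<domain>/... or .../www/<domain>/... -> <domain>).
# Reads paths on stdin, writes one name per line.
#######################################
to_domain() {
  sed -E 's#.*/(domains|www)/([^/]+)/.*#\2#'
}

echo "############ MALWARE SCAN: $SRV ($BASE) ############"
echo ""

echo "=== [1] Loadery GitHub ressasantikaa/newphp86 (ultra-builder, Aksismet, kakek, yellow) ==="
wp_content=( "$BASE"/*/public_html/wp-content "$BASE"/*/wp-content )
grep_files 'ressasantikaa|newphp86|raw\.githubusercontent\.com/[a-z]*/[a-z0-9]*php' "${wp_content[@]}" | head -40
# The count deliberately uses the narrower pattern (no raw.githubusercontent term).
echo "--- liczba: $(grep_files 'ressasantikaa|newphp86' "${wp_content[@]}" | wc -l)"
echo ""

echo "=== [2] mu-plugins backdoory (ultra-builder-live, test-mu-plugin, site-compat, index.php >200B) ==="
mu_dirs=( "$BASE"/*/public_html/wp-content/mu-plugins "$BASE"/*/wp-content/mu-plugins )
if (( ${#mu_dirs[@]} )); then
  # NUL-delimited so names with spaces/newlines survive; read -r keeps backslashes.
  find "${mu_dirs[@]}" -maxdepth 1 -name '*.php' -print0 2>/dev/null | while IFS= read -r -d '' f; do
    bn=${f##*/}
    # default to 0 when stat fails, so the numeric comparison below cannot error out
    size=$(stat -c '%s' -- "$f" 2>/dev/null)
    size=${size:-0}
    # the Installatron helper is the one expected mu-plugin; everything else is reported
    [[ "$bn" == "automation-by-installatron.php" ]] && continue
    if [[ "$bn" == "index.php" ]]; then
      # a stock mu-plugins/index.php is a tiny placeholder; a larger one carries code
      (( size > 200 )) && printf '%s (index %s B)\n' "$f" "$size"
    else
      printf '%s (%s %s B)\n' "$f" "$bn" "$size"
    fi
  done | head -40
fi
echo ""

echo "=== [3] Zainfekowane functions.php motywu (the_content_base / md5(sha1 HTTP_HOST) / file_get_contents remote+echo) ==="
functions_php=( "$BASE"/*/public_html/wp-content/themes/*/functions.php "$BASE"/*/wp-content/themes/*/functions.php )
# Single-quoted on purpose: in the double-quoted original, "\\$_SERVER" collapsed
# to a shell expansion of the (unset) variable _SERVER, silently dropping that
# alternative from the regex. The single char before \$_SERVER is the author's.
grep_files 'the_content_base|md5\(sha1\(.\$_SERVER|file_get_contents\(.https?://[^\)]*\)\;.{0,20}echo' "${functions_php[@]}" \
  | to_domain | sort -u | head -40
echo ""

echo "=== [4] Katalogi malware w root (index.php z bagaimanaa/pages.dev/BANDOT/NAGAHOKI/casino-spam) ==="
roots=( "$BASE"/*/public_html "$BASE"/*/wp-content )
# plugin/theme/cache trees produce legitimate hits for these words, so they are excluded
grep_files 'bagaimanaa|pages\.dev|NAGAHOKI|BANDOT|slot gacor|Situs Slot' "${roots[@]}" \
  | grep -vE '/wp-content/(plugins|themes)/|/wp-includes/|/cache/' \
  | to_domain | sort | uniq -c | sort -rn | head -30
echo ""

echo "=== [5] Plik weryfikacyjny Google (Search Console hijack) ==="
list_paths "$BASE"/*/public_html/google*.html "$BASE"/*/google*.html | head -30
echo ""

echo "=== [6] Loadery remote w root index.php (cardquest typ: eval str_rot13/base64 + filestack/pages.dev) ==="
grep_files 'eval\(.*str_rot13|eval\(gzinflate|filestack\.live|forum-integritas|officialsite\.txt' \
  "$BASE"/*/public_html/index.php "$BASE"/*/index.php | head -30
echo ""

echo "=== [7] Fałszywe wtyczki (literówki: Aksismet, podszywanie) ==="
list_paths "$BASE"/*/public_html/wp-content/plugins/Aksismet* "$BASE"/*/wp-content/plugins/Aksismet* | head -20
# "-Pro" plugin directories, minus the two legitimate ones that commonly use the suffix
list_paths "$BASE"/*/public_html/wp-content/plugins/*-Pro "$BASE"/*/wp-content/plugins/*-Pro \
  | grep -viE 'elementor-pro|seedprod' | head -20
echo ""

echo "=== [8] crows/falls backdoory wp-admin ==="
wp_admin=( "$BASE"/*/public_html/wp-admin "$BASE"/*/wp-admin )
# guarded like grep_files: find with no path operand would descend into "."
if (( ${#wp_admin[@]} )); then
  find "${wp_admin[@]}" -maxdepth 1 -type d 2>/dev/null | grep -E '/(crows|falls|raven|hawk)' | head -20
fi
echo ""

echo "DONE_$SRV"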