HEX
Server: nginx/1.18.0
System: Linux vps-9dcdb12e 5.15.0-176-generic #186-Ubuntu SMP Fri Mar 13 11:01:42 UTC 2026 x86_64
User: ubuntu (1000)
PHP: 8.1.2-1ubuntu2.24
Disabled: exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
$ pwd: /tmp/
Upload Files
File: //tmp/sharp.sh
#!/bin/bash
BASE="$1"; SRV="$2"
echo "### SHARP SCAN $SRV ###"
echo ""
echo "## A] ressasantikaa loader (ultra-builder/Aksismet/kakek) - tylko PHP, nie xml/wpress ##"
grep -rliE "ressasantikaa|githubusercontent\.com/[a-z]+/newphp" $BASE/*/public_html/wp-content $BASE/*/wp-content --include="*.php" 2>/dev/null | head -30
echo ""
echo "## B] bagaimanaa/pages.dev/BANDOT/NAGAHOKI (katalogi malware) - tylko PHP ##"
grep -rliE "bagaimanaa|\.pages\.dev|NAGAHOKI|BANDOT" $BASE/*/public_html $BASE/*/wp-content --include="*.php" 2>/dev/null | grep -vE "/wp-content/(plugins|themes)/[^/]+/(vendor|node_modules|assets)/" | sed -E 's#.*/(domains|www)/([^/]+)/.*#\2#' | sort -u | head -30
echo ""
echo "## C] forum-integritas / officialsite.txt / file_get_contents+echo loader w motywach ##"
grep -rliE "forum-integritas|officialsite\.txt" $BASE/*/public_html/wp-content $BASE/*/wp-content --include="*.php" 2>/dev/null | head -20
echo ""
echo "## D] the_content_base / md5(sha1(HTTP_HOST)) w functions.php motywu ##"
grep -rliE "function the_content_base|md5\(sha1\(\\$_SERVER\['HTTP_HOST'\]\)\)" $BASE/*/public_html/wp-content/themes/*/functions.php $BASE/*/wp-content/themes/*/functions.php 2>/dev/null | sed -E 's#.*/(domains|www)/([^/]+)/.*#\2#' | sort -u | head -30
echo ""
echo "## E] eval(file_get_contents/curl remote) loader w motywie functions/header ##"
grep -rlE "echo \\$contents|file_get_contents\(\\$url\)" $BASE/*/public_html/wp-content/themes/*/functions.php $BASE/*/public_html/wp-content/themes/*/header.php $BASE/*/wp-content/themes/*/functions.php $BASE/*/wp-content/themes/*/header.php 2>/dev/null | sed -E 's#.*/(domains|www)/([^/]+)/.*#\2#' | sort -u | head -20
echo ""
echo "## F] Pliki google-verif (Search Console hijack) ##"
ls $BASE/*/public_html/google*.html $BASE/*/google*.html 2>/dev/null | sed -E 's#.*/(domains|www)/([^/]+)/.*#\2#' | sort -u | head -30
echo ""
echo "## G] root index.php loader (eval str_rot13/gzinflate/filestack) ##"
grep -rlE "eval\(.{0,20}str_rot13|eval\(gzinflate|filestack\.live" $BASE/*/public_html/index.php $BASE/*/index.php 2>/dev/null | sed -E 's#.*/(domains|www)/([^/]+)/.*#\2#' | sort -u | head -20
echo ""
echo "DONE_SHARP_$SRV"
@ Telegram