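# Scratch files shared by the rest of the script:
#   tmp_file    - list of directories found by the directory-name pass
#   outtmp_file - list of PHP files that matched the eval pattern
# mktemp creates each file with an unpredictable name and owner-only
# permissions. Stop if it fails, so that no later redirection is given an
# empty path.
tmp_file=$(/bin/mktemp) || { echo "mktemp failed" >&2; exit 1; }
outtmp_file=$(/bin/mktemp) || { echo "mktemp failed" >&2; exit 1; }
: > "$outtmp_file"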


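# Pass 1: record every PHP file under the first argument that contains the
# text "eval (" (any number of spaces before the parenthesis).
# This is a plain-text heuristic: it flags legitimate uses of eval as well,
# and it cannot see code that does not contain the literal token, so an empty
# result is not proof that the tree is clean.
echo "Scanning only the file names with eval" ;
tfile=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
echo "Temp file name is $tfile" ;

# grep -l prints each matching file name once. This replaces parsing
# "file:line" output with cut, which returned the matched text instead of the
# path whenever grep was handed a single file (no "file:" prefix is printed).
# -print0 / -0 keep names containing spaces or quotes intact, -r skips grep
# when nothing was found, and -type f keeps directories and symbolic links
# out of the list. "${1:-.}" preserves the no-argument behaviour of scanning
# the current directory.
# NOTE(review): only the first argument is scanned here, although the
# directory-name pass later in the script walks every argument.
find "${1:-.}" -type f -name "*.php" -print0 | xargs -0 -r grep -l -- "eval *(" > "$tfile"

# A filter on the longest line (wc -L greater than 500) was already disabled
# in the original, so every matching file is queued for review.
cat -- "$tfile" >> "$outtmp_file"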


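echo "Temp File name is $tmp_file" ;
echo "Out Temp File name is $outtmp_file" ;

# Pass 2: for every directory given on the command line, collect the
# sub-directories whose path ends in one of the names below into $tmp_file
# (one path per line). Judging by the names these are static-asset and upload
# locations; a later step searches them for PHP files containing eval.
for var in "$@"
do

        dir=$var
        echo "Scanning dir $var" ;

        # One find per name keeps the original progress messages and output
        # order. "$dir" is quoted so a path with spaces or glob characters is
        # passed to find as a single argument.
        for static_name in image img images css js upload uploads script scripts
        do
                find "$dir" -path "*/$static_name" -type d >> "$tmp_file"
                echo "$static_name done" ;
        done

done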

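# Pass 3: search each directory listed in $tmp_file for PHP files containing
# "eval (" and append the matching file names to $outtmp_file.
# The list is read line by line rather than word-split, so a directory name
# containing spaces or glob characters is handled as one path. Names that
# contain a newline are still not supported by the one-path-per-line format.
while IFS= read -r i
do
        [ -n "$i" ] || continue
        # -type f leaves directories and symbolic links out; -print0 / -0
        # protect unusual file names; -r avoids running grep with no files.
        find "$i" -type f -name "*.php" -print0 | xargs -0 -r grep -l -- "eval *(" >> "$outtmp_file"
done < "$tmp_file"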

# Stop here when no pass recorded a file name: a byte count of zero means
# the candidate list is empty.
# The message reflects only the "eval (" pattern; an empty list means the
# pattern did not match, not that the scanned tree has been verified.
fsize=$(wc -c < "$outtmp_file")
if [ "$fsize" -le 0 ]
then
    echo "There is no hacked file, ensure to change the pattern and try again" ;
    exit
fi

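echo "Before the loop" ;

# Disabled extra check: find preg_replace calls that use the /e modifier,
# which makes PHP evaluate the replacement string as code.
#find $1 -type f -name '*.php' | xargs egrep -l "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," >> $outtmp_file

#######################################
# Replace the first line of a file with a bare "<?php " opener.
# The new content is built in a mktemp file created next to the target
# (unpredictable name, owner-only mode) and renamed over it, instead of going
# through a fixed, guessable path in /tmp.
# Arguments: $1 - file to repair
#            $2 - numeric uid:gid to restore on the result
# Returns:   0 on success, non-zero if any step failed (target left as it was)
#######################################
_repair_first_line() {
    local target=$1 owner=$2 fixed
    fixed=$(mktemp -- "${target}.XXXXXX") || return
    if { printf '<?php \n'; tail -n +2 -- "$target"; } > "$fixed" \
        && chown -- "$owner" "$fixed" \
        && chmod --reference="$target" -- "$fixed" \
        && mv -f -- "$fixed" "$target"
    then
        return 0
    fi
    rm -f -- "$fixed"
    return 1
}

#######################################
# Apply one of the modifying menu choices to a file.
# Arguments: $1 - choice (1 repair first line, 2 delete, 3 chmod 000)
#            $2 - file
#            $3 - numeric uid:gid, used by the repair action
#######################################
_apply_fix() {
    case $1 in
        1) _repair_first_line "$2" "$3" ;;
        2) rm -v -- "$2" ;;
        3) chmod 000 -- "$2" ;;
    esac
}

# The candidate list can name the same file more than once (several passes
# append to it). Review each file once, in first-seen order, so that a repair
# is not offered a second time for a file that was already handled.
review_list=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
awk '!seen[$0]++' "$outtmp_file" > "$review_list"

# The list is read on descriptor 3 so that stdin stays attached to the
# terminal for the prompts, vim and less.
while IFS= read -r f <&3
do
    [ -n "$f" ] || continue

    # chmod and chown act on the target of a symbolic link, which may be
    # outside the scanned tree, so links are reported and left alone.
    if [ -L "$f" ]
    then
        echo "Skipping symbolic link (actions would apply to its target): $f" >&2
        continue
    fi

    if [ -f "$f" ];
    then
        fsize=$(wc -c < "$f")
    else
        continue ;
    fi

    # Owner name for display; numeric uid:gid for restoring ownership, which
    # also works when the owner has no group of the same name.
    own=$(stat -c '%U' -- "$f")
    own_ids=$(stat -c '%u:%g' -- "$f")
    echo "Owner is $own" ;
    echo "File size is $fsize" ;

    # Preview of the first 35 lines.
    # NOTE(review): the content is printed unfiltered, so control characters
    # in a hostile file reach the terminal as they are.
    head -n 35 -- "$f"
    echo "-------------------------------------------------------------------------------------------------------------" ;

    # Triage shortcut: files that mention a known project or library name are
    # assumed to be vendor code and skipped. The match is on file content
    # only, so it is advisory; it does not show that the file is unmodified.
    # Comparing against the upstream release is the reliable check.
    if grep -E -m 1 '(Mandrill_Messages|wordpress.org|WordPress|SimplePie|wordfenceConstants.php|Moxiecode|Logan Cai|jQuery|tcpdf.php|qrcode.php|Smarty|pear.php.net|module.audio.mp3.php|lesscss.org|Yadis|LinkedIn|Joomla)' -- "$f"
    then
        echo "***************************************** This may not be the SPAM file: $f **********************************************  "  ;
        sleep 1
        continue ;
    fi

    echo "File name $f " ;
    read -r -p "0 - nothing, 1 - To repair first line: 2 - delete , 3 - change perm 000 , 4 - vim  5 -less  " RESP

    case $RESP in
        0)
        ;;

        1|2|3)
            _apply_fix "$RESP" "$f" "$own_ids"
        ;;

        4)
            # Inspect in the editor first, then offer the follow-up actions.
            /usr/bin/vim -- "$f"
            read -r -p "1 - To repair first line: 2 - delete , 3 - change perm 000 , 4 - vim , 5 - ls" RESP
            case $RESP in
                1|2|3) _apply_fix "$RESP" "$f" "$own_ids" ;;
                5) ls -lh -- "$f" ;;
            esac
        ;;

        5)
            less -- "$f"
        ;;

        *) echo "doign nothing" ;;
    esac

    clear
done 3< "$review_list"

rm -f -- "$review_list"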