File: /home/ukqcurpj/deep_malware_scan.sh
#!/bin/bash
# deep_malware_scan.sh - heuristic, read-only sweep of one hosting account.
#
# Meant to be run from a shell on the server itself. It prints leads for a
# human to review (recently changed PHP files, a few known code patterns,
# cron entries, PHP ini overrides). It does not modify or remove anything,
# and a quiet run is not proof that the account is clean.

# Opening banner.
printf '%s\n' \
  "=========================================" \
  "DEEP MALWARE SCAN" \
  "=========================================" \
  ""

# ANSI colour escapes; they are expanded later by `echo -e`.
NC='\033[0m' # reset / no colour
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'

# Account root used by the filesystem checks.
HOME_DIR="/home/ukqcurpj"
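# [1] PHP files whose mtime falls within the last 7 days.
# mtime is under the control of whoever wrote the file, so an empty list is
# not evidence that nothing changed. Output is capped at 50 paths; a longer
# list is truncated without notice.
echo -e "${YELLOW}[1] Finding recently modified PHP files (last 7 days)...${NC}"
echo ""
# -F: drop only paths that contain the literal ".cpanel". As a regex the dot
# matched any character, which also hid paths such as ".../xcpanel/...".
find "$HOME_DIR" -name "*.php" -mtime -7 -type f 2>/dev/null | grep -vF ".cpanel" | head -50
echo ""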
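# [2] Content signatures. Each grep prints only the names (-l) of .php files
# with at least one matching line, capped at 20 per pattern. These are a
# handful of known patterns, not a complete detector: a hit is a lead to
# inspect (legitimate code can match too), and no hit does not mean the tree
# is clean.
echo -e "${YELLOW}[2] Searching for files with malware signatures...${NC}"
echo ""
echo "Files containing 'eval(base64_decode':"
# -F on the exclusion: filter on the literal ".cpanel" only, so a directory
# whose name merely ends in "cpanel" is not silently skipped.
grep -r "eval.*base64_decode" "$HOME_DIR" --include="*.php" -l 2>/dev/null | grep -vF ".cpanel" | head -20
echo ""
echo "Files containing 'file_put_contents.*index.php':"
grep -r "file_put_contents.*index\.php" "$HOME_DIR" --include="*.php" -l 2>/dev/null | head -20
echo ""
echo "Files containing 'eval(\$_POST' or 'eval(\$_GET':"
# Single quotes so every backslash reaches grep unchanged: \$ is a literal
# dollar sign, \( \| \) are grouping and alternation in GNU basic regex.
grep -r 'eval.*\$_\(POST\|GET\)' "$HOME_DIR" --include="*.php" -l 2>/dev/null | head -20
echo ""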
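# [3] Size heuristic for each site's top-level index.php.
# The 1000-byte threshold presumably assumes a stock loader of a few hundred
# bytes - confirm for these sites. INFECTED only means "larger than 1000
# bytes" and CLEAN only means "1000 bytes or less"; neither inspects content.

#######################################
# Print the verdict line for one index.php.
# Globals:   RED, GREEN, YELLOW, NC (read)
# Arguments: $1 - size in bytes as reported by stat (may be empty)
#            $2 - label to print, e.g. "public_html/index.php"
# Outputs:   one line on stdout
#######################################
_index_size_verdict() {
  local size=$1 label=$2
  case "$size" in
    '' | *[!0-9]*)
      # stat gave nothing usable. Without this branch the -gt test errors
      # out on the empty value and the file is reported as CLEAN.
      echo -e "${YELLOW}UNKNOWN: $label (size could not be determined)${NC}"
      ;;
    *)
      if [ "$size" -gt 1000 ]; then
        echo -e "${RED}INFECTED: $label ($size bytes)${NC}"
      else
        echo -e "${GREEN}CLEAN: $label ($size bytes)${NC}"
      fi
      ;;
  esac
}

echo -e "${YELLOW}[3] Checking index.php file sizes...${NC}"
echo ""
for site in public_html gmexperts.org innovativegenerations.org; do
  if [ -f "$HOME_DIR/$site/index.php" ]; then
    # BSD stat syntax first, GNU stat as the fallback.
    SIZE=$(stat -f%z "$HOME_DIR/$site/index.php" 2>/dev/null || stat -c%s "$HOME_DIR/$site/index.php" 2>/dev/null)
    _index_size_verdict "$SIZE" "$site/index.php"
  fi
done
echo ""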
# [4] Crontab of the invoking user: non-comment lines that mention php, curl
# or wget. Only this user's crontab is read; a line that matches is a lead to
# review, not a verdict, since ordinary scheduled tasks use these tools too.
echo -e "${YELLOW}[4] Checking for suspicious cron jobs...${NC}"
echo ""
crontab -l 2>/dev/null |
  grep -v '^#' |
  grep -e php -e curl -e wget
echo ""
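# [5] PHP files sitting directly in each site's wp-content directory
# (-maxdepth 1, so plugins/ and themes/ are not descended into). Only the
# file names are printed; deciding which ones belong there is left to the
# reviewer.
echo -e "${YELLOW}[5] Finding all PHP files in wp-content (non-plugin/theme)...${NC}"
echo ""
for site in public_html gmexperts.org innovativegenerations.org; do
  if [ -d "$HOME_DIR/$site/wp-content" ]; then
    echo "Checking $site/wp-content:"
    # IFS= and -r keep each path exactly as find printed it. A bare `read`
    # trims surrounding whitespace and consumes backslashes, so an oddly
    # named file would be reported under the wrong name.
    find "$HOME_DIR/$site/wp-content" -maxdepth 1 -name "*.php" -type f 2>/dev/null | while IFS= read -r file; do
      basename "$file"
    done
  fi
done
echo ""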
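# [6] auto_prepend_file / auto_append_file overrides in .user.ini and php.ini.
# Every ini file found is listed; a "File:" line with nothing under it means
# no matching directive was found in that file. Directives set anywhere else
# (for example via php_value in .htaccess) are outside this check.
echo -e "${YELLOW}[6] Checking for auto_prepend_file in .user.ini or php.ini...${NC}"
echo ""
# The parentheses make the -o grouping explicit. IFS= and -r stop `read` from
# trimming whitespace or consuming backslashes in a path, which would make
# the grep below look at the wrong file name.
find "$HOME_DIR" \( -name ".user.ini" -o -name "php.ini" \) 2>/dev/null | while IFS= read -r file; do
  echo "File: $file"
  grep -i -e "auto_prepend" -e "auto_append" -- "$file" 2>/dev/null
done
echo ""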
# Closing banner and operator guidance.
# NOTE(review): the checks in this script are heuristics. Step 2 is safer
# once a hit has been confirmed as malicious and a copy of the file has been
# kept for investigation.
printf '%s\n' \
  "=========================================" \
  "SCAN COMPLETE" \
  "=========================================" \
  "" \
  "NEXT STEPS:" \
  "1. Review the output above" \
  "2. Any files with malware signatures should be deleted" \
  "3. Any index.php files marked INFECTED need to be cleaned" \
  ""