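#!/bin/bash
#
# Keyword triage scan for PHP web-shell indicators.
#
# Usage: script [SCAN_PATH]
#   SCAN_PATH  file or directory to scan; defaults to /var/www.
#
# Output: for every keyword, the matching lines prefixed with file name and
# line number. A hit is a lead for manual review, not a verdict: the bare
# function names below also appear in ordinary application code, and
# obfuscated code may match none of them.
# Exit status: 2 when SCAN_PATH is missing or unreadable, 0 otherwise.

SCAN_PATH="${1:-/var/www}"

# Fail loudly instead of printing "scan complete" for a path that was never
# scanned; a silent no-op would look like a clean result.
if [[ ! -e "$SCAN_PATH" || ! -r "$SCAN_PATH" ]]; then
  printf '%s\n' "❌ 路徑不存在或無法讀取:$SCAN_PATH" >&2
  exit 2
fi

printf '%s\n' "🔍 掃描目錄:$SCAN_PATH"
printf '%s\n' "-------------------------------------------"

# Keywords commonly seen in PHP web shells. They are passed to grep as basic
# regular expressions, where "(" is a literal character and ".*" is a
# wildcard (used on purpose in the preg_replace entry).
readonly PATTERNS=(
  "eval(base64_decode"
  "assert(base64_decode"
  "create_function(base64_decode"
  "preg_replace(.*/e.*,base64_decode"
  "eval(gzinflate(base64_decode"
  "eval(gzuncompress(base64_decode"
  "php://input"
  "system("
  "shell_exec("
  "exec("
  "popen("
  "proc_open("
  "assert("
  "base64_decode("
  "gzinflate("
  "gzuncompress("
  "str_rot13("
  "ob_start("
  "passthru("
)

# File name globs to scan. Besides *.php this lists other extensions that
# servers are often configured to run as PHP; adjust to the local handler
# configuration. Files with any other extension are not inspected.
readonly INCLUDES=(
  --include="*.php"
  --include="*.phtml"
  --include="*.pht"
  --include="*.php3"
  --include="*.php4"
  --include="*.php5"
  --include="*.php7"
  --include="*.phar"
  --include="*.inc"
)

for pattern in "${PATTERNS[@]}"; do
  printf '\n🧨 搜尋關鍵字:%s\n' "$pattern"
  # -R recursive (follows symlinks), -i case-insensitive, -n line numbers,
  # -H always show the file name. -e / -- keep the pattern and the path from
  # being parsed as options. Binary files are deliberately not skipped: a
  # "Binary file ... matches" line for a PHP file is itself worth a look.
  grep -RinH "${INCLUDES[@]}" -e "$pattern" -- "$SCAN_PATH"
done

printf '\n%s\n' "✅ 掃描完成,如有發現異常請進一步檢查檔案內容。"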
# PS. 掃到的檔案不見得真的是異常檔,仍需依該檔案的實際用途來判斷。