#!/bin/sh
find ~/public_html/ -type f -size -2M -print0 | perl -0 -wn -e '-T and print;'| xargs -0 md5sum 2>/dev/null | egrep 'abfd058cc7a00811e3ed37a37b3c3aa4|67b43b52853107b0fa083d051d5b893a|5139a288dec0180a7032c8f15352a243|47cf30c0c2dd76c11bdccbd75bca6ad1|a1e4ec018b64e1b760afee463aaff8e5|2a231c03d96c5f402c6c17055f98bacc|fb55fc091b15eae97ce88d62f9031335|472326198ea932b91fb0606d3bb6532e|b9b03ad7e7ab4dbc2ee1694ec4b725805cbd0abd36545fde3be014c5ee45510b|38646c8e169039f95d963988e0d1eccb|fdd6fd79b889ecb9fb8444d4735d0953|27c0d1ac21f5ee32074d1f7294ebaca8|e510da1d9e1387ebe3daee2b38ede0b9|fc34b4417b2bd5da9e19cbb2abb30822|4508117ed6fac141c430ce010ceb4275|7a88f7b61bb0a8d3ff78f6e674946132' | cut -d ' ' -f3-
find ~/public_html ! -iname mce_langs.php ! -wholename '*smallbiz\/functions.php' ! -wholename '*geshi\/php\.php' ! -wholename '*ose-firewall*' ! -wholename '*bulletproof-security*' ! -wholename '*all-in-one-wp-security-and-firewall*' ! -wholename '*all-in-one-seo-pack*' ! -iname statpress.php ! -wholename "*wordfence*" ! -wholename '*Zend*' ! -iname contact_form.php ! -iname class*phpmailer.php ! -iname class-ftp.php ! -iname pluggable.php ! -iwholename '*sexybookmarks*' ! -iwholename '*Excel2007*' ! -iname phpFlickr.php ! -iname avatar.php ! -iname importbuddy.php ! -iname template-contact.php ! -iname layerslider.php ! -iname sitemap-core.php ! -iname admin-functions.php ! -iname contact_page.php ! -iname ajax-actions.php ! -iname wp-migrate-db.php ! -iname page_post_redirect_plugin.php ! -wholename '*akismet*'  ! -iname pre-header.inc.php ! -iname picasa.php ! -iname fbsystem.php ! -iname renderprocess.php ! -iname "debug.php" ! -iname '*sh404SEF*' ! -wholename "*shareaholic*" ! -wholename "*avreloaded*" ! -iname '*.csv' ! -iname template-redirect.php ! -iname "web.php" ! -iname "application.php"  ! -iname "*.xml" ! -iname "*.js" -type f -size -2M -print0 | perl -0 -wn -e '-T and print;' |  xargs -0 egrep -Hli 'meta\ http\-equiv\=\"refresh|bar\/index|empty(m1|a2).gif|146\.185\.220\.75|yellowwhale\.pw|'bas\'\.\'e64\'\.\'_de\'\.\'co\'\.\'de'|IGlmICggaX|\\x66\\x6.*\\x72|base.*32\*2|\\x4.*\\x4..\\x4.|333333338896|\$_POST.*tp2|gjwqweodsa|eF7lff1X27jS8M97z7n\/g\/Fm6|\\x65\\166\\x61|share-with\-me\.info|GIFSTORIES|md5\(0987654321|location\.replace.*google\.com\/search.*facebook|base64_decode.\$_POST|\$message.=.\$_POST|md5.\$_COOKIE|ZXZhbChiYXNlN|form\ method.*POST.*action.*enctype.*multipart\/form-data.*input\ type.*file.*name.*image.*input\ type.*Submit.*name.*Submit.*value.*Submit|header\(\"\Location\:\ http|jeleeekk|eval.\$_POST|extract.\$_COOKIE|\@\$GLOBALS.*continue|\$v2045f746|fopo\.com.\ar|\$cookieData\=\$_COOKIE|nwolb\.com|z\.txt|\$chmod_name|\$wp\=stripslashes|phpinfo\(\)\;die|eval.stripslashes.\@\$_POST|eval.base64_decode.\$_REQUEST|binushacker|\$passwordhash|\$_REQUEST.*eval.base64_decode.*\$_REQUEST|\$_REQUEST.*stripslashes.*\$_REQUEST.*\$_REQUEST|payday\ l0an|Elastic\ Search|JoKeR_StEx|if.*str4.index|\$password.*\=.*123|tds.go.php|\$message.*stripslashes.\$_POST|googlebot\|msnbot\|indexer|filesman|\$botnet|\$botId|46\.32\.226\.132|cHJlZ19yZXBsYWNlKCIvZ1|message.\$_POST.*data|x1.\\x2.\\x15|\$_COOKIE.*\$path.*\$_COOKIE|tVh7c9rWEv\/bnbnfQ|iframe\ name\=Twitter|\\x6.\\x6.\\x6|taufiquzzaman|BANGLADESH\ CYBER\ ARMY|\$dork|WEB\ Shell|\$_COOKIE.*substr.*\$_COOKIE|\\x64\\x69\\x73|\$.*strtolower.*strtoupper.*eval|pRlrb9s48nMOuP|public\ function\ base|var\ haystack|var\ needle|gethostbyaddr|var\ expolit|\$mx_links|mx_callback|ZWNobyAnPHRpdG|rUl6QuNTEP5cfsWy|FJ23lqvYFlJ\/pccb|\$jembot|AKYGWflpZiAoIWlzc2V0KCR|7L0HYBxJliUmL23Ke|pRlrc9o69nN2Zv\+Dyrg|m800\|e860\|u940|wp_na_timezone_override|wp_ypb_check_mysql_version|wp_ac_remote_retrieve_header|var\ resiser|var\ team|forms\.aweber\.com|echo.\@eval|Upload\ GAGAL|Upload\ SUKSES|xxx.*tube\.com|\$isbot|realpath.*\$_POST.*\$_POST.*urldecode|oooo0o00o0o0o0o0o0|xdos\.s|Branch_directory|jquery\-cdn\.com|while\ \(\$this\-\>recipients|medicalrxwebmart|herbalrxsupply|7P12auLIsigMf65eq|Virulent\-ID|SEO\ Shell|vQUCpQTiRQUuR7a|aWYoIWZ1bmN0aW9u|rUl6QuNTEP5cJP7Dso|ZXJyb3Jfc|eJztvftb27jyOPw|return\ base64_decode.\$.*\;\}|UdpFlood|webr00t|turkishajan|\$file\=\@\$_COOKIE|122\.155\.168|DZZHDqwIEkTv0'
find ~/public_html -type f -wholename '*wp-content/\themes\/*\/download.php' -o -iname inf.htm -o -iname .sd0
echo
echo DONE