@daviddarke
Created December 2, 2025 15:55
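#!/usr/bin/env bash
#
# Scan a WordPress uploads directory for suspicious files / code.
#
# Usage:
#   bash scan_wp_uploads.sh /path/to/wp-content/uploads
#   # or if run from WP root:
#   bash scan_wp_uploads.sh wp-content/uploads
#
# Reports, on stdout:
#   1) files whose extension is not in the "safe" media/document list
#   2) PHP-named, executable, or symlinked files (none belong in uploads)
#   3) files that contain a PHP open tag regardless of their name, and the
#      suspicious PHP functions / patterns found inside them
#
# Exit status: 1 if the directory does not exist, otherwise 0. A non-empty
# report is NOT an error — review the output by hand.
#
# -e is deliberately not set: find/grep return non-zero for "no match" and
# for an unreadable subtree, and the scan should still run to the end.
set -uo pipefail

UPLOADS_DIR="${1:-wp-content/uploads}"

# Common "safe" extensions in uploads (adjust for your site if needed).
# NOTE: svg is XML and can embed scripts/event handlers; it is listed here to
# keep the report readable, not because the format is inert.
readonly SAFE_EXT='\(jpg\|jpeg\|png\|gif\|webp\|svg\|bmp\|tiff\|ico\|pdf\|doc\|docx\|xls\|xlsx\|ppt\|pptx\|txt\|zip\|rar\|7z\|gz\|tar\|mp3\|wav\|ogg\|mp4\|mov\|avi\|mkv\|webm\)'

# Common malicious patterns (ERE; extend this list as needed).
readonly PATTERN='base64_decode|gzinflate|str_rot13|eval *\(|assert *\(|create_function|shell_exec|system *\(|exec *\(|passthru|popen|proc_open|preg_replace *\(.*/e|curl_exec|fsockopen|stream_socket_client'

# Print a message to stderr and exit 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# 1) Files whose extension is outside SAFE_EXT (including no extension).
# Arguments: $1 - uploads directory
# Outputs:   one path per line on stdout
#######################################
report_unexpected_extensions() {
  local dir=$1
  echo "=== Files with NON-standard extensions (worth checking) ==="
  # -iregex matches the whole path, case-insensitively.
  find "$dir" -type f ! -iregex ".*\.${SAFE_EXT}$" -print
  echo
}

#######################################
# 2) PHP-named or executable regular files, plus symlinks.
# Arguments: $1 - uploads directory
# Outputs:   one path per line on stdout
#######################################
report_php_or_executable() {
  local dir=$1
  echo "=== PHP / script-like files in uploads (very suspicious) ==="
  find "$dir" -type f \( \
    -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o \
    -perm -u+x -o -perm -g+x -o -perm -o+x \
    \) -print
  echo
  # Symlinks are never created by a normal upload and can point outside the
  # web root; list them separately so they are not lost among the files.
  echo "=== Symlinks in uploads (may point outside the web root) ==="
  find "$dir" -type l -print
  echo
}

#######################################
# 3) Files containing a PHP open tag, whatever their name, and the
#    suspicious patterns inside them.
# Arguments: $1 - uploads directory
# Outputs:   file list, then grep -Hn matches on stdout
#######################################
report_suspicious_php_content() {
  local dir=$1
  local -a php_files=()
  local f
  echo "=== Grepping for suspicious PHP functions / patterns ==="
  # -a: scan binary files too. A PHP payload appended to a real image is
  #     exactly the case we want, and grep -I would silently skip it.
  # -r (not -R): do not follow symlinks, which could lead outside "$dir".
  # --null / read -d '': NUL-separated names so paths containing spaces or
  #     newlines are handled intact (xargs on a newline list is not).
  # The tag regex also catches '<?=' short echo tags, case-insensitively.
  while IFS= read -r -d '' f; do
    php_files+=("$f")
  done < <(grep -rlai --null -E '<\?(php|=)' -- "$dir" 2>/dev/null)

  if (( ${#php_files[@]} == 0 )); then
    echo "No files with a PHP open tag found in uploads."
    return 0
  fi

  echo "Scanning the following files:"
  printf '%s\n' "${php_files[@]}"
  echo
  echo "Matches for suspicious patterns:"
  # -H forces the filename even when xargs hands grep a single file.
  # xargs exits 123 when grep found nothing in a batch; report that as
  # "no matches" rather than as a failure.
  if ! printf '%s\0' "${php_files[@]}" | xargs -0 grep -HnaE -e "$PATTERN" --; then
    echo "(no matches)"
  fi
}

main() {
  [[ -d "$UPLOADS_DIR" ]] || die "Directory not found: $UPLOADS_DIR"
  echo "Scanning uploads directory: $UPLOADS_DIR"
  echo
  report_unexpected_extensions "$UPLOADS_DIR"
  report_php_or_executable "$UPLOADS_DIR"
  report_suspicious_php_content "$UPLOADS_DIR"
  echo
  echo "Scan complete. Review the output above for anything unexpected."
}

main "$@"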