# Shell history, first part (no timestamps recorded): sizing the account's
# mail store and drilling into the largest maildirs.
cd
ls -la
# NOTE(review): /mail is an absolute path; every later command uses the
# relative mail/ directory, so this was probably a slip — confirm.
du -h /mail
du -h mail/
# grep M / grep G apparently pick out megabyte- and gigabyte-sized entries
# from du -h output; the filter also matches any path that merely contains
# that capital letter, so hits need a second look.
du -h mail/ | grep M
du -h mail/ | grep G
cd mail/
ls -la
cd cur/
ls -la
cd
# -s prints a single total for mail/ instead of one line per subdirectory.
du -hs mail/ | grep G
du -h mail/ | grep G
cd mail/
# NOTE(review): run from inside mail/, so this looks for mail/mail/; the next
# line repeats the check against the current directory instead.
du -h mail/ | grep G
du -h | grep G
cd
cd mail/
ls -la
# Per-mailbox size for one mailbox directory under the domain's maildir.
du -h baroni.com.br/tropical
# NOTE(review): "la" is most likely a typo for "ls" (unless an alias exists).
la -la
cd cur/
cd ..
cd baroni.com.br
du -h
du -h | grep G
du -h | grep M
cd
ls -la
cd mail/
ls -la
cd cur/
# NOTE(review): "ls- la" is a typo (no such command); retried on the next line.
ls- la
ls -la
cd ..
ls -lah
cd
cd mail/
ls -la
# From here on every command is preceded by a "#<epoch>" line, the form bash
# writes to the history file when HISTTIMEFORMAT is set.
# 1651587809 is 2022-05-03 14:23:29 UTC.
# NOTE(review): the entry just before this one is also "cd mail/", so this
# part may come from a separate session — confirm before building a timeline.
#1651587809
cd mail/
#1651587810
ls -la
#1651588137
cd baroni.com.br/
#1651588138
ls -la
# Gap of 6725 s (about 1 h 52 min) between the previous entry and this one.
# NOTE(review): .lastlogin is presumably the hosting panel's record of recent
# logins — confirm; useful for spotting logins from unexpected addresses.
#1651594863
cat .lastlogin 
#1651594869
ls -la
# Abandoned tab-completion; the full directory name follows.
#1651594871
cd public_
#1651594873
cd public_html/
#1651594874
ls -la
# Manual read of the web root's .htaccess, without modifying it.
#1651594884
less .htaccess 
# Widening search for PHP files under ~/public_html whose inode status
# changed within the last 7, 30, 70 and 120 days.
# -ctime tests status-change time, which also moves on chmod/chown/rename and
# is not set back by touch; it is not a creation time.
# -name '*.php' is case-sensitive, so .PHP / .phtml / .php5 files are not
# listed by these commands.
#1651594902
find ~/public_html/ -type f -ctime -7 -name '*.php'
#1651594906
find ~/public_html/ -type f -ctime -30 -name '*.php'
#1651594911
find ~/public_html/ -type f -ctime -70 -name '*.php'
#1651594915
find ~/public_html/ -type f -ctime -120 -name '*.php'
# Signature sweep for PHP webshells/backdoors, relative to the directory the
# session is in when it runs (entered 2022-05-03 16:22:11 UTC).
#   Stage 1: find lists .php/.sh/.pl/.ico files (case-insensitive names) and
#            xargs hands them to egrep with a broad alternation of known
#            webshell strings, obfuscation idioms and a few domains.
#   Stage 2: a second egrep with a narrower alternation, excluding three
#            WordPress library file names and *.js.
#   Stage 3: awk/cut/sort/uniq reduce "path:matched line" output to a list of
#            unique paths.
# NOTE(review): stage 2 is invoked with -r and no file operand. GNU grep then
#   searches the working directory instead of reading the pipe, which would
#   make stage 1 a no-op and is the only case where --exclude has any effect —
#   confirm against the grep version on the host.
# NOTE(review): find | xargs without -print0 / -0 splits paths on whitespace,
#   and awk '{print $1}' truncates a path at its first space.
# NOTE(review): stage 1 includes generic names (preg_replace, strtolower,
#   strtoupper, str_replace) that appear in most PHP code; results are triage
#   leads to read by hand, not verdicts.
# NOTE(review): the stage 2 pattern contains a line break after `\. `; grep
#   treats a newline inside a pattern as a separator between patterns, so that
#   one alternative is split in two. The break may be a paste/extraction
#   artifact — compare with the same alternative in stage 1.
#1651594931
find . -type f \( -iname \*.php -o -iname \*.sh -o -iname \*.pl -o -iname \*.ico \) | xargs egrep -sri "for\([$]i=0[;] [$]i < strlen\([$]|[$][A-Za-z0-9]{9}=\"base\" \. \"64_decode\";return [$][A-Za-z0-9]{9}\([$]|\.gzuncompress\(base64\_decode\(|[$]wp_auth_key=[']|if\(preg_match_all\([']\/[\][$]tmpcontent = @file_get_contents[\]\(|wp_temp_setupx\(|[$][a-z]{6} = [$]_POST\[['][a-z]{22,}[']\];|} elseif \(\([$]perms & 0xA000\) == 0xA000\) {|<title>{keyword}</title>|unset\([$]{[$]heakhtkd}|[$][A-Za-z0-9]{11} = chr\([0-9]{3,}\^[0-9]{3,}\)\.chr\([0-9]{3,}\^[0-9]{3,}\)\.chr\([0-9]{3,}\^[0-9]{3,}\)|Mass Deface|[$][a-z0-9A-Z]{11,} = \"[a-z0-9A-Z]{300}|\.pw\/xx\.php\?|WebShell|=[a-z0-9A-Z]{15,}\(['][0-9a-z]{55}|[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}|eval\([$][0-9A-Za-z]{10}|go\.onclasrv\.com\/apu\.php\?|c99madshell|install_code = ['][A-Za-z0-9]{30}|Bypass Shell|gzinflate\(str_rot13|eval\(gzinflate\(base64_decode|eval\(gzuncompress\(base64_decode|x397\\\x2ei\\\x63o|\.pw\/code\.php|chmod \+x doc2|wp-trans\.|phpddos|} elseif \(\([$]perms & 0xA000\) == 0xA000\) {| WSO |Dark Shell|cutMixDDataLPrevE|b374k-shell|[']FilesMan[']|IndoXploit|Web PHP Shell|preg_replace|strtolower|strtoupper|str_replace|[$]GLOBALS|[$]V0mRd|die\(PHP_OS\.chr" | egrep -rsi "for\([$]i=0[;] [$]i < strlen\([$]|\.gzuncompress\(base64\_decode\(|if\(preg_match_all\([']\/[\][$]tmpcontent = @file_get_contents[\]\(| WSO |cutMixDDataLPrevE|b374k-shell|Web PHP Shell|shellbox123|<title>{keyword}</title>|\)\{eval|[$]affdom|eval[(][$]_POST|eval[/][*]|eval\(base64_decode\(|eval\(\(base64_decode\(|Dark Shell|[$]www=|=explode\(chr\(|IndoXploit|[']FilesMan[']|phpddos|wp-trans\.|WebShell|c99madshell|Bypass Shell|[$]install_code|chmod \+x doc2|[$][A-Za-z0-9]{9}=\"base\" \. 
\"64_decode\";return [$][A-Za-z0-9]{9}\([$]|[$]wp_auth_key=[']|\.pw\/code\.php|x397\\\x2ei\\\x63o|eval\(gzinflate\(|eval\(gzuncompress\(base64_decode|@[$]GLOBALS\[[$]GLOBALS\[['][a-zA-Z0-9]{7,}[']\]\[[0-9]{2,}\]\.[$]GLOBALS\[|gzinflate\(str_rot13|eval \(gzinflate\(base64_decode|onclasrv\.com|freegeoip\.net|broin\.top|eval\(eval\(|=[a-z0-9]{15}\(['][0-9a-z]{55}|\.pw\/xx\.php\?|[$][a-z0-9A-Z]{11,} = \"[a-z0-9A-Z]{300}|Mass Deface|unset\([$]{[$]heakhtkd}|wp_temp_setupx\(|[$][A-Za-z0-9]{11} = chr\([0-9]{3,}\^[0-9]{3,}\)\.chr\([0-9]{3,}\^[0-9]{3,}\)\.chr\([0-9]{3,}\^[0-9]{3,}\)|[$][a-z]{6} = [$]_POST\[['][a-z]{22,}[']\];" --exclude={wp-app.php,class-simplepie.php,class-IXR.php,*.js} | awk '{print $1}' | cut -d':' -f1 | sort | uniq
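# Second, shorter webshell sweep over .php and .ico files under the current
# directory (entered 2022-05-03 16:22:19 UTC). Prints the unique paths of
# files that have a line matching both pattern lists.
#
# Fixes relative to the command as originally typed:
#   - The patterns were double-quoted, so the shell expanded $GLOBALS,
#     $V0mRd, $_F and $_POST (normally unset) to nothing. That left empty
#     alternatives ("||") in the first pattern, which match every line, and
#     turned "system\($_POST\[" into "system\(\[". The patterns are now
#     single-quoted and the literal dollar signs written as [$].
#   - "-type f -name '*.php' -o -name '*.ico'" applied -type f to the .php
#     branch only; the two -name tests are now grouped.
#   - find/xargs use NUL-delimited paths so names with whitespace survive.
#   - The second grep no longer has -r: with -r and no file operand GNU grep
#     searches the working directory instead of filtering the pipe.
#   - -H forces the "path:" prefix even if xargs passes a single file.
#   - "PHP_OS.chr" had an unescaped dot; it is now a literal dot.
#   - sort -u replaces uniq, which only collapses adjacent duplicates.
# Limits: a path containing ':' is truncated by the awk step, and several
# first-stage terms (shell, Array, str_replace, ...) are generic, so the
# output is a list of files to read by hand, not a verdict.
#1651594939
find . -type f \( -name '*.php' -o -name '*.ico' \) -print0 \
  | xargs -0 grep -EsiH -- 'shell|Obfuscator|edoced_46esab|WSO|FilesMan|ALREADY_RUN|preg_replace|strtolower|strtoupper|str_replace|[$]GLOBALS|Array|[$]V0mRd|die\(PHP_OS\.chr' \
  | grep -Ei -- 'FilesMan|shellbox123|[$]ua5T4A|x76al|[$]affdom|eval[(][$]_POST|eval[/][*]|eval\(base64_decode\(|eval\(\(base64_decode\(|eval\(gzinflate\(str_rot13\(base64_decode|[$]www=|[$]_F=__FILE__|compress\(|=urldecode\(|strrev\(|h10ac592|system\([$]_POST\[' \
  | awk -F ':' '{print $1}' \
  | sort -u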
# Manual walk through the web root and the neighbouring account directories
# after the sweeps (2022-05-03 16:22:22 UTC onwards). Every command here only
# lists or reads; nothing in this run modifies files.
#1651594942
clear
#1651594943
ls -la
# Certificate-validation directories: listed, not modified.
#1651594947
cd .well-known/
#1651594948
ls -la
#1651594950
cd acme-challenge/
#1651594951
ls -la
#1651594952
cd ..
#1651594954
cd pki-validation/
#1651594954
ls -la
#1651594955
cd ..
#1651594958
ls -la
#1651594961
cd cgi-bin/
#1651594962
ls -la
#1651594963
cd ..
#1651594965
cd images/
#1651594965
ls -la
#1651594967
cd ..
#1651594971
less postinfo.html 
#1651594976
cd ..
#1651594978
ls -la
# About one minute later: FTP area (quota file, incoming/ upload directory).
#1651595040
cd public_ftp/
#1651595041
ls -la
#1651595045
less .ftpquota 
#1651595048
cat .ftpquota 
#1651595051
cd incoming/
#1651595052
ls -la
#1651595053
cd ..
# NOTE(review): the trailing slash suggests .trash is a directory, in which
# case less only reports an error; ls -la would have shown its contents.
#1651595055
less .trash/
# NOTE(review): whether this cd succeeded depends on where var/ lives
# relative to the current directory; the history does not record exit codes.
#1651595061
cd var/
#1651595063
ls -la
#1651595065
cd cpanel/
#1651595066
ls -la
#1651595068
cd styled/
#1651595069
ls -la
# NOTE(review): cat on a path written with a trailing slash; if current_style
# is a directory (or a link to one) this prints an error, not content.
#1651595073
cat current_style/
# Gap of 1334 s (about 22 min) before the next entry.
#1651596407
ls -la
#1651596409
cd ..
#1651596409
ls -la
#1651596411
cd ~
#1651596412
ls -la
# Repeat of the recently-changed-PHP check from the home directory
# (2022-05-03 16:47:05 UTC onwards), this time with 7-, 30- and 80-day windows.
# -ctime tests inode status-change time (also updated by chmod/chown/rename),
# and -name '*.php' is case-sensitive.
#1651596425
find ~/public_html/ -type f -ctime -7 -name '*.php'
#1651596431
find ~/public_html/ -type f -ctime -30 -name '*.php'
#1651596435
find ~/public_html/ -type f -ctime -80 -name '*.php'
# Signature sweep for PHP webshells/backdoors, this time run after "cd ~", so
# find . starts at the home directory (entered 2022-05-03 16:48:03 UTC).
#   Stage 1: find lists .php/.sh/.pl/.ico files (case-insensitive names) and
#            xargs hands them to egrep with a broad alternation of known
#            webshell strings, obfuscation idioms and a few domains.
#   Stage 2: a second egrep with a narrower alternation, excluding three
#            WordPress library file names and *.js.
#   Stage 3: awk/cut/sort/uniq reduce "path:matched line" output to a list of
#            unique paths.
# NOTE(review): stage 2 is invoked with -r and no file operand. GNU grep then
#   searches the working directory instead of reading the pipe, which would
#   make stage 1 a no-op and is the only case where --exclude has any effect —
#   confirm against the grep version on the host.
# NOTE(review): find | xargs without -print0 / -0 splits paths on whitespace,
#   and awk '{print $1}' truncates a path at its first space.
# NOTE(review): stage 1 includes generic names (preg_replace, strtolower,
#   strtoupper, str_replace) that appear in most PHP code; results are triage
#   leads to read by hand, not verdicts.
# NOTE(review): the stage 2 pattern contains a line break after `\. `; grep
#   treats a newline inside a pattern as a separator between patterns, so that
#   one alternative is split in two. The break may be a paste/extraction
#   artifact — compare with the same alternative in stage 1.
#1651596483
find . -type f \( -iname \*.php -o -iname \*.sh -o -iname \*.pl -o -iname \*.ico \) | xargs egrep -sri "for\([$]i=0[;] [$]i < strlen\([$]|[$][A-Za-z0-9]{9}=\"base\" \. \"64_decode\";return [$][A-Za-z0-9]{9}\([$]|\.gzuncompress\(base64\_decode\(|[$]wp_auth_key=[']|if\(preg_match_all\([']\/[\][$]tmpcontent = @file_get_contents[\]\(|wp_temp_setupx\(|[$][a-z]{6} = [$]_POST\[['][a-z]{22,}[']\];|} elseif \(\([$]perms & 0xA000\) == 0xA000\) {|<title>{keyword}</title>|unset\([$]{[$]heakhtkd}|[$][A-Za-z0-9]{11} = chr\([0-9]{3,}\^[0-9]{3,}\)\.chr\([0-9]{3,}\^[0-9]{3,}\)\.chr\([0-9]{3,}\^[0-9]{3,}\)|Mass Deface|[$][a-z0-9A-Z]{11,} = \"[a-z0-9A-Z]{300}|\.pw\/xx\.php\?|WebShell|=[a-z0-9A-Z]{15,}\(['][0-9a-z]{55}|[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}[\]x[0-9]{2}|eval\([$][0-9A-Za-z]{10}|go\.onclasrv\.com\/apu\.php\?|c99madshell|install_code = ['][A-Za-z0-9]{30}|Bypass Shell|gzinflate\(str_rot13|eval\(gzinflate\(base64_decode|eval\(gzuncompress\(base64_decode|x397\\\x2ei\\\x63o|\.pw\/code\.php|chmod \+x doc2|wp-trans\.|phpddos|} elseif \(\([$]perms & 0xA000\) == 0xA000\) {| WSO |Dark Shell|cutMixDDataLPrevE|b374k-shell|[']FilesMan[']|IndoXploit|Web PHP Shell|preg_replace|strtolower|strtoupper|str_replace|[$]GLOBALS|[$]V0mRd|die\(PHP_OS\.chr" | egrep -rsi "for\([$]i=0[;] [$]i < strlen\([$]|\.gzuncompress\(base64\_decode\(|if\(preg_match_all\([']\/[\][$]tmpcontent = @file_get_contents[\]\(| WSO |cutMixDDataLPrevE|b374k-shell|Web PHP Shell|shellbox123|<title>{keyword}</title>|\)\{eval|[$]affdom|eval[(][$]_POST|eval[/][*]|eval\(base64_decode\(|eval\(\(base64_decode\(|Dark Shell|[$]www=|=explode\(chr\(|IndoXploit|[']FilesMan[']|phpddos|wp-trans\.|WebShell|c99madshell|Bypass Shell|[$]install_code|chmod \+x doc2|[$][A-Za-z0-9]{9}=\"base\" \. 
\"64_decode\";return [$][A-Za-z0-9]{9}\([$]|[$]wp_auth_key=[']|\.pw\/code\.php|x397\\\x2ei\\\x63o|eval\(gzinflate\(|eval\(gzuncompress\(base64_decode|@[$]GLOBALS\[[$]GLOBALS\[['][a-zA-Z0-9]{7,}[']\]\[[0-9]{2,}\]\.[$]GLOBALS\[|gzinflate\(str_rot13|eval \(gzinflate\(base64_decode|onclasrv\.com|freegeoip\.net|broin\.top|eval\(eval\(|=[a-z0-9]{15}\(['][0-9a-z]{55}|\.pw\/xx\.php\?|[$][a-z0-9A-Z]{11,} = \"[a-z0-9A-Z]{300}|Mass Deface|unset\([$]{[$]heakhtkd}|wp_temp_setupx\(|[$][A-Za-z0-9]{11} = chr\([0-9]{3,}\^[0-9]{3,}\)\.chr\([0-9]{3,}\^[0-9]{3,}\)\.chr\([0-9]{3,}\^[0-9]{3,}\)|[$][a-z]{6} = [$]_POST\[['][a-z]{22,}[']\];" --exclude={wp-app.php,class-simplepie.php,class-IXR.php,*.js} | awk '{print $1}' | cut -d':' -f1 | sort | uniq
