File: //tmp/scan_shfava.sh
#!/bin/bash
echo "=== shfava.com 恶意文件扫描 ==="
echo ""
echo "【1. Webshell 文件】"
ls -lh /www/wwwroot/shfava.com/admin-*.php 2>/dev/null
ls -lh /www/wwwroot/shfava.com/cc3933/index.php 2>/dev/null
echo ""
echo "【2. 根目录可疑 PHP 文件】"
ls -lh /www/wwwroot/shfava.com/*.php | grep -v 'wp-' | grep -v 'index.php' | head -20
echo ""
echo "【3. 恶意目录统计】"
echo "wp-includes 恶意目录: $(find /www/wwwroot/shfava.com/wp-includes -type d -name '*[0-9a-f][0-9a-f][0-9a-f][0-9a-f]*' 2>/dev/null | wc -l)"
echo "wp-content 恶意目录: $(find /www/wwwroot/shfava.com/wp-content -type d -name '*[0-9a-f][0-9a-f][0-9a-f][0-9a-f]*' 2>/dev/null | wc -l)"
echo ""
echo "【4. .htaccess 文件统计】"
find /www/wwwroot/shfava.com -name '.htaccess' -type f 2>/dev/null | wc -l
echo ""
echo "【5. 检查 wp-config.php】"
grep -E 'eval|base64_decode|system|shell_exec' /www/wwwroot/shfava.com/wp-config.php 2>/dev/null || echo "wp-config.php 看起来正常"