#!/usr/bin/env bash
# wp-scan-suspicious.sh: scan a WordPress installation for files containing obfuscation
# patterns commonly used by PHP malware. Reports candidates only; does not delete.
# Source: https://techearl.com/wordpress-malware-removal
# Site:   https://techearl.com/
# Cross-platform: works on Linux (Debian/RHEL/Alpine) and macOS (BSD tools).

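# Strict mode: abort on an unhandled failure, on an unset variable, and on a
# failure anywhere in a pipeline (not just its last stage).
set -euo pipefail

# Installation root to scan (first argument); defaults to a common Linux docroot.
WP_ROOT="${1:-/var/www/html}"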

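# Patterns ranked by their malware-correlation strength. A hit alone is not
# proof; a caching plugin can legitimately use base64_decode. Inspect each hit.
# Every entry is an ERE passed to grep -E unchanged, so '(' and '$' must be
# escaped, and a literal quote must be written inside a bracket expression
# (grep has no \x escapes: '[\x22]' matches '\', 'x' and '2', not '"').
PATTERNS=(
  'eval\(base64_decode'
  'eval\(gzinflate'
  'eval\(str_rot13'
  'eval\(\$_(GET|POST|REQUEST|COOKIE|SERVER)'
  'assert\(\$_(GET|POST|REQUEST|COOKIE)'
  # Deliberately broad and therefore noisy: the /e modifier was removed in
  # PHP 7.0, so any line that still carries it deserves a look.
  'preg_replace.*/e'
  'system\(\$_(GET|POST|REQUEST|COOKIE)'
  'shell_exec\(\$_(GET|POST|REQUEST|COOKIE)'
  # Strings found in well-known web shells.
  'FilesMan'
  'WSO Web Shell'
  'c99shell'
  'r57shell'
  # Error-suppressed (@) assignment of a quoted string to $_NAME or $_[NAME],
  # e.g. @$_X = "...". The final bracket expression matches " or '.
  '@\$_\[?[A-Z_]+\]?[ ]*=[ ]*["'"'"']'
)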

# Banner naming the root being scanned.
printf 'Scanning %s for suspicious patterns...\n' "$WP_ROOT"
printf '%s\n' "========================================================"

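# Refuse to scan a root that does not exist or cannot be read. Otherwise grep
# would fail for every pattern and the "(none)" lines below would look like a
# clean result.
if [[ ! -d "$WP_ROOT" || ! -r "$WP_ROOT" ]]; then
  printf 'error: %s is not a readable directory\n' "$WP_ROOT" >&2
  exit 1
fi

# One recursive grep per pattern; each prints the matching file names.
for p in "${PATTERNS[@]}"; do
  echo
  echo "--- Pattern: $p ---"
  # Options precede the pattern and the path, and the pattern is given with -e,
  # so neither can be parsed as an option. stderr is deliberately NOT discarded:
  # a "Permission denied" on a subdirectory means that subtree was skipped, and
  # the reader must know the scan was partial.
  rc=0
  grep -rlE \
    --include='*.php' \
    --include='*.phtml' \
    --include='*.phps' \
    --exclude-dir='node_modules' \
    -e "$p" -- "$WP_ROOT" || rc=$?
  # grep: 0 = files listed, 1 = no match, anything else = an error occurred
  # (files may still have been listed above, but coverage is incomplete).
  case "$rc" in
    0) ;;
    1) echo "  (none)" ;;
    *) echo "  (grep exited $rc: some files or directories could not be read)" ;;
  esac
done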

# Closing note; the leading blank line separates it from the last pattern's output.
cat <<'EOF'

========================================================
Done. Review each file before deleting.
Core WordPress files (wp-admin/, wp-includes/, wp-login.php, etc.)
should be replaced from a fresh download, not edited.
EOF
