Current File: /home2/thez9429/.bash_history

# History entries: restore of a WordPress SQL dump into MySQL. The "#<digits>"
# lines are the epoch timestamps bash records ahead of each history entry.
# NOTE(review): "to" looks like an incomplete entry of the "top" that follows.
#1768330312
to
#1768330313
top
#1773318779
ls ~/dipro1348171.sql
# With a space after -p the client prompts for the password and reads the next
# word as the database name, so no password is recorded by this entry.
#1773318823
mysql -u dipro1348171 -p dipro1348171 < /home2/thez9429/dipro1348171.sql
# Destructive: drops and recreates the target database in one statement pair.
# NOTE(review): no dump of the existing database is visible in this history
# before the drop; confirm a backup was taken elsewhere.
#1773319061
mysql -u thez9429_diprotec -p thez9429_diprotec -e "DROP DATABASE thez9429_diprotec; CREATE DATABASE thez9429_diprotec;"
#1773319326
clear
# Import the dump into the freshly created database.
#1773319330
mysql -u thez9429_diprotec -p thez9429_diprotec < /home2/thez9429/dipro1348171.sql
# Verify the import: list tables, then read the two URL options WordPress uses.
#1773319877
mysql -u thez9429_diprotec -p thez9429_diprotec -e "SHOW TABLES;"
#1773320023
mysql -u thez9429_diprotec -p thez9429_diprotec -e "SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl','home');"
# History entries: locate the site's document root, adjust wp-config.php, and
# debug PHP errors in the theme and plugins of diprotecsn.com.
#1773320092
ls /home2/thez9429/public_html/
#1773320125
ls /home2/thez9429/
#1773320181
ls /home2/thez9429/diprotecsn.com/
# Prints the database host, name, user and table prefix; DB_PASSWORD is not in
# this pattern.
#1773320219
grep "DB_HOST\|DB_NAME\|DB_USER\|table_prefix" /home2/thez9429/diprotecsn.com/wp-config.php
#1773320251
cat /home2/thez9429/diprotecsn.com/.htaccess
# Turns WP_DEBUG on in the live wp-config.php, edited in place with no backup.
# NOTE(review): no entry in the visible history sets it back to false; confirm
# it was reverted, since debug output can disclose paths and internals.
#1773320298
sed -i "s/define('WP_DEBUG', false)/define('WP_DEBUG', true)/" /home2/thez9429/diprotecsn.com/wp-config.php
# NOTE(review): this entry writes both the previous and the new database
# password in cleartext into the history file. Treat both values as exposed and
# rotate the database password. Editing the file in an editor, or keeping the
# command out of history (bash HISTCONTROL=ignorespace with a leading space),
# avoids recording secrets this way.
#1773320428
sed -i "s/define('DB_PASSWORD', 'Dipro@26')/define('DB_PASSWORD', 'rV~h]Ai+oGO}')/" /home2/thez9429/diprotecsn.com/wp-config.php
# Prints the DB_PASSWORD line to the terminal to confirm the substitution.
#1773320439
grep "DB_PASSWORD" /home2/thez9429/diprotecsn.com/wp-config.php
#1773320523
tail -50 /home2/thez9429/diprotecsn.com/error_log
#1773320530
clear
#1773320534
tail -50 /home2/thez9429/diprotecsn.com/error_log
# Appends (>>) a PHP handler directive to the site's .htaccess.
#1773321699
echo 'AddHandler application/x-httpd-php74 .php' >> /home2/thez9429/diprotecsn.com/.htaccess
#1773321733
clear
#1773321737
tail -5 /home2/thez9429/diprotecsn.com/error_log
# Show lines 205-212 of the theme's functions.php, replace the create_function()
# callback with an anonymous function, then show the same lines again.
# create_function() is deprecated since PHP 7.2 and removed in PHP 8.0.
# NOTE(review): sed -i is used without a backup suffix, so the original file is
# not kept.
#1773321903
sed -n '205,212p' /home2/thez9429/diprotecsn.com/wp-content/themes/Diprotec/functions.php
#1773321933
sed -i "s/add_action('admin_init', create_function(false,\"remove_action('admin_notices', 'update_nag', 3);\"));/add_action('admin_init', function(){ remove_action('admin_notices', 'update_nag', 3); });/" /home2/thez9429/diprotecsn.com/wp-content/themes/Diprotec/functions.php
#1773321940
sed -n '205,212p' /home2/thez9429/diprotecsn.com/wp-content/themes/Diprotec/functions.php
#1773321994
clear
#1773321997
tail -5 /home2/thez9429/diprotecsn.com/error_log
# Rename the plugins directory (disables every plugin), rename it back, then
# move only js_composer out of plugins/ to isolate that one plugin.
# NOTE(review): plugins_js_composer_disabled is still under wp-content/;
# presumably its PHP files stay reachable over HTTP while parked there - confirm.
#1773322030
mv /home2/thez9429/diprotecsn.com/wp-content/plugins /home2/thez9429/diprotecsn.com/wp-content/plugins_disabled
#1773322075
mv /home2/thez9429/diprotecsn.com/wp-content/plugins_disabled /home2/thez9429/diprotecsn.com/wp-content/plugins
#1773322083
mv /home2/thez9429/diprotecsn.com/wp-content/plugins/js_composer /home2/thez9429/diprotecsn.com/wp-content/plugins_js_composer_disabled
# Overwrite (>) the site's .htaccess with a PHP 7.4 handler line followed by a
# WordPress rewrite block. The quoted 'EOF' delimiter disables shell expansion,
# so %{...} and the backslashes are written literally.
# NOTE(review): the redirect truncates the file, so any rules it held before
# (access restrictions included) are discarded; no backup copy is made in the
# visible history.
#1773322145
cat > /home2/thez9429/diprotecsn.com/.htaccess << 'EOF'
AddHandler application/x-httpd-php74 .php

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF

# Overwrite .htaccess a second time with the same rewrite block, this time
# without the AddHandler line.
#1773322334
cat > /home2/thez9429/diprotecsn.com/.htaccess << 'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF

# History entries: check which PHP is in use, re-enable js_composer, and patch
# the plugin line that the error log presumably pointed at.
# NOTE(review): the leading "*" makes the command word a glob pattern; this is
# likely a typo for "ls".
#1773322357
*ls /opt/alt/php*/bin/php 2>/dev/null | head -10
#1773322388
cat /home2/thez9429/.htaccess
#1773322420
find /home2/thez9429/diprotecsn.com -name ".user.ini" 2>/dev/null
#1773322441
php -v
# Writes a one-line .user.ini with ">", which replaces the file if the find
# above located one (its output is not part of this history).
#1773322475
echo 'engine = On' > /home2/thez9429/diprotecsn.com/.user.ini
# Move js_composer back into plugins/, re-enabling it.
#1773322519
mv /home2/thez9429/diprotecsn.com/wp-content/plugins_js_composer_disabled /home2/thez9429/diprotecsn.com/wp-content/plugins/js_composer
#1773322555
tail -3 /home2/thez9429/diprotecsn.com/error_log
#1773322562
clear
#1773322565
tail -3 /home2/thez9429/diprotecsn.com/error_log
# Show lines 670-676 of the plugin file, then add parentheses around the inner
# ternary. Unparenthesized nested ternaries are deprecated in PHP 7.4 and an
# error in PHP 8.0.
# NOTE(review): the patched expression still prefers HTTP_X_FORWARDED_HOST,
# which is client-supplied unless a trusted proxy sets it; how $host is used is
# not visible here - confirm it is not trusted for URLs or redirects. A local
# edit to a plugin file is presumably lost when the plugin is updated.
#1773322609
sed -n '670,676p' /home2/thez9429/diprotecsn.com/wp-content/plugins/js_composer/include/classes/editors/class-vc-frontend-editor.php
#1773322629
sed -i "s/\$host = isset( \$s\['HTTP_X_FORWARDED_HOST'\] ) ? \$s\['HTTP_X_FORWARDED_HOST'\] : isset( \$s\['HTTP_HOST'\] ) ? \$s\['HTTP_HOST'\] : \$s\['SERVER_NAME'\]/\$host = isset( \$s['HTTP_X_FORWARDED_HOST'] ) ? \$s['HTTP_X_FORWARDED_HOST'] : ( isset( \$s['HTTP_HOST'] ) ? \$s['HTTP_HOST'] : \$s['SERVER_NAME'] )/" /home2/thez9429/diprotecsn.com/wp-content/plugins/js_composer/include/classes/editors/class-vc-frontend-editor.php
# NOTE(review): upper-case "CLEAR" is presumably a mistyped "clear", which is
# entered right after.
#1773325165
CLEAR
#1773325169
clear
# Error logs of two other sites under the same account.
#1773325174
tail -3 /home2/thez9429/public_html/error_log
#1773325228
clear
#1773325231
tail -5 /home2/thez9429/miroirlab.com/error_log
# History entries: compromise triage of the kanysboutique.com WordPress tree -
# recently changed PHP files, common backdoor strings, PHP under uploads/, POST
# requests in the access log, and the WordPress user table.
# NOTE(review): every search below is cut off by "| head -N", so matches beyond
# the limit are dropped silently; rerun without the limit before concluding the
# tree is clean.
#1778792053
ls
#1778792058
cd kanysboutique.com/
#1778792061
ls
#1778792153
# Recent modification date/time of PHP files (last 7 days)
# NOTE(review): modification times can be reset by whoever wrote the file, so an
# empty result is not proof of a clean tree; comparing core files against
# known-good checksums (for example WP-CLI "wp core verify-checksums") is
# stronger evidence.
#1778792155
find . -name "*.php" -newer index.php -mtime -7 | head -30
#1778792168
# Suspicious PHP files outside the normal WordPress structure
#1778792169
find . -name "*.php" -not -path "./wp-includes/*" -not -path "./wp-admin/*" -mtime -30 | head -40
#1778792176
# Look for classic backdoors in the PHP files
#1778792177
grep -rl "eval(base64_decode" . --include="*.php" | head -20
#1778792224
# Other common backdoor patterns
# NOTE(review): the grep -v drops every path containing wp-includes or wp-admin,
# so a file planted inside the core directories would not be reported by this
# search or the next one.
#1778792225
grep -rl "system\|exec\|passthru\|shell_exec\|popen\|proc_open" . --include="*.php" | grep -v "wp-includes\|wp-admin" | head -20
#1778792254
# Base64 and obfuscation
#1778792256
grep -rl "base64_decode\|str_rot13\|gzinflate\|gzuncompress\|str_replace.*chr\|preg_replace.*\/e" . --include="*.php" | grep -v "wp-includes\|wp-admin" | head -20
#1778792284
# PHP files hidden in uploads (classic)
#1778792285
find ./wp-content/uploads -name "*.php" 2>/dev/null
#1778792319
# PHP files hidden in uploads (classic)
#1778792320
find ./wp-content/uploads -name "*.php" 2>/dev/null
# Inspect one PHP file found under uploads/.
#1778792365
cat ./wp-content/uploads/redux/index.php
#1778792406
find . -name "*.php" -newer wp-config.php -mtime -30 | grep -v "wp-content/themes\|wp-content/plugins" | head -20
# POST requests to .php paths in the access log; the first file name is retried
# below under a different name after the log directory is searched.
#1778792428
grep -i "POST" ~/access-logs/kanysboutique.com.log | grep "\.php" | tail -50
#1778792450
find ~/access-logs/ -name "*kany*" 2>/dev/null || ls ~/access-logs/ 2>/dev/null || ls /usr/local/apache/domlogs/ | grep kany
#1778792474
grep -i "POST" ~/access-logs/kanysboutiquecom.thez9429.odns.fr | grep "\.php" | tail -50
#1778792503
grep -i "table_prefix" wp-config.php
# The three mysql entries pull DB_USER, DB_PASSWORD and DB_NAME out of
# wp-config.php with command substitution (second single-quoted string on the
# matching line), which keeps the password out of the history file.
# NOTE(review): -p<password> still places the password on mysql's command line,
# where other local users may see it in the process list; an option file
# readable only by the owner, passed with --defaults-extra-file, avoids that.
# The substitutions are unquoted, so a value containing spaces or glob
# characters would be split or expanded by the shell.
# First query: list accounts with e-mail and registration date.
#1778792527
mysql -u $(grep DB_USER wp-config.php | grep -o "'[^']*'" | sed -n '2p' | tr -d "'") -p$(grep DB_PASSWORD wp-config.php | grep -o "'[^']*'" | sed -n '2p' | tr -d "'") $(grep DB_NAME wp-config.php | grep -o "'[^']*'" | sed -n '2p' | tr -d "'") -e "SELECT user_login, user_email, user_registered FROM wp7j_users;"
# NOTE(review): this query selects user_login from the usermeta table; the next
# entry repeats it with user_id, so this one presumably failed on that column.
#1778792548
mysql -u $(grep DB_USER wp-config.php | grep -o "'[^']*'" | sed -n '2p' | tr -d "'") -p$(grep DB_PASSWORD wp-config.php | grep -o "'[^']*'" | sed -n '2p' | tr -d "'") $(grep DB_NAME wp-config.php | grep -o "'[^']*'" | sed -n '2p' | tr -d "'") -e "SELECT user_login, meta_value FROM wp7j_usermeta WHERE meta_key='wp7j_capabilities';"
# Capabilities per user id; presumably to spot unexpected administrator roles.
#1778792584
mysql -u $(grep DB_USER wp-config.php | grep -o "'[^']*'" | sed -n '2p' | tr -d "'") -p$(grep DB_PASSWORD wp-config.php | grep -o "'[^']*'" | sed -n '2p' | tr -d "'") $(grep DB_NAME wp-config.php | grep -o "'[^']*'" | sed -n '2p' | tr -d "'") -e "SELECT user_id, meta_value FROM wp7j_usermeta WHERE meta_key='wp7j_capabilities';"
# Same POST filter with wp-cron and wp-login requests removed.
#1778792631
grep -i "POST" ~/access-logs/kanysboutiquecom.thez9429.odns.fr | grep -v "wp-cron\|wp-login" | grep "\.php" | tail -30
# History entries: cleanup of the harmelys.fr WordPress tree - list PHP files
# newer than wp-includes/version.php, delete five of them, re-download
# wp-admin/admin.php, then spot-check other files and the secret keys.
#1779132898
ls
#1779132901
cd harmelys.fr/
#1779132904
pwd
# -ls prints size, owner and modification time for every PHP file newer than
# version.php.
#1779132966
find /home2/thez9429/harmelys.fr -name "*.php" -newer /home2/thez9429/harmelys.fr/wp-includes/version.php -ls
#1779133019
# Clearly malicious files
# NOTE(review): rm discards the samples. Copying them to a directory outside the
# web root and recording their hashes and timestamps first would preserve the
# evidence needed to establish how and when they were written. Deleting the
# files does not by itself close whatever access placed them there.
#1779133019
rm /home2/thez9429/harmelys.fr/wp-includes/Requests/src/Auth/wp-login.php
#1779133019
rm /home2/thez9429/harmelys.fr/wp-admin/wp-httml-02.php
#1779133019
rm /home2/thez9429/harmelys.fr/wp-admin/admin.php
#1779133019
rm /home2/thez9429/harmelys.fr/wp-includes/blocks/comments/radio.php
#1779133019
rm /home2/thez9429/harmelys.fr/wp-content/plugins/webp-express/lib/2index.php
#1779133020
# Restore a clean admin.php from WordPress
# NOTE(review): the URL points at the master branch, which may not match the
# release installed on this site, and the download is not verified. Without
# --fail, curl would also save an HTTP error body as admin.php. Fetching the
# file from the release that matches wp-includes/version.php and verifying core
# checksums afterwards would be safer.
#1779133023
curl -o /home2/thez9429/harmelys.fr/wp-admin/admin.php https://raw.githubusercontent.com/WordPress/WordPress/master/wp-admin/admin.php
# Manual inspection of the top of a core file, the site index.php and a plugin
# file.
#1779133032
head -5 /home2/thez9429/harmelys.fr/wp-includes/class-wp.php
#1779133062
cat /home2/thez9429/harmelys.fr/index.php
#1779133064
head -20 /home2/thez9429/harmelys.fr/wp-content/plugins/chaty-pro/cht-icons.php
# List files containing encoded-payload markers under wp-content/ and
# wp-includes/.
#1779133090
grep -r "eval(base64" /home2/thez9429/harmelys.fr/wp-content/ --include="*.php" -l
#1779133102
grep -r "base64_decode" /home2/thez9429/harmelys.fr/wp-includes/ --include="*.php" -l
# mu-plugins/ is listed with -la so hidden files show as well.
#1779133104
ls -la /home2/thez9429/harmelys.fr/wp-content/mu-plugins/
#1779133166
# View the current keys
# NOTE(review): this prints the secret keys to the terminal. No entry in the
# visible history replaces them or changes any password; after a confirmed
# compromise the keys, the database password and the account passwords should
# all be rotated.
#1779133168
grep "AUTH_KEY\|SECURE_AUTH_KEY\|LOGGED_IN_KEY" /home2/thez9429/harmelys.fr/wp-config.php
# Header-only request to check how /wp-admin/ responds after the cleanup.
#1779133220
curl -I https://harmelys.fr/wp-admin/