command line to search files with string and save output to file

satimis

Member
Credits
557
Hi all,

Please advise the command line to search files on ./ containing a string "Deny From All" and save the output to a file (not created in advance)

Thanks

Regards
satimis
 


f33dm3bits

Gold Member
Gold Supporter
Credits
24,603
Code:
grep -iR "Deny From All" /* 2> /dev/null > output.txt
 

satimis

Member
Credits
557
Hi,

Thanks for your advice. Please advise what is the function of;
2> /dev/null >

I'll fire the command line on the cPanel Terminal of the hosting company. After finish I have to download the output.txt file.

Regards
 

f33dm3bits

Gold Member
Gold Supporter
Credits
24,603
It sends all the errors you get to /dev/null; that way they won't end up in the output.txt file and they won't be displayed on your screen. This way only the output you want gets added to the file. I forgot to add something; it should be this.
Code:
grep -iR "Deny From All" /* 2> /dev/null >> output.txt
 

f33dm3bits

Gold Member
Gold Supporter
Credits
24,603
Yes, if you click on the link I linked in my last reply you will see it explained there, but in short:
0 stdin Standard input
1 stdout Standard output
2 stderr Standard error
 

satimis

Member
Credits
557
Hi,

Ran following command line on cPanel Terminal of my hosting company
grep -iR "Deny From All" /* 2> /dev/null >> denyfromall.txt

Your command line works for me. Thanks again.

However it is a big file
# wc -l denyfromall.txt
11855 denyfromall.txt

I have checked 2 of them
# cat ./public_html/cuisine/wp-content/plugins/all-in-one-wp-migration/.htaccess
<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all

# cat ./public_html/cuisine/wp-content/plugins/all-in-one-wp-migration/lib/.htaccess
<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all

I don't know whether they are malicious .htaccess

Following is a malicious .htaccess here

<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>

I expect to find them on my cPanel.

Regards
 

f33dm3bits

Gold Member
Gold Supporter
Credits
24,603
.htaccess files are used by Apache so that a website owner can configure certain Apache settings, if the web server allows those settings to be set. The ones you posted are used to restrict access to certain directories or files, among other things you can configure.
 

satimis

Member
Credits
557
Thanks for your advice.

On WordPress site

If
/wp-admin/maint/.htaccess
containing this content

<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>

I can't browse this site in a browser nor log in to this site. So I need to check for this malicious .htaccess on all my websites listed on cPanel. I have about 40 websites.

Is it possible with a command line to check them? Thanks
 

f33dm3bits

Gold Member
Gold Supporter
Credits
24,603
I would start by going to the website and then checking the Apache error log file, because when something is denied it will list why in the error log file.
 

f33dm3bits

Gold Member
Gold Supporter
Credits
24,603
It depends on how you have your websites configured. You can configure it so that each website has its own log file, or you can configure it so that they all use the same log file. The first option is easier when having to debug a problem with a website. I have never used cPanel, so I can't help you with how it is configured there when setting up a website.
 

satimis

Member
Credits
557
Hi f33dm3bits

Again.

If I expect searching the files containing following content
<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>


What will be the command line? Thanks

Regards
 

f33dm3bits

Gold Member
Gold Supporter
Credits
24,603
You would need to use a regex with grep in order to find files with exactly those lines. I'm still learning those myself, so I can't be much of a help with that. However, you could just do a search on the first line, since it is likely that if such an option is configured somewhere, it is configured for a deny. So try this.
Code:
grep -R '(php|php5|suspected|py|phtml)' /var/www/html
Changing /var/www/html to the location where your websites are.
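
An added example (not part of any post in this thread): grep matches one line at a time, so finding files that contain all four lines in sequence needs a multi-line check. This sketch uses find and awk, and redirects matches to a report file while discarding errors as explained earlier in the thread; the function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list .htaccess files holding the four-line block from the thread.

# First line of the block, compared as a literal string (no regex escaping needed).
BLOCK_OPEN="<FilesMatch '.(php|php5|suspected|py|phtml)\$'>"

# has_block FILE -> exit 0 if FILE contains the four lines consecutively.
has_block() {
    awk -v first="$BLOCK_OPEN" '
        {
            sub(/\r$/, "")                  # tolerate CRLF line endings
            gsub(/^[ \t]+|[ \t]+$/, "")     # ignore indentation
            line = tolower($0)              # Apache directives are case-insensitive
            if      (state == 1 && line == "order allow,deny") state = 2
            else if (state == 2 && line == "deny from all")    state = 3
            else if (state == 3 && line == "</filesmatch>")    { found = 1; exit }
            else state = ($0 == first) ? 1 : 0
        }
        END { exit !found }
    ' "$1"
}

# scan_htaccess ROOT -> one matching path per line, sorted.
scan_htaccess() {
    find "$1" -type f -name .htaccess 2>/dev/null |
    while IFS= read -r f; do
        if has_block "$f"; then printf '%s\n' "$f"; fi
    done | sort
}

# Constructed sample tree (not from the thread's server) so the script runs offline.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site1/wp-admin/maint" "$t/site2/wp-content" "$t/site3"
    printf '%s\n' "$BLOCK_OPEN" 'Order allow,deny' 'Deny from all' '</FilesMatch>' \
        > "$t/site1/wp-admin/maint/.htaccess"
    printf '%s\n' '# BEGIN WordPress' 'RewriteEngine On' > "$t/site2/.htaccess"
    printf '%s\n' 'Order allow,deny' 'Deny from all' > "$t/site3/.htaccess"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
# stdout (the matches) goes to the report; stderr (permission errors) is discarded.
scan_htaccess "$tree" 2>/dev/null > "$tree/report.txt"
cat "$tree/report.txt"
```

On a real account, replace the sample tree with the directory that holds the sites, for example `scan_htaccess public_html 2>/dev/null > report.txt`.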
 

captain-sensible

Well-Known Member
Credits
14,330
Testing from the shell at ~ to look at "/etc/httpd/conf/vhosts" (because I know that's where I have that text match), I can match the pattern using:

Code:
[[email protected]:~]$ sudo  grep -R -v  "Order allow,deny\n Deny from all"      /etc/httpd/conf/vhosts                    (07-10 10:01)
/etc/httpd/conf/vhosts/andrinaPerfectBeauty.com:<VirtualHost 127.0.0.2:80>
/etc/httpd/conf/vhosts/andrinaPerfectBeauty.com:    ServerAdmin [email protected]
I didn't worry about files; there is a flag to show the files that grep finds a match in.

So you could maybe try something along these lines:

Code:
sudo  grep -R -v -l  "Order allow,deny\n Deny from all"       /var/www/html
//last string i.e web root
-l should give you file name

With the -l flag I got:

Code:
[email protected]:~]$ sudo  grep -R -v -l  "Order allow,deny\n Deny from all"      /etc/httpd/conf/vhosts
[sudo] password for andrew:
/etc/httpd/conf/vhosts/andrinaPerfectBeauty.com
[[email protected]:~]$                                              (07-10 10:11)
andrinaPerfectBeauty.com is actually a FILE in /etc/httpd/conf/vhosts containing elements specific to that domain

That's my daughter's site, by the way, before someone thinks I'm a cross dresser or something
 

satimis

Member
Credits
557
Execute following command line;

1)

# grep -R '(php|php5|suspected|py|phtml)' public_html/bible/ 2> /dev/null >> php_php5.txt

2)
# wc -l php_php5.txt
13429 php_php5.txt

13429 files match ????

Example

....
public_html/bible/wp-content/plugins/wordfence/crypto/vendor/.htaccess:<FilesMatch '.(php|php5|suspected|py|phtml)$'>
public_html/bible/wp-content/plugins/wordfence/crypto/.htaccess:<FilesMatch '.(php|php5|suspected|py|phtml)$'>
public_html/bible/wp-content/plugins/wordfence/images/.htaccess:<FilesMatch '.(php|php5|suspected|py|phtml)$'>
public_html/bible/wp-content/plugins/wordfence/images/icons/.htaccess:<FilesMatch '.(php|php5|suspected|py|phtml)$'>
....

# cat public_html/bible/wp-content/plugins/wordfence/crypto/vendor/.htaccess
<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>

Anything wrong here? Only One website ?
 

satimis

Member
Credits
557
Thanks for your advice.

# grep -R -v -l "Order allow,deny\n Deny from all" public_html/bible/ 2> /dev/null >> order.txt

# wc -l order.txt
5773 order.txt

5773 lines in ONE website ??? Maybe something wrong here.

Example output:
.....
public_html/bible/wp-content/plugins/wordfence/js/admin.liveTraffic.1623076348.js
public_html/bible/wp-content/plugins/wordfence/js/wfdropdown.1620658454.js
public_html/bible/wp-content/plugins/wordfence/js/admin.liveTraffic.1620658454.js
public_html/bible/wp-content/plugins/wordfence/js/jquery.colorbox-min.1620658454.js
public_html/bible/wp-content/plugins/wordfence/js/admin.ajaxWatcher.1620658454.js
public_html/bible/wp-content/plugins/wordfence/js/wfi18n.1620658454.js
public_html/bible/wp-content/plugins/wordfence/js/wfglobal.1620658454.js
......

# cat public_html/bible/wp-content/plugins/wordfence/js/wfglobal.1620658454.js
large output/printout

Website: Plugin -> Add New

Warning
It appears you don't have permission to access this page.

403 Error. Forbidden.

WordPress site unable to add new plugin

Regards
 