command line to search files with string and save output to file

satimis

Hi all,

Please advise the command line to search files on ./ containing a string "Deny From All" and save the output to a file (not created in advance)

Thanks

Regards
satimis
 


Code:
grep -iR "Deny From All" /* 2> /dev/null > output.txt
 
Hi,

Thanks for your advice. Please advise what is the function of;
2> /dev/null >

I'll fire the command line on the cPanel Terminal of the hosting company. After it finishes I have to download the output.txt file.

Regards
 
It sends all the errors you get to /dev/null; that way they won't end up in the output.txt file and they won't be displayed on your screen. This way only the output you want gets added to the file. I forgot to add something. It should be this.
Code:
grep -iR "Deny From All" /* 2> /dev/null >> output.txt
 
Hi,

Thanks again.

Please advise what is the function of 2 (the number)?

Regards
 
Yes, if you click on the link I linked in my last reply you will see it explained there, but in short:
0 stdin Standard input
1 stdout Standard output
2 stderr Standard error
 
Hi,

Ran following command line on cPanel Terminal of my hosting company
grep -iR "Deny From All" /* 2> /dev/null >> denyfromall.txt

Your command line works for me. Thanks again.

However it is a big file
# wc -l denyfromall.txt
11855 denyfromall.txt

I have checked 2 of them
# cat ./public_html/cuisine/wp-content/plugins/all-in-one-wp-migration/.htaccess
<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all

# cat ./public_html/cuisine/wp-content/plugins/all-in-one-wp-migration/lib/.htaccess
<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all

I don't know whether they are malicious .htaccess

Following is a malicious .htaccess here

<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>

I expect to find them on my cPanel.

Regards
 
htaccess files are used by Apache so that a website owner can configure certain Apache settings if the webserver allows those settings to be set. The ones you posted are used to restrict access to certain directories or files, and there are other things you can configure as well.
 
Thanks for your advice.

On WordPress site

If
/wp-admin/maint/.htaccess
containing this content

<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>

I can't browse this site in a browser nor log in to this site. So I need to check for this malicious .htaccess on all my websites listed on cPanel. I have about 40 websites.

Is it possible with a command line to check them? Thanks
 
I would start by going to the website and then checking the apache error log file because when something is denied it will list why in the error log file.
 
It depends on how you have your websites configured: you can configure it so that each website has its own log file, or you can configure it so that they all use the same log file. The first option is easier when having to debug a problem with a website. I have never used cPanel, so I can't help you with how it is configured there when setting up a website.
 
Each website has its own error log file. I'll check them one by one.

Lots of thanks for your advice.
 
Hi f33dm3bits

Again.

If I expect searching the files containing following content
<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>


What will be the command line? Thanks

Regards
 
You would need to use a regex with grep in order to find files with exactly those lines, I'm still learning those myself so can't be much of a help with that. However you could just do a search on the first line since it is likely that if such an option is configured somewhere that it is configured for a deny. So try this.
Code:
grep -R '(php|php5|suspected|py|phtml)' /var/www/html
Changing /var/www/html to the location where your websites are.
 
Testing from shell at ~ to look at "/etc/httpd/conf/vhosts" (because I know that's where I have that text match), can match pattern using:

Code:
[andrew@darkstar:~]$ sudo  grep -R -v  "Order allow,deny\n Deny from all"      /etc/httpd/conf/vhosts                    (07-10 10:01)
/etc/httpd/conf/vhosts/andrinaPerfectBeauty.com:<VirtualHost 127.0.0.2:80>
/etc/httpd/conf/vhosts/andrinaPerfectBeauty.com:    ServerAdmin [email protected]

I didn't worry about files; there is a flag to show files that grep finds a match in.

So maybe you try something along these lines:

Code:
sudo  grep -R -v -l  "Order allow,deny\n Deny from all"       /var/www/html
//last string i.e web root

-l should give you file name

With -l flag I got:

Code:
andrew@darkstar:~]$ sudo  grep -R -v -l  "Order allow,deny\n Deny from all"      /etc/httpd/conf/vhosts
[sudo] password for andrew:
/etc/httpd/conf/vhosts/andrinaPerfectBeauty.com
[andrew@darkstar:~]$                                              (07-10 10:11)
andrinaPerfectBeauty.com is actually a FILE in /etc/httpd/conf/vhosts containing elements specific to that domain

That's my daughter's site, by the way, before someone thinks I'm a cross dresser or something
 
Execute following command line;

1)

# grep -R '(php|php5|suspected|py|phtml)' public_html/bible/ 2> /dev/null >> php_php5.txt

2)
# wc -l php_php5.txt
13429 php_php5.txt

13429 files match ????

Example

....
public_html/bible/wp-content/plugins/wordfence/crypto/vendor/.htaccess:<FilesMatch '.(php|php5|suspected|py|phtml)$'>
public_html/bible/wp-content/plugins/wordfence/crypto/.htaccess:<FilesMatch '.(php|php5|suspected|py|phtml)$'>
public_html/bible/wp-content/plugins/wordfence/images/.htaccess:<FilesMatch '.(php|php5|suspected|py|phtml)$'>
public_html/bible/wp-content/plugins/wordfence/images/icons/.htaccess:<FilesMatch '.(php|php5|suspected|py|phtml)$'>
....

# cat public_html/bible/wp-content/plugins/wordfence/crypto/vendor/.htaccess
<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>

Anything wrong here? Only One website ?
 
Thanks for your advice.

# grep -R -v -l "Order allow,deny\n Deny from all" public_html/bible/ 2> /dev/null >> order.txt

# wc -l order.txt
5773 order.txt

5773 lines in ONE website ??? Maybe something wrong here.

Example output:
.....
public_html/bible/wp-content/plugins/wordfence/js/admin.liveTraffic.1623076348.js
public_html/bible/wp-content/plugins/wordfence/js/wfdropdown.1620658454.js
public_html/bible/wp-content/plugins/wordfence/js/admin.liveTraffic.1620658454.js
public_html/bible/wp-content/plugins/wordfence/js/jquery.colorbox-min.1620658454.js
public_html/bible/wp-content/plugins/wordfence/js/admin.ajaxWatcher.1620658454.js
public_html/bible/wp-content/plugins/wordfence/js/wfi18n.1620658454.js
public_html/bible/wp-content/plugins/wordfence/js/wfglobal.1620658454.js
......

# cat public_html/bible/wp-content/plugins/wordfence/js/wfglobal.1620658454.js
large output/printout

Website: Plugin -> Add New
Warning: It appears you don't have permission to access this page.

403 Error. Forbidden.

WordPress site unable to add new plugin

Regards
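
Added example, not part of any post in this thread: grep compares one line at a time, so a "\n" inside the pattern never matches a line break, and -v selects the lines that do not match, which is why the commands above report thousands of entries. The script below instead checks each .htaccess for the four consecutive lines quoted in the posts and saves the matching paths to a file; the function names and the sample tree are assumptions made for this example.

```shell
# Added example, not from the thread. Function names are assumptions.
# has_block FILE: exit 0 if the four lines quoted in the posts appear
# consecutively in FILE. Case, indentation and CRLF endings are ignored.
has_block() {
    awk '
    BEGIN {
        want[1] = "<filesmatch \047.(php|php5|suspected|py|phtml)$\047>"
        want[2] = "order allow,deny"
        want[3] = "deny from all"
        want[4] = "</filesmatch>"
    }
    {
        sub(/\r$/, ""); l = tolower($0)
        gsub(/^[ \t]+|[ \t]+$/, "", l); gsub(/[ \t]+/, " ", l)
        if (l == want[n + 1]) n++
        else n = (l == want[1]) ? 1 : 0
        if (n == 4) { found = 1; exit }
    }
    END { exit !found }
    ' "$1"
}

# scan_htaccess ROOT OUT: write matching paths to OUT, print their count.
scan_htaccess() {
    : > "$2"
    find "$1" -type f -name .htaccess 2>/dev/null |
    while IFS= read -r f; do
        if has_block "$f"; then printf '%s\n' "$f" >> "$2"; fi
    done
    wc -l < "$2" | tr -d ' '
}

# make_sample DIR: constructed tree for the demo (not real site data).
make_sample() {
    mkdir -p "$1/site/wp-admin/maint" "$1/site/uploads"
    printf "<FilesMatch '.(php|php5|suspected|py|phtml)\$'>\r\nOrder allow,deny\r\n  deny from ALL\r\n</FilesMatch>\r\n" \
        > "$1/site/wp-admin/maint/.htaccess"
    printf '<FilesMatch "\\.log$">\nOrder allow,deny\nDeny from all\n</FilesMatch>\n' \
        > "$1/site/uploads/.htaccess"
}

# Usage: sh thisfile ROOT OUT (e.g. public_html hits.txt); no arguments runs the demo.
if [ "$#" -eq 2 ]; then
    scan_htaccess "$1" "$2"
else
    tmp=$(mktemp -d) && make_sample "$tmp"
    scan_htaccess "$tmp" "$tmp/hits.txt" && cat "$tmp/hits.txt"
    rm -rf "$tmp"
fi
```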
 
