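#!/bin/bash
#                                        +----+----+----+----+
#                                        |    |    |    |    |
# Author: Mark David Scott Cunningham    | M  | D  | S  | C  |
#                                        +----+----+----+----+
# Created: 2017-12-24
# Updated: 2017-12-24
#
# Purpose: To scan for files injected with coinhive content and coinhive .js files
#          Based on work by Brian Laskowski, intended to assist Brian.
#
# Coverage notes for whoever reads the results:
#   - Only *.php files are content-scanned; loader snippets injected into
#     .html/.js/template files are not covered by this pass.
#   - The filename check only finds the default name coinhive.min.js; a renamed
#     copy of the miner script will not be listed by it.
#   - A clean run therefore means "no known signature in PHP files", not
#     "no miner present".

#######################################
# Scan every directory matching a glob for coinhive signatures.
# Arguments: $1 - directory path or glob pattern (e.g. "/home*/*/public_html/")
# Outputs:   "Scanning :: <dir>" per directory, grep matches as file:line,
#            and the path of any coinhive.min.js found; errors go to stderr
# Returns:   0 when the scan ran, 1 when the signature list is unavailable
#######################################
coinhivescan() {
  local pattern=$1
  local coiners account
  local -a dirlist=()
  local scanned=0

  # The signature list is fetched at run time from a third-party repository
  # and is neither pinned to a commit nor integrity-checked. It is only ever
  # used as grep patterns (data, never executed), but a truncated or altered
  # list silently changes what this scan can detect. Pin or vendor the list
  # if the results feed an incident decision.
  # -f makes an HTTP error fail instead of handing an error page to grep.
  if ! coiners=$(curl -fsS --connect-timeout 10 --max-time 30 \
    https://raw.githubusercontent.com/Hestat/minerchk/master/coinhive.txt); then
    printf 'ERROR: could not download the coinhive signature list; scan aborted\n' >&2
    return 1
  fi

  # Drop carriage returns and blank lines: an empty pattern matches
  # indiscriminately and would bury real hits in false positives.
  coiners=$(printf '%s\n' "$coiners" | tr -d '\r' | sed '/^[[:space:]]*$/d')
  if [[ -z $coiners ]]; then
    printf 'ERROR: coinhive signature list is empty; scan aborted\n' >&2
    return 1
  fi

  # Expand the glob without word-splitting, so directories whose names
  # contain whitespace stay intact. IFS is local and restored right after.
  local IFS=
  # shellcheck disable=SC2206 — unquoted on purpose, the argument is a glob
  dirlist=($pattern)
  IFS=$' \t\n'

  # Loop through list of directories
  for account in "${dirlist[@]}"; do
    # An unmatched glob stays literal; skip anything that is not a directory.
    [[ -d $account ]] || continue
    scanned=$((scanned + 1))
    echo "Scanning :: $account"

    # Search the PHP files of this user/site directory for the signatures.
    # -e keeps a pattern that starts with '-' from being read as an option.
    # stderr is discarded deliberately (unreadable files are expected).
    find "$account" -type f -name '*.php' \
      -exec grep -E -Hw -e "$coiners" -- {} + 2>/dev/null

    # Search for any actual .js files
    find "$account" -name coinhive.min.js 2>/dev/null
  done

  if ((scanned == 0)); then
    printf 'WARNING: no directory matches %s; nothing was scanned\n' "$pattern" >&2
  fi
  echo
}

# Check for common control panels / configurations
if command -v whmapi1 >/dev/null 2>&1; then
  # cPanel
  printf "cPanel detected\n"
  coinhivescan "/home*/*/public_html/"
elif command -v plesk >/dev/null 2>&1; then
  # Plesk
  printf "Plesk detected\n"
  coinhivescan "/var/www/vhosts/*/httpdocs/"
else
  # Core-Managed
  printf "Unknown control panel, assuming Apache defaults\n"
  coinhivescan "/var/www/html/"
fi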