new scan changes

patterns/base64.txt

@@ -0,0 +1,11 @@
+PCT4BA6ODSE_
+_GET[base64_decode(
+eval(gzinflate(base64_decode(
+eval(gzinflate(str_rot13(
+=Array(base64_decode(
+eval(gzinflate(str_rot13(base64_decode(
+eval(gzuncompress(base64_decode(
+eval(gzuncompress(str_rot13(base64_decode(
+eval(gzuncompress(base64_decode(str_rot13(
+eval(str_rot13(gzinflate(base64_decode(
+    

patterns/mailing.txt

@@ -0,0 +1,3 @@
+@base64_decode($email);
+X-Mailer: Microsoft Office Outlook
+Da Slake PHP MAILER

patterns/shells.txt

@@ -0,0 +1,2 @@
+r57Shell Edited By Margu
+ONBOOMSHELL V 0.2

scan.sh

@@ -16,28 +16,30 @@ base64 = "patterns/base64.txt"
 mailing = "patterns/mailing.txt"
 polymorphic = "patterns/polymorphic.txt"
 crypto = "patterns/crypto.txt"
+shells = "patterns/shells.txt"
+misc = "patterns/misc.txt"
 
 # Scanning for Phishing
 for i in $(cat $phishing) 
 	do
-		grep -Rl -e $i --include=*.{php,phtml,js,html,suspected}* /home/$user/public_html
+		grep -Rle $i --include=*.{php,phtml,js,html,suspected}* /home/$user/public_html
 	done
 
 
 # Scanning for base64
 for i in $(cat $base64) 
 	do
-		grep -Rl -e $i /home/$user/public_html
+		grep -Rle $i --include=*.{php,phtml,js,html,suspected}* /home/$user/public_html
 	done
 
 # Scanning for Mailing Scripts
 for i in $(cat $mailing) 
 	do
-		grep -Rl -e $i /home/$user/public_html
+		grep -Rle $i --include=*.{php,phtml}* /home/$user/public_html
 	done
 
 # Scanning for CryptoCurrency Miners
 for i in $(cat $crypto) 
 	do
-		grep -Rl -e $i /home/$user/public_html
+		grep -Rle $i /home/$user/public_html
 	done