#!/bin/bash
PHP=php; command -v php >/dev/null 2>&1 || PHP=/usr/local/php8.1/bin/php
D=$(date +%Y%m%d-%H%M)
mkdir -p ~/.maintenance-logs
LOG=~/.maintenance-logs/recheck-fleet128-$D.txt
exec > >(tee "$LOG") 2>&1
echo "########## RE-CHECK FLEET cluster128 $(date) ##########"
ANOM=0

echo "==== 0. Inventaire ===="
N=0; for f in ~/*/wp-config.php; do [ -f "$f" ] && N=$((N+1)); done
echo "  sites avec wp-config: $N"

echo "==== 1. DB par site : uredik/xshikata / admins hors MREL+aina / email-vide / cache1 / plugins (mysqli) ===="
DBOUT=$($PHP ~/_recheck128.php 2>&1); echo "$DBOUT"
echo "$DBOUT" | grep -qE '!!|A-VERIFIER|DB KO|illisible' && ANOM=1

echo "==== 2. authorized_keys (VECTEUR CLE SSH ATTAQUANT — inspecter chaque cle) ===="
n=$(grep -c . ~/.ssh/authorized_keys 2>/dev/null); echo "  lignes: $n"; awk '{print "   ..."$NF}' ~/.ssh/authorized_keys 2>/dev/null

echo "==== 3. crontab (attendu vide) ===="
cl=$(crontab -l 2>/dev/null | grep -v '^#' | grep .); if [ -n "$cl" ]; then echo "$cl"|sed 's/^/  !! /'; ANOM=1; else echo "  (vide) OK"; fi

echo "==== 4. mu-plugins backdoor (wp-security.php / autres inattendus) ===="
M=0
for f in ~/*/wp-config.php; do s=$(dirname "$f"); d="$s/wp-content/mu-plugins"; [ -d "$d" ] || continue
  for g in $(ls -1 "$d" 2>/dev/null); do
    case "$g" in
      0-worker.php|elementor-safe-mode.php|index.php) ;;
      *) echo "  [$(basename $s)] mu-plugin: $g"; M=1; ANOM=1;;
    esac
  done
done
[ $M -eq 0 ] && echo "  aucun mu-plugin suspect -> OK"

echo "==== 5. faux plugins cache backdoor (cache1.php) ===="
C=0
for f in ~/*/wp-config.php; do s=$(dirname "$f")
  for bad in "wp-content/plugins/Caches/cache1.php" "wp-content/plugins/Cache V5/cache1.php"; do
    [ -e "$s/$bad" ] && { echo "  [$(basename $s)] PRESENT-> $bad"; C=1; ANOM=1; }
  done
done
[ $C -eq 0 ] && echo "  aucun faux plugin cache -> OK"

echo "==== 6. webshells connus a la RACINE des sites ===="
W=0
for f in ~/*/wp-config.php; do s=$(dirname "$f")
  for bad in z.php wp-confings.php wp-server.php wp-mails.php wp-track-back.php user.php license.html; do
    [ -e "$s/$bad" ] && { echo "  [$(basename $s)] PRESENT-> $bad"; W=1; ANOM=1; }
  done
done
[ $W -eq 0 ] && echo "  aucun webshell racine connu -> OK"

echo "==== 7. planque z.php dans le home cache (~/.ssh ~/.local ~/.config ~/.cache ~/tmp) ===="
S=0
for d in ~/.ssh ~/.local ~/.config ~/.cache ~/tmp; do
  [ -d "$d" ] || continue
  r=$(find -L "$d" -maxdepth 3 -name 'z.php' 2>/dev/null)
  [ -n "$r" ] && { echo "$r"|sed 's/^/  PRESENT-> /'; S=1; ANOM=1; }
done
[ $S -eq 0 ] && echo "  aucun z.php planque -> OK"

echo "==== 8. reinjection wp-config (linksparagon / __LPK_IN__ / _ea_wc) ===="
I=0
for f in ~/*/wp-config.php; do
  r=$(grep -lE "linksparagon|__LPK_IN__|_ea_wc|_EA_WC_" "$f" 2>/dev/null)
  [ -n "$r" ] && { echo "  ENCORE-> $r"; I=1; ANOM=1; }
done
[ $I -eq 0 ] && echo "  aucune injection wp-config -> OK"

echo "==== 9. doorway/cloaking dans index.php racine (signature + taille) ===="
X=0
for f in ~/*/wp-config.php; do s=$(dirname "$f"); idx="$s/index.php"; [ -f "$idx" ] || continue
  if grep -lqE "isGoogleUserAgent|is_spider|69\.30\.227\.34|readfile.*license|__halt_compiler" "$idx" 2>/dev/null; then
    echo "  [$(basename $s)] DOORWAY-SIGNATURE-> $idx"; X=1; ANOM=1
  else
    sz=$(wc -c < "$idx" 2>/dev/null)
    [ "$sz" -gt 450 ] 2>/dev/null && echo "  [$(basename $s)] index.php volumineux ($sz o) -> a inspecter"
  fi
done
[ $X -eq 0 ] && echo "  aucune signature doorway index.php -> OK"

echo "==== 10. durcissement en place (uploads/.htaccess anti-PHP) ===="
ok=0; ko=0
for f in ~/*/wp-config.php; do s=$(dirname "$f")
  h="$s/wp-content/uploads/.htaccess"
  if [ -f "$h" ] && grep -qiE "Require all denied|Deny from all" "$h" 2>/dev/null; then ok=$((ok+1)); else ko=$((ko+1)); fi
done
echo "  uploads/.htaccess anti-PHP: OK=$ok  MANQUANT=$ko"

echo "==== 11. faux plugins SEO-Booster (hseo* / wp-helper-*) ===="
H=0
for f in ~/*/wp-config.php; do s=$(dirname "$f"); pd="$s/wp-content/plugins"; [ -d "$pd" ] || continue
  for g in $(ls -1 "$pd" 2>/dev/null | grep -iE '^hseo|^wp-helper'); do echo "  [$(basename $s)] SEO-BOOSTER-> $g"; H=1; ANOM=1; done
done
[ $H -eq 0 ] && echo "  aucun plugin SEO-Booster -> OK"

echo "==== VERDICT ===="
[ $ANOM -eq 0 ] && echo "  >>> PROPRE : aucune anomalie de re-infection detectee <<<" || echo "  >>> ANOMALIE(S) DETECTEE(S) — voir lignes !! / A-VERIFIER / PRESENT-> / ENCORE-> / DOORWAY-> / SEO-BOOSTER-> <<<"
echo "########## FIN $(date) — log: $LOG ##########"
