import os
import re

# Folder target (ubah sesuai direktori webmu)
target_dir = "/var/www/html"

# Pola-pola mencurigakan
suspicious_patterns = [
    r"eval\s*\(",
    r"base64_decode\s*\(",
    r"gzinflate\s*\(",
    r"str_rot13\s*\(",
    r"shell_exec\s*\(",
    r"system\s*\(",
    r"exec\s*\(",
    r"passthru\s*\(",
    r"popen\s*\(",
    r"proc_open\s*\(",
    r"preg_replace\s*\(.*e.*",
    r"curl_exec\s*\(",
    r"file_get_contents\s*\(['\"]http"
]

regex_patterns = [re.compile(p) for p in suspicious_patterns]

for root, dirs, files in os.walk(target_dir):
    for fname in files:
        if fname.endswith(".php"):
            fpath = os.path.join(root, fname)
            try:
                with open(fpath, "r", errors="ignore") as f:
                    content = f.read()
                    for pattern in regex_patterns:
                        if pattern.search(content):
                            print(f"[!] Suspicious code in: {fpath} | Pattern: {pattern.pattern}")
            except Exception as e:
                print(f"[x] Error reading {fpath}: {e}")