#!/usr/bin/awk -f
#
#
# version 1: Counters added to show count of matches at the end.
# 1.2: the matching record is now displayed with the detector tag appended at the end of every line; added colour codes to the matched string.
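# Scans an Apache-style access log for request-line and user-agent strings
# commonly seen in web-application probing. Records are split on the double
# quote (FS), so $2 is the request line and $(NF-1) is the last quoted field
# (normally the User-Agent). Every matching record is printed with a
# colour-coded tag; END reports the per-detector counts in a fixed order
# followed by the distinct source keys seen.
#
# Requires gawk: IGNORECASE, the \< \> word anchors and the {n,} interval
# operators are GNU extensions.
#
# Tunables (override on the command line with -v NAME=value):
#   SHOWLOG  - when non-zero (default 1) the detector tag is appended to
#              $(NF-1) before the record is printed. Later rules on the same
#              record therefore see the tag as part of the field (the escape
#              sequence in front of the tag keeps the \< anchored detectors
#              from re-matching their own tag).
#   KEYFIELD - which whitespace-separated word of $1 identifies the source
#              (default 2, as in the original script).
#              NOTE(review): in the plain "combined" format word 2 is the
#              ident field ("-") and the client address is word 1; word 2 is
#              the address only in vhost-prefixed formats - verify against
#              the log format in use.
#
# Notes on the detectors:
#   * The quoted forms /"token"/ of the original could never match: FS is the
#     double quote, so no field can contain one. They are now anchored with
#     \< \> instead, the style already used by the chr() and eval rules.
#   * Counters live in hits[] and are reported in the order listed in BEGIN.
#     The "$(...)" rule has its own counter (DollarParenNF) instead of
#     sharing azAZ09NF with the 300-character-run rule, the hex-escape
#     counter (Hexa) is now initialised and reported, and the duplicate
#     azAZ09NF summary line is gone.
#   * The three request-length rules printed an untagged, copy-pasted
#     "[0-9]{100} !200" marker with a double tab; they now get a tag that
#     names their own pattern, formatted like every other rule.
#   * "$3 !~ /200/" excludes any record whose status/size field contains the
#     digits 200 anywhere (including inside the byte count). Kept as in the
#     original - TODO confirm whether a status-only check is intended.
BEGIN {
    FS = "\""
    IGNORECASE = 1
    # -v assignments are applied before BEGIN runs, so only fill in defaults.
    if (SHOWLOG == "")  SHOWLOG = 1
    if (KEYFIELD == "") KEYFIELD = 2
    # Report order for the END summary.
    ncounters = split("azAZ09NF UnameNF ExprNF WgetNF DecodeNF EvalNF Base64NF" \
                      " DisconnectNF ConnectNF FunctionNF ExitNF DocRootNF chrNF" \
                      " DelayNF WaitforNF PrintNF CgiBinNF PasswdNF BinShNF PerlNF" \
                      " BashNF SelectNF zhCNNF WordPress WpCron WpAdmin CgiBin Passwd" \
                      " WpLogin Echo2 Eval2 Base64 DOCROOT SetTimeLimit SetMagicQuotes" \
                      " FilePutContent Magento PhpAdmin PhpMyAdmin FCKEditor System2" \
                      " Sqlite SQLManager WebEdit WpContent WebSQL MySQLDumper webdb" \
                      " WebConsole Digit200 azAZ300 WebManage Hexa DollarParenNF", \
                      order, " ")
    for (i = 1; i <= ncounters; i++) hits[order[i]] = 0
}

# Records a hit for one detector on the current record.
#   counter - key into hits[] (one of the names listed in BEGIN)
#   label   - tag appended in red to $(NF-1) when SHOWLOG is set
#   hilite  - "req" highlights the request line ($2) in green; any other
#             value highlights the last field ($(NF-1)) instead
# Side effects: hits[counter]++, x[key]++, $(NF-1) modified when SHOWLOG is
# set, and one "key<TAB>request<TAB>last-field" line printed.
function flag(counter, label, hilite,    parts, key) {
    hits[counter]++
    split($1, parts, " ")
    key = parts[KEYFIELD]
    x[key]++
    if (SHOWLOG)
        $(NF-1) = $(NF-1) "\t\033[1;31m" label "\033[0m"
    if (hilite == "req")
        printf("%s\t\033[1;32m%s\033[0m\t%s\n", key, $2, $(NF-1))
    else
        printf("%s\t%s\t\033[1;32m%s\033[0m\n", key, $2, $(NF-1))
}

# ---- request-line detectors ($2) -------------------------------------------
$2 ~ /webmanage/                        { flag("WebManage", "webmanage", "req") }
$2 ~ /[a-zA-Z_-]{300,}/ && $3 !~ /200/  { flag("azAZ300", "[a-zA-Z_-]{300} !200", "req") }
$2 ~ /[0-9]{200,}/ && $3 !~ /200/       { flag("Digit200", "[0-9]{200} !200", "req") }
$2 ~ /web-console/                      { flag("WebConsole", "web-console", "req") }
$2 ~ /webdb/                            { flag("webdb", "webdb", "req") }
$2 ~ /mysqldumper/                      { flag("MySQLDumper", "mysqldumper", "req") }
$2 ~ /websql/                           { flag("WebSQL", "websql", "req") }
$2 ~ /wp-content/                       { flag("WpContent", "wp-content", "req") }
$2 ~ /webedit/                          { flag("WebEdit", "webedit", "req") }
$2 ~ /sqlmanager/                       { flag("SQLManager", "sqlmanager", "req") }
$2 ~ /sqlite/                           { flag("Sqlite", "sqlite", "req") }
$2 ~ /system/                           { flag("System2", "system", "req") }
$2 ~ /fckeditor/                        { flag("FCKEditor", "fckeditor", "req") }
$2 ~ /phpmyadmin/                       { flag("PhpMyAdmin", "phpmyadmin", "req") }
$2 ~ /phpadmin/                         { flag("PhpAdmin", "phpadmin", "req") }
$2 ~ /magento/                          { flag("Magento", "magento", "req") }
$2 ~ /\<file_put_content\>/             { flag("FilePutContent", "FilePutContent", "req") }
$2 ~ /\<set_magic_quotes\>/             { flag("SetMagicQuotes", "SetMagicQuotes", "req") }
$2 ~ /\<set_time_limit\>/               { flag("SetTimeLimit", "SetTimeLimit", "req") }
$2 ~ /\<DOCUMENT_ROOT\>/                { flag("DOCROOT", "DOCROOT", "req") }
$2 ~ /\<base64\>/                       { flag("Base64", "base64", "req") }
$2 ~ /\<eval\>/                         { flag("Eval2", "eval", "req") }
$2 ~ /\<echo\>/                         { flag("Echo2", "echo", "req") }
$2 ~ /\/wp-login/                       { flag("WpLogin", "wp-login", "req") }
$2 ~ /passwd/                           { flag("Passwd", "passwd", "req") }
$2 ~ /\<cgi-bin\>/                      { flag("CgiBin", "cgi-bin", "req") }
$2 ~ /\<wp-admin\>/                     { flag("WpAdmin", "wp-admin", "req") }
$2 ~ /\<wp-cron\>/                      { flag("WpCron", "wp-cron", "req") }
$2 ~ /\<wordpress\>/                    { flag("WordPress", "wordpress", "req") }

# ---- last-field detectors ($(NF-1)) ----------------------------------------
# zh_CN keeps the original's request-line highlighting; its tag now names
# the pattern instead of the copy-pasted "Base64_Decode".
$(NF-1) ~ /\<zh_CN\>/                   { flag("zhCNNF", "zh_CN", "req") }
# Hex escapes outside a browser UA. The original class [a-fA-Z0-9] spilled
# past the hex digits; with IGNORECASE that meant any alphanumeric.
$(NF-1) !~ /Mozilla/ && $(NF-1) ~ /\\x[0-9a-fA-F]+/ { flag("Hexa", "x[a-z0-9]", "ua") }
$(NF-1) ~ /\<select\>/                  { flag("SelectNF", "select", "ua") }
$(NF-1) ~ /\<bash\>/                    { flag("BashNF", "bash", "ua") }
$(NF-1) ~ /\<perl\>/                    { flag("PerlNF", "perl", "ua") }
$(NF-1) ~ /bin\/sh/                     { flag("BinShNF", "bin/sh", "ua") }
$(NF-1) ~ /\<passwd\>/                  { flag("PasswdNF", "passwdNF", "ua") }
$(NF-1) ~ /\<cgi-bin\>/                 { flag("CgiBinNF", "cgi-binNF", "ua") }
$(NF-1) ~ /\<print\>/                   { flag("PrintNF", "printNF", "ua") }
$(NF-1) ~ /\<waitfor\>/                 { flag("WaitforNF", "waitforNF", "ua") }
$(NF-1) ~ /\<delay\>/                   { flag("DelayNF", "delay", "ua") }
$(NF-1) ~ /\<chr\([0-9a-zA-Z]+\)\>/     { flag("chrNF", "chrNF", "ua") }
$(NF-1) ~ /\<DOCUMENT_ROOT\>/           { flag("DocRootNF", "DOCUMENT_ROOT", "ua") }
$(NF-1) ~ /\<exit\>/                    { flag("ExitNF", "exitNF", "ua") }
$(NF-1) ~ /\<function\>/                { flag("FunctionNF", "functionNF", "ua") }
# "connect" in a non-browser, non-Outlook agent on a non-200 response,
# skipping Apache's own "internal dummy connection" records.
$(NF-1) !~ /Mozilla/ && $(NF-1) !~ /Outlook/ && $(NF-1) !~ /internal dummy connection/ && $3 !~ /200/ && $(NF-1) ~ /connect/ \
                                        { flag("ConnectNF", "connectNF", "ua") }
$(NF-1) ~ /\<disconnect\>/              { flag("DisconnectNF", "disconnectNF", "ua") }
$(NF-1) ~ /[0-9a-zA-Z]{300,}/           { flag("azAZ09NF", "a-zA-Z0-9-300", "ua") }
$(NF-1) ~ /\<base64\>/                  { flag("Base64NF", "base64NF", "ua") }
$(NF-1) ~ /\<eval\>/                    { flag("EvalNF", "evalNF", "ua") }
$(NF-1) ~ /\<decode\>/                  { flag("DecodeNF", "decodeNF", "ua") }
# The "digits after wget" requirement is inherited from the original pattern.
$(NF-1) ~ /\<wget[0-9]+\>/              { flag("WgetNF", "wgetNF", "ua") }
$(NF-1) ~ /\<expr\>/                    { flag("ExprNF", "exprNF", "ua") }
$(NF-1) ~ /\<uname\>/                   { flag("UnameNF", "unameNF", "ua") }
# Shell command substitution / positional parameter syntax in the agent.
$(NF-1) ~ /\$\([a-zA-Z0-9]+\)/          { flag("DollarParenNF", "$(a-zA-Z0-9)", "ua") }
$(NF-1) ~ /\$\{[0-9]+\}/                { flag("CurlynumberNF", "$(0-9)", "ua") }

END {
    for (i = 1; i <= ncounters; i++)
        printf("%-20s\t%d\n", order[i], hits[order[i]])
    # Distinct source keys, in awk's (unspecified) array order, as before.
    for (j in x)
        print j
}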