#!/bin/bash

SITES_DIR="/homez.432/citronze/www/hosting"
REPORT_DIR="/homez.432/citronze/scan_reports"
DAYS=7

mkdir -p "$REPORT_DIR"

for SITE_PATH in "$SITES_DIR"/*/; do
  SITE=$(basename "$SITE_PATH")
  [ "$SITE" = "non-wp" ] && continue
  REPORT_FILE="$REPORT_DIR/$SITE.txt"
  REPORT="=== SCAN SÉCURITÉ : $SITE ===\nDate : $(date)\n\n"

  PHP_SUSPECTS=$(find "$SITE_PATH" -name "*.php" ! -path "*/wp-content/uploads/*" | grep -E '/[a-z0-9]{8,}\.php$' | grep -vE '/(wp-admin|wp-includes|plugins|themes|mu-plugins|wflogs)/' 2>/dev/null)
  PNG_SUSPECTS=$(find "$SITE_PATH/wp-content" -maxdepth 1 -name "*.png" 2>/dev/null)
  EVAL_SUSPECTS=$(grep -rl --include="*.php" -e 'eval(' -e 'base64_decode(' "$SITE_PATH" --exclude-dir=wp-includes --exclude-dir=wp-admin --exclude-dir=plugins --exclude-dir=themes 2>/dev/null | head -30)
  RECENT=$(find "$SITE_PATH" -name "*.php" ! -path "*/uploads/*" ! -path "*/cache/*" ! -path "*/wp-includes/*" ! -path "*/wp-admin/*" -mtime -"$DAYS" 2>/dev/null)
  HIDDEN=$(find "$SITE_PATH/wp-content" -name ".*" -not -name ".htaccess" -not -name ".min" -not -name ".gitattributes" -not -name ".gitignore" -not -name ".claude" -not -name ".DS_Store" -not -name ".gitkeep" -not -name ".npmignore" -not -name ".buildignore" -not -name ".gitleaksignore" -not -name ".source" -not -name ".hsdoc" -not -name ".phplint.yml" -not -name ".vscode" -not -name ".circleci" -not -name ".php-cs-fixer.dist.php" -not -name "*.xml" -not -name ".github" -not -name ".php_cs" -not -name ".php_cs.dist" -not -name ".styleci.yml" -not -name ".trash" -not -name ".DS_Store" -not -name ".gitkeep" -not -name ".npmignore" -not -name ".buildignore" -not -name ".gitleaksignore" -not -name ".source" -not -name ".hsdoc" -not -name ".phplint.yml" -not -name ".vscode" -not -name ".circleci" -not -name ".php-cs-fixer.dist.php" -not -name "*.xml" 2>/dev/null)
  WP_CONTENT_PHP=$(find "$SITE_PATH/wp-content" -maxdepth 1 -name "*.php" ! -name "index.php" ! -name "advanced-cache.php" 2>/dev/null)
  PNG_BACKDOORS=$(find "$SITE_PATH/wp-admin/images/" "$SITE_PATH/wp-admin/js/" -maxdepth 1 -name "*.png" 2>/dev/null | xargs -r file | grep -v "PNG image")
  RND_FILES=$(find "$SITE_PATH/wp-admin" -maxdepth 1 -name ".rnd" 2>/dev/null)
  PHP_WPADMIN_CSS=$(find "$SITE_PATH/wp-admin/css/" -maxdepth 1 -name "*.php" 2>/dev/null)
  # css/dist ne contient légitimement que registry.php (core WP >= 6.6) : un simple
  # registre de styles de blocs, inerte (return array(...)). On ne le flague donc QUE
  # s'il contient un motif exécutable/suspect (backdoor déguisé sous ce nom). Tout AUTRE
  # .php dans css/dist reste flaggé, et un registry.php piégé aussi. Version-indépendant.
  PHP_INCLUDES_DIST=$(find "$SITE_PATH/wp-includes/css/dist/" -maxdepth 1 -name "*.php" 2>/dev/null | while read -r f; do
    if [ "$(basename "$f")" = "registry.php" ] && ! grep -qiE 'eval\(|base64_decode|gzinflate|gzuncompress|str_rot13|assert\(|system\(|exec\(|passthru|shell_exec|popen|proc_open|create_function|preg_replace.*/e|\$_(GET|POST|REQUEST|COOKIE|SERVER)|call_user_func' "$f"; then
      continue
    fi
    echo "$f"
  done)

  [ -n "$PHP_SUSPECTS" ] && REPORT+="⚠️  PHP SUSPECTS :\n$PHP_SUSPECTS\n\n" || REPORT+="✅ PHP suspects : aucun\n\n"
  [ -n "$PNG_SUSPECTS" ] && REPORT+="⚠️  PNG racine wp-content/ :\n$PNG_SUSPECTS\n\n" || REPORT+="✅ PNG racine wp-content : aucun\n\n"
  [ -n "$EVAL_SUSPECTS" ] && REPORT+="⚠️  eval/base64_decode :\n$EVAL_SUSPECTS\n\n" || REPORT+="✅ eval/base64_decode : aucun\n\n"
  [ -n "$RECENT" ] && REPORT+="⚠️  PHP modifiés < ${DAYS}j :\n$RECENT\n\n" || REPORT+="✅ Fichiers récents : aucun\n\n"
  [ -n "$HIDDEN" ] && REPORT+="⚠️  Fichiers cachés suspects :\n$HIDDEN\n\n" || REPORT+="✅ Fichiers cachés : aucun\n\n"
  [ -n "$WP_CONTENT_PHP" ] && REPORT+="⚠️  PHP racine wp-content/ :\n$WP_CONTENT_PHP\n\n" || REPORT+="✅ PHP racine wp-content : aucun\n\n"
  [ -n "$PNG_BACKDOORS" ] && REPORT+="⚠️  PNG BACKDOORS wp-admin/ :\n$PNG_BACKDOORS\n\n" || REPORT+="✅ PNG wp-admin : aucun\n\n"
  [ -n "$RND_FILES" ] && REPORT+="⚠️  .rnd wp-admin/ :\n$RND_FILES\n\n" || REPORT+="✅ .rnd : aucun\n\n"
  [ -n "$PHP_WPADMIN_CSS" ] && REPORT+="⚠️  PHP wp-admin/css/ :\n$PHP_WPADMIN_CSS\n\n" || REPORT+="✅ PHP wp-admin/css : aucun\n\n"
  [ -n "$PHP_INCLUDES_DIST" ] && REPORT+="⚠️  PHP wp-includes/css/dist/ :\n$PHP_INCLUDES_DIST\n\n" || REPORT+="✅ PHP wp-includes/css/dist : aucun\n\n"

  echo -e "$REPORT" > "$REPORT_FILE"
  echo "→ $SITE scanné"
done

echo "✅ Terminé. Rapports dans $REPORT_DIR"

# Scan léger sites non-WP
for SITE_PATH in "$SITES_DIR/non-wp"/*/; do
  SITE=$(basename "$SITE_PATH")
  REPORT_FILE="$REPORT_DIR/$SITE.txt"
  REPORT="=== SCAN non-WP : $SITE ===\nDate : $(date)\n\n"

  PHP_SUSPECTS=$(find "$SITE_PATH" -name "*.php" 2>/dev/null)
  RECENT=$(find "$SITE_PATH" -name "*.php" -o -name "*.js" -o -name "*.html" -mtime -"$DAYS" 2>/dev/null)

  [ -n "$PHP_SUSPECTS" ] && REPORT+="⚠️  PHP détectés :\n$PHP_SUSPECTS\n\n" || REPORT+="✅ PHP : aucun\n\n"
  [ -n "$RECENT" ] && REPORT+="⚠️  Fichiers modifiés < ${DAYS}j :\n$RECENT\n\n" || REPORT+="✅ Fichiers récents : aucun\n\n"

  echo -e "$REPORT" > "$REPORT_FILE"
  echo "→ $SITE (non-wp) scanné"
done
