Finding Recently Modified PHP Files
find . -type f -name '*.php' -mtime -7
Search all PHP Files for Suspicious Code
find . -type f -name '*.php' | xargs grep -l "eval *(" --color
find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
find wp-admin -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color
find . -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color
find . -type f -name '*.php' | xargs grep base64_ | less
find . -type f -name '*.php' | xargs grep base64_ > results.txt
find . -type f -name '*.php' | xargs grep -il x29
Always search your writable upload directories for executable code
find wp-content/uploads -type f -name '*.php'
find wp-content/uploads -type f | xargs grep -i php
find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php
find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php
Where else could malicious code be hiding?
grep -i '<iframe' mywebsite.txt
Check .htaccess Files if you use Apache
find . -type f -name '\.htaccess' | xargs grep -i auto_prepend_file;
find . -type f -name '\.htaccess' | xargs grep -i auto_append_file;