find . -name '*.php' -exec grep -l '$msg=@gzinflate(@base64_decode(@str_replace' {} \; > rem01.txt
find ./images/ -name '*.php' > rem02.txt
find . -name '*.php' -exec grep -l 'preg_replace("/\.\*/e","' {} \; > rem03.txt
find . -name '*.php' -exec grep -l 'eval (base64_decode($_POST["php"]));' {} \; > rem04.txt
find . -name '.htaccess' -exec grep -l 'android|midp|j2me|symbian|series' {} \; > rem05.txt
find . -name '.htaccess' -exec grep -l 'google|ask|yahoo' {} \; >> rem05.txt
find . -name '*.php' -exec grep -l 'if(@md5($_POST\["gif"\])' {} \; > rem06.txt
find . -name 'index.php' -exec grep -l '$_REQUEST\[.*\]; eval' {} \; > rem07.txt
find . -name '*.php' -exec grep -l '&& function_exists("getmxrr"))' {} \; > rem08.txt
find . -name '*.php' -exec grep -l '<br/>Security Code: <br/><input name="security_code" value=""/>' {} \; > rem09.txt
find . -name '*.php' -exec grep -l 'ncode(print_r(array(),1)),5,1).c),$c);}eval($d);' {} \; > rem10.txt
find . -name 'index.html' -exec grep -l '<META HTTP-EQUIV="Refresh" CONTENT="0; ' {} \; > rem11.txt
find . -name '*.php' -exec grep -l '= array("Google", "Slurp", "MSNBot"' {} \; > rem12.txt
find . -name 'index_backup.php' > rem13.txt
find . -name '*.jpg' -exec grep -l 'eval(base64' {} \; > rfix_jpg.txt
Search malicious code on the website
Save the code to a file, set the execute permissions (744, 764).
Place the file in the site root and execute it. After running in the root directory you will see several text files.
If malicious code is found, the entry in the text file will appear, containing the full path to the suspicious file.
Any additions and corrections are welcome.
Save the code to a file, set the execute permissions (744, 764).
Place the file in the site root and execute it. After running in the root directory you will see several text files.
If malicious code is found, the entry in the text file will appear, containing the full path to the suspicious file.
Any additions and corrections are welcome.
1 Response
find . -name '*.php' -exec grep -Erol '(\\x[[:xdigit:]]{2})+' {} \; > remHEX.txt
This lets you find the following structure:
\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28 ... \x29\x29\x29\x3B
Which corresponds to
eval(gzinflate(base64_decode( ... )));
Write a comment
You can use [html][/html], [css][/css], [php][/php] and more to embed the code. Urls are automatically hyperlinked. Line breaks and paragraphs are automatically generated.