====== Search infected PHP files ======

First scan with maldet (+clamav for performance).

  * [[https://www.rfxn.com/projects/linux-malware-detect/]]

Searching suspicious words:

  # -print0 / xargs -0 keeps file names containing spaces intact
  find . -type f -name '*.php' -print0 | xargs -0 grep -Ei "(shell_exec|system|stream_socket_client|gzinflate|passthru|eval|base64_decode) *\(" > /tmp/scanresult_suspicious.txt
  find . -type f -name '*.php' -print0 | xargs -0 grep -Ei "eval/" > /tmp/scanresult_eval.txt
  # index.php files larger than 1900 bytes
  find . -name 'index.php' -size +1900c > /tmp/scanresult_indexmorekb.txt
  # PHP files modified within the last 60 days
  find . -mtime -60 -name '*.php' > /tmp/scanresult_modified_php.txt
  find . -type f -name '*.php' -print0 | xargs -0 grep -Ei "hacked|hacker|hack" > /tmp/scanresult_hacked.txt
  find . -type f -name '*.php' -print0 | xargs -0 grep -i "paypal" > /tmp/scanresult_paypal.txt
  find . -type f -name '*.php' -print0 | xargs -0 grep -Ei "64_decode" > /tmp/scanresult_64_decode.txt
  find . -type f -name '*.php' -print0 | xargs -0 grep -Ei "lohec35" > /tmp/scanresult_lohec35.txt
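
Added example (not part of the original page): the first grep above returns one line per match, which gets long on a large site. This sketch reuses the same word list to rank each PHP file by how many distinct listed functions it calls, so the files to read first come out on top. The function names ''rank_suspicious'' and ''make_samples'' and the sample files are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Pattern list is the one used in the page's first grep.
PATTERN='(shell_exec|system|stream_socket_client|gzinflate|passthru|eval|base64_decode) *\('

# rank_suspicious DIR
# Prints "<count> <path>" for each *.php file, where <count> is the number of
# DISTINCT listed functions called in it, highest first. A high count is a
# reason to read the file, not proof of infection ("filesystem(" also matches).
rank_suspicious() {
    # find -exec ... {} + hands paths over as arguments, so spaces are safe.
    find "$1" -type f -name '*.php' -exec sh -c '
        pat=$1; shift
        for f do
            n=$( { grep -Eio -- "$pat" "$f" || true; } |
                 tr "[:upper:]" "[:lower:]" | sed "s/ *(\$//" | sort -u | wc -l )
            if [ "$n" -gt 0 ]; then printf "%d %s\n" "$n" "$f"; fi
        done' sh "$PATTERN" {} + | sort -k1,1nr -k2
}

# Constructed sample tree: inert strings only, nothing here is real malware.
make_samples() {
    mkdir -p "$1/up loads"
    printf '%s\n' '<?php echo strtoupper("hello"); ?>' > "$1/index.php"
    printf '%s\n' '<?php eval(gzinflate(base64_decode("CONSTRUCTED-PLACEHOLDER"))); ?>' \
        > "$1/up loads/cache.php"
    printf '%s\n' '<?php $o = shell_exec ("uptime"); EVAL("1;"); eval("2;"); ?>' \
        > "$1/cron.php"
}

# Demo on the samples; on a real site call: rank_suspicious /path/to/docroot
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
rank_suspicious "$demo_dir"
rm -rf "$demo_dir"
```

Files that chain several of these calls (for example eval + gzinflate + base64_decode in one file) rank above files with a single ''system('' call, which is usually the more useful order for manual review.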