
Search infected PHP files

First, scan with maldet (+clamav for performance).

Searching suspicious words:

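# Calls to functions often seen in web shells and obfuscated code
# (-print0 / xargs -0 keep file names with spaces intact, -H always prints the file name)
find . -type f -name '*.php' -print0 | xargs -0 grep -EiH "(shell_exec|system|stream_socket_client|gzinflate|passthru|eval|base64_decode) *\(" > /tmp/scanresult_suspicious.txt

# The string "eval/"
find . -type f -name '*.php' -print0 | xargs -0 grep -EiH "eval/" > /tmp/scanresult_eval.txt

# index.php files larger than 1900 bytes
find . -type f -name 'index.php' -size +1900c > /tmp/scanresult_indexmorekb.txt

# PHP files modified in the last 60 days
find . -type f -mtime -60 -name '*.php' > /tmp/scanresult_modified_php.txt

# Defacement wording
find . -type f -name '*.php' -print0 | xargs -0 grep -EiH "hacked|hacker|hack" > /tmp/scanresult_hacked.txt

# References to PayPal
find . -type f -name '*.php' -print0 | xargs -0 grep -iH "paypal" > /tmp/scanresult_paypal.txt

# Any *64_decode call, including base64_decode
find . -type f -name '*.php' -print0 | xargs -0 grep -EiH "64_decode" > /tmp/scanresult_64_decode.txt

# The string "lohec35"
find . -type f -name '*.php' -print0 | xargs -0 grep -EiH "lohec35" > /tmp/scanresult_lohec35.txt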
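
The content searches above can be combined into one ranked report, so that files matching several indicators come first during review. This is an added example, not part of the original page: the function names php_indicators and rank_php_hits and the tab-separated report layout are assumptions, and it leaves out the "eval/" and "lohec35" strings and the size and mtime checks.

```shell
#!/bin/sh
# Added example: rank PHP files by how many of the page's indicators they match.
# Function names and report layout are assumptions, not from the original page.
# Assumes file paths contain no tab or newline characters.

# One indicator per line as "label<TAB>extended regex" (patterns from the page).
php_indicators() {
    printf '%s\t%s\n' \
        func_call '(shell_exec|system|stream_socket_client|gzinflate|passthru|eval|base64_decode) *\(' \
        defaced   'hacked|hacker|hack' \
        paypal    'paypal' \
        b64       '64_decode'
}

# rank_php_hits DIR
# Prints "hits<TAB>labels<TAB>path" for every matching file, most hits first.
rank_php_hits() {
    dir=$1
    tab=$(printf '\t')
    php_indicators | while IFS="$tab" read -r label regex; do
        # -exec ... {} + passes names safely (spaces included) and runs
        # nothing when no file is found; -l lists each matching file once.
        find "$dir" -type f -name '*.php' -exec grep -lEi -e "$regex" -- {} + |
            sed "s/^/$label$tab/"
    done |
    awk -F '\t' '{ n[$2]++; l[$2] = l[$2] (l[$2] ? "," : "") $1 }
                 END { for (f in n) printf "%d\t%s\t%s\n", n[f], l[f], f }' |
    sort -t "$tab" -k1,1nr -k3,3
}
```

Run it as `rank_php_hits . > /tmp/scanresult_ranked.txt`. A high count only sets review priority, since legitimate code also calls functions such as system() and base64_decode().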
sandbox/search-infected-php.txt · Last modified: 2019/04/25 23:46 by dreiggy