Find malware scripts on your server


grep -Rn 'GIF89aG' /var/www


grep -Rn 'shell *(' /var/www
grep -Rn 'tcp *(' /var/www
grep -Rn 'system *(' /var/www


grep -Rn 'eval(base64_decode(' /var/www
grep -Rn 'eval(gzinflate(base64_decode(' /var/www
grep -Rn 'eval(gzuncompress(base64_decode(str_rot13(' /var/www
grep -Rn 'eval(str_rot13(gzinflate(base64_decode(' /var/www

Or search for these functions with one command:


grep -RPn '(system|shell|tcp) *\(' /var/www

If you do not want the matching content displayed and only need the names of the files, use:

grep -RlPn '(system|shell|tcp) *\(' /var/www

Other examples:


grep -Rn 'shell_exec *(' /var/www
grep -Rn 'base64_decode *(' /var/www
grep -Rn 'phpinfo *(' /var/www
grep -Rn 'system *(' /var/www
grep -Rn 'php_uname *(' /var/www
grep -Rn 'chmod *(' /var/www
grep -Rn 'fopen *(' /var/www
grep -Rn 'fclose *(' /var/www
grep -Rn 'readfile *(' /var/www
grep -Rn 'edoced_46esab *(' /var/www
grep -Rn 'eval *(' /var/www
grep -Rn 'passthru *(' /var/www
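
Added example (not part of the original page): one pass that ranks files by how many lines call the functions searched for above, using grep -E with a guard so that "filesystem(" does not count as "system(". The names scan_webroot and make_sample_root and the sample files are constructed for this example.

```shell
# Function names taken from the grep commands on this page.
SUSPECT_FUNCS='eval|system|shell_exec|passthru|base64_decode|edoced_46esab|gzinflate|gzuncompress|str_rot13|php_uname'

# scan_webroot DIR
# Prints "<matching lines><TAB><file>" for each file with at least one hit,
# highest count first.
scan_webroot() {
    # -a: treat binary files as text so image files are searched too.
    # -c: print a per-file count instead of the matching lines.
    # The leading group keeps "filesystem(" from matching "system(".
    # grep exits 1 when nothing matches; that is not an error here.
    { grep -RacE "(^|[^A-Za-z0-9_])(${SUSPECT_FUNCS}) *\(" "$1" 2>/dev/null || true; } \
        | awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' \
        | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Build a constructed sample web root (placeholder strings only).
make_sample_root() {
    d=$(mktemp -d)
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/index.php"
    printf '%s\n' '<?php $fs = new Filesystem(); filesystem ($path); ?>' > "$d/lib.php"
    printf '%s\n' 'GIF89aG' '<?php eval(base64_decode("PLACEHOLDER"));' \
        'system ($cmd);' > "$d/logo.gif"
    printf '%s\n' '<?php eval(gzinflate(base64_decode("PLACEHOLDER")));' > "$d/cache.php"
    echo "$d"
}

# Demo on the constructed files; on a real server run: scan_webroot /var/www
demo_root=$(make_sample_root)
scan_webroot "$demo_root"
rm -rf "$demo_root"
```

A hit is a lead for manual review, since legitimate code also calls functions such as eval() or base64_decode().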

Find files owned by www-data:


find /var/www -user www-data
