Find possible hacked files in Linux


These commands search a directory tree for PHP files containing code patterns that are commonly found in hacked (web-shell or backdoored) files. A hit is a lead to inspect, not proof of compromise.

find . -type f -name '*.php' -print0 | xargs -0 grep -l "eval" --color
or
find . -type f -name '*.php' -print0 | xargs -0 grep -l "eval *(" --color
or
find . -type f -name '*.php' -print0 | xargs -0 grep -l 'eval *("\\' --color
(the last form matches eval() applied to a string literal that begins with a backslash escape sequence)

find . -type f -name '*.php' -print0 | xargs -0 grep -l "hex2bin" --color

Another PHP function that you could look for as well is str_rot13.

find . -type f -name '*.php' -print0 | xargs -0 grep -l 'preg_replace *("\\' --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "base64_decode *(" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "gzinflate *(" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "eval *(str_rot13 *(base64_decode *(" --color

The following find commands echo the matching line itself (grep -H prefixes each line with the file name). Replace the placeholder in the first one with the text you are searching for:
find . -name "*.php" -exec grep -H "*search content here*" {} \;
find . -name "*.php" -exec grep -H "eval(" {} \;
find . -name "*.php" -exec grep -H "str_replace *(" {} \;

These are a couple that may return more false positives, but it is sometimes better to get them than not. _REQUEST is often used in malicious code, but it is also often used in regular programming, so this one will give you a lot of false positives. Setting display_errors to 0 is something attackers use to hide errors, so not too many legitimate files would contain it.
find . -name "*.php" -exec grep -H "_REQUEST" {} \;
find . -name "*.php" -exec grep -H 'ini_set("display_errors", *0);' {} \;
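The individual commands above can be combined into one scan. The script below is an added example, not part of the original post: it folds the patterns listed above into a single extended regex, prints every hit as path:line:text (so file names with spaces are handled via -print0/-0), and, when run with no argument, builds a constructed sample web root in a temporary directory so the scan can be tried offline. The function names (scan_php_dir, make_sample_tree) and the sample file contents are assumptions made for this example; the sample files are inert text and are never executed.

```shell
#!/bin/sh
# Added example (not from the original post): scan a tree of PHP files for the
# indicator patterns discussed above and print each hit as path:lineno:line.

# One extended regex (grep -E) built from the post's patterns. " *\(" allows
# optional spaces before the opening parenthesis; \( and \) are literal.
SUSPECT_RE='eval *\(|hex2bin|str_rot13|preg_replace *\(|base64_decode *\(|gzinflate *\(|ini_set\("display_errors", *0\)'

# scan_php_dir DIR : print every matching line in *.php files under DIR.
# Returns 0 if at least one hit was found, 1 otherwise (grep's own status).
# /dev/null is passed first so grep never falls back to reading stdin when
# the find produces no files at all.
scan_php_dir() {
    find "$1" -type f -name '*.php' -print0 \
        | xargs -0 grep -nHE "$SUSPECT_RE" /dev/null
}

# make_sample_tree : build a constructed sample web root in a temp dir and
# print its path. Hypothetical content for demonstration only.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/lib" "$d/uploads/with space"
    # Benign file: uses _REQUEST, which the post notes is a frequent false
    # positive, but none of the patterns in SUSPECT_RE.
    printf '%s\n' '<?php' '$id = (int)$_REQUEST["id"];' 'echo $id;' \
        > "$d/lib/page.php"
    # Suspicious file: error hiding plus an obfuscated string fed to eval.
    printf '%s\n' '<?php' 'ini_set("display_errors", 0);' \
        'eval(str_rot13(base64_decode($payload)));' \
        > "$d/uploads/with space/x.php"
    # Same content under a non-.php name must be ignored by the scan.
    cp "$d/uploads/with space/x.php" "$d/uploads/notes.txt"
    printf '%s\n' "$d"
}

# Usage: ./scan.sh /var/www   (with no argument, scan the sample tree instead)
if [ $# -ge 1 ]; then
    scan_php_dir "$1"
else
    root=$(make_sample_tree)
    scan_php_dir "$root"
    rm -rf "$root"
fi
```

Against the sample tree the scan reports only the two lines in uploads/with space/x.php (the ini_set call and the eval call); lib/page.php and the .txt copy produce nothing. On a real web root, review each reported line in context, since base64_decode, preg_replace and friends also appear in legitimate code.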
Posted on April 12, 2015