====== Finding malicious PHP code ======

Here I will be collecting different methods of finding malicious PHP code on a server.

===== Grep for it =====

Run the following command to get the list of all the files containing strings that are longer than 62 alphanumeric characters:

<code bash>
cd /your/web/directory
# quoting the glob stops the shell from expanding *.php before grep sees it
grep -r --include='*.php' -e '[[:alnum:]]\{63,\}'
</code>

Now to find all the PHP files that contain runs of alphanumeric characters, forward slashes and plus signs (the base64 alphabet) that are longer than 136 characters, run:

<code bash>
cd /your/web/directory
grep -r --include='*.php' -e '[[:alnum:]\/\+]\{137,\}'
</code>

The above two commands are excellent for finding malicious/hacked files, and we use them when we are cleaning up a hacked Joomla website in order to weed out those files.

==== Don't forget JS files ====

Seeing as how I have nothing to do with JavaScript I thought it best to put these tidbits here. You can use the same method for JavaScript files, except that the numbers are different: for core JavaScript files, the maximum size of an alphanumeric string is 149 characters, and that of an alphanumeric string with pluses and forward slashes is 480.

Which means that we will need to run the commands below to get those potentially malicious JavaScript files:

<code bash>
cd /your/web/directory
grep -r --include='*.js' -e '[[:alnum:]]\{150,\}'
</code>

and

<code bash>
cd /your/web/directory
grep -r --include='*.js' -e '[[:alnum:]\/\+]\{481,\}'
</code>

===== Searching for specific exploits =====

Here is a simple way to find specific script kiddie exploits:

<code bash>
cd /your/web/directory
# names of well-known shells/bots/tools, matched case-insensitively (-i); -l prints only the file name
exploitpattern='r0nin|m0rtix|upl0ad|r57shell|cFaTaLisTiCz_Fx|Tukulesto|99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|cwings|vandal|bitchx|eggdrop|guardservices|psybnc|dalnet|undernet|vulnscan|spymeta|raslan58|Webshell'
# -print0 / -0 keep file names with spaces intact on the way into xargs
find ./ \( -regex '.*\.php$' -o -regex '.*\.cgi$' -o -regex '.*\.inc$' \) -print0 | xargs -0 egrep -il "$exploitpattern" | sort
</code>

===== Checking for eval =====

If you ask, quite a few PHP programmers will say that "eval" is one of the worst/most dangerous functions ever added to PHP. However, it's perfect for hackers/script kiddies.

<code bash>
cd /your/web/directory
# grep -v ' ' skips paths containing spaces (xargs without -0 would split them);
# grep '.php' keeps any path containing ".php"; the final grep looks for eval() fed from $_POST
find -type f | grep -v ' ' | grep '.php' | xargs grep 'php .*eval.*_POST'
</code>

===== Not clamming up =====

Let's not forget our beloved ClamScan util.

<code bash>
cd /your/web/directory
# -r recurses, -i prints only infected files; keep just the FOUND lines
clamscan ./ -r -i | grep " FOUND"
</code>