Quickly scanning files & folders for malicious code

While we continue to use ClamAV and Maldet for detecting viruses and malware on the server, some times they do not detect them, in those situations here are some of the commands that we routinely use

ls -R | grep '\.php$'

1	ls -R \| grep '\.php$'

To show all the PHP files in a folder or subfolder, we run them on uploads to make sure there no PHP files in those folders.

grep -rnw '/var/www' -e '@include '

1	grep -rnw '/var/www' -e '@include '

Since many of these WordPress infections have @include in the code, the above command finds all the files with @include text, space is intentional.

find . -type f \( -name '*.php' -or -name '*.node' \) -exec grep -li "eval(base64_decode" {} \; 2>/dev/null | xargs perl -i -p0e 's/<\?php.*?\?>//s'

1	find . -type f $ -name '.php' -or -name '.node' $ -exec grep -li "eval(base64_decode" {} \; 2>/dev/null \| xargs perl -i -p0e 's/<\?php.*?\?>//s'

And here is another command that is useful in a WordPress based website, where we don’t expect most of the files to change regularly, you can run the following command to find a list of all files inside “/home/mywebsite” with the extension .php that have been changed within 30 days,

find /home/mywebsite -type f -name "*.php" -ctime -30

1	find /home/mywebsite -type f -name "*.php" -ctime -30

Updated on Jun 19, 2021