anabelle · December 16, 2011 02:17
diff --git a/commands-to-find-malware.sh b/commands-to-find-malware.sh
 # files modified within 30 days.
 find /home/mywebsite -type f -name "*.php" -ctime -30   

 # find for suspicious strings
 find ./ -name "*.php" -type f |  xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1
 find ./ -name "*.php" -type f |  xargs sed -i '/./,$!d' 2>&1

 # grep for suspicious and very long strings
 grep -R "document.write(unescape" *
 grep -iR --include "*.js" "[a-zA-Z0-9\/\+]\{255,\}" *
 grep -iR --include "*.php" "[a-zA-Z0-9\/\+]\{255,\}" *

 # fix file permissions (755 for folders, 644 for files)
 chmod -R 755 *
 find -type f -print0|xargs -0 chmod 644
	# files modified within 30 days.
	find /home/mywebsite -type f -name "*.php" -ctime -30

	# find for suspicious strings
	find ./ -name ".php" -type f \| xargs sed -i 's#<?php /\\/ eval(base64_decode("aWY.?>##g' 2>&1
	find ./ -name "*.php" -type f \| xargs sed -i '/./,$!d' 2>&1

	# grep for suspicious and very long strings
	grep -R "document.write(unescape" *
	grep -iR --include ".js" "[a-zA-Z0-9\/\+]\{255,\}"
	grep -iR --include ".php" "[a-zA-Z0-9\/\+]\{255,\}"

	# fix file permissions (755 for folders, 644 for files)
	chmod -R 755 *
	find -type f -print0\|xargs -0 chmod 644