How to easily find infected/hacked files from the command line

This short guide shows how to find potentially hacked PHP files quickly from the Linux command line over SSH, instead of opening files one by one and hoping to spot the compromised ones by hand.

First of all, if you know roughly when the hack happened, you can list the PHP files modified in the last few days. For the last 24 hours:

find /home -iname '*.php' -mtime -1 > /tmp/diff-$(date +%Y-%m-%d).log

Change the number after -mtime to suit your needs (-mtime -3 for the last three days, -mmin -60 for the last hour). Keep in mind that an attacker can reset a file's modification time with touch, so if the list looks suspiciously short, repeat the search with -ctime instead: the inode change time is updated by every write, chmod or touch and cannot be backdated with touch.

If you want the results sent to your email, use this (after replacing the address with yours):

mail -s "Recently modified PHP files" address@youremail.com < /tmp/diff-$(date +%Y-%m-%d).log

This shows you what was edited so you can then clean the files by hand.

If you do not know when the hack happened, you can still catch a large share of infected files by searching for the $GLOBALS variable inside them. Injected PHP very commonly stores its obfuscated payload in $GLOBALS as hex-escaped strings (\x61\x62...), so $GLOBALS followed by a \x escape on the same line is a strong signal.

This can be done with the following command (replace USER with the account's username):

grep -Erl '\$GLOBALS.*\\x' /home/USER/public_html

Please note that there may be false positives: legitimate code can reference $GLOBALS, so review each hit before deleting anything, and keep a copy of every file you remove. The reverse is also true: this pattern only catches one obfuscation style, so a clean result from grep does not prove the site is clean.
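As an added example (not part of the original post), the checks described above are wrapped in shell functions and run against a constructed directory tree: one clean file, one injected file, and one injected file whose modification time was backdated the way attackers often do. All paths, file names and file contents here are made up for the demonstration; the ctime variant is an addition to the guide's own commands.

```bash
#!/bin/sh
# Added example, not the guide's own code. The two checks from the post
# (recent mtime, $GLOBALS + \x hex escape) as functions, plus a ctime
# variant, exercised on a constructed public_html tree.
set -eu

# make_sample_tree DIR: build a fake public_html (constructed sample data) with
# a clean file, an injected file, and an injected file with a backdated mtime.
make_sample_tree() {
    mkdir -p "$1/public_html/wp-includes"
    printf '%s\n' '<?php echo "hello";' > "$1/public_html/index.php"
    printf '%s\n' '<?php $GLOBALS["\x61"]="\x62"; eval($GLOBALS["\x61"]);' \
        > "$1/public_html/wp-includes/class-wp.php"
    printf '%s\n' '<?php $GLOBALS["\x63"]="x";' > "$1/public_html/old.php"
    # POSIX touch -t sets mtime to 2020-01-01; ctime still becomes "now",
    # which is exactly why the ctime check below still finds this file.
    touch -t 202001010000 "$1/public_html/old.php"
}

# modified_php DIR DAYS: PHP files whose mtime is within the last DAYS days
modified_php() {
    find "$1" -type f -iname '*.php' -mtime -"$2" | sort
}

# changed_php DIR DAYS: same search on ctime, which touch cannot backdate
changed_php() {
    find "$1" -type f -iname '*.php' -ctime -"$2" | sort
}

# globals_hex_php DIR: files containing $GLOBALS followed by a \x hex escape
globals_hex_php() {
    # grep exits 1 when nothing matches; under set -e that must not abort us
    grep -Erl '\$GLOBALS.*\\x' "$1" || true
}

# report DIR DAYS: union of all three checks, one path per line; redirect it
# to a dated log or pipe it into mail exactly as the guide does
report() {
    { modified_php "$1" "$2"; changed_php "$1" "$2"; globals_hex_php "$1"; } | sort -u
}

# Run with --demo to see the report for the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    report "$tmp/public_html" 1
    rm -rf "$tmp"
fi
```

On the sample tree the mtime check returns only the two freshly written files, the ctime check also returns the backdated old.php, and the grep returns both injected files but not index.php; the report is the union of the three lists. Every hit still needs a human look before anything is deleted.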
