How to easily find infected/hacked files from the command line
This short guide shows how to find potentially hacked files quickly from the Linux command line over SSH, instead of opening files one by one and hoping to spot the hacked ones manually.
First of all, if you know the date the hack happened, you can find which PHP files were modified recently. The following command lists those changed in the last day:
find /home -iname '*php' -mtime -1 > /tmp/diff-$(date +%Y-%m-%d).log
You can change the number after -mtime to whatever suits your needs.
If you want to send the results to your email, use this (after replacing the address with your own):
mail address@youremail.com < /tmp/diff-$(date +%Y-%m-%d).log
This can help you find what was edited, so you can then clean the files manually.
If you do not know when the hack happened, you can find a large percentage of hacked files by searching for the $GLOBALS variable inside them, followed by a \x hex escape. This is one of the most common ways malicious code is inserted into PHP files.
This can be done with the following command (replace USER with the username):
egrep -Rl '\$GLOBALS.*\\x' /home/USER/public_html
Please note that there may be false positives.
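The two checks above combined into one POSIX shell function, as an added example that is not part of the original guide: it lists PHP files matching the $GLOBALS pattern, optionally only recently modified ones, and sorts them by the number of \xNN escapes so the most heavily encoded files are reviewed first. The names scan_php and make_sample, the escape-count ranking and the sample files are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original guide.
PATTERN='\$GLOBALS.*\\x'   # same regex as the egrep command in the guide

# scan_php DIR [DAYS]
# Prints "<count><TAB><path>" for each PHP file under DIR that matches
# PATTERN, where count is the number of \xNN escapes in the file, highest
# first. With DAYS set, only files modified in the last DAYS days are checked.
# Assumes file names contain no newlines.
# e.g. scan_php /home/USER/public_html 7
scan_php() {
    dir=$1
    days=${2:-}
    # Reuse the positional parameters to hold the optional -mtime test.
    if [ -n "$days" ]; then set -- -mtime "-$days"; else set --; fi
    find "$dir" -type f -iname '*php' "$@" -exec grep -El "$PATTERN" {} + |
    while IFS= read -r f; do
        n=$(grep -Eo '\\x[0-9a-fA-F]{2}' "$f" | wc -l)
        printf '%d\t%s\n' "$n" "$f"
    done | sort -rn
}

# Constructed sample tree for trying the function (harmless strings only):
# two files that match, one PHP file that does not, one non-PHP file.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '<?php $GLOBALS["a"] = "\x68\x65\x6c\x6c\x6f"; ?>' > "$d/hit one.php"
    printf '%s\n' '<?php $GLOBALS["b"] = "\x41\x42"; ?>' > "$d/low.php"
    printf '%s\n' '<?php $GLOBALS["cfg"] = "plain"; ?>' > "$d/clean.php"
    printf '%s\n' '$GLOBALS \x41' > "$d/notes.txt"
    printf '%s\n' "$d"
}
```

A low count does not clear a file and a high count does not prove infection; the ranking only orders the manual review.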
Michalis Michailidis