grep -lr --include=*.php "eval(base64_decode" /home find /home -type f -name '*.php' | xargs grep -l "eval *(" --color find /home -type f -name '*.php' | xargs grep -l "base64_decode *(" --color find /home -type f -name '*.php' | xargs grep -l "gzinflate *(" --color find /home -type f -name '*.php' | xargs grep -l "outdo" --color find /home -type f -name '*.php' | xargs grep -l "eval*_POST" --color find /home -type f -name '*.php' | xargs grep -l "$ptzrw" --color find /home/*/domains/*/public_html/wp-content/uploads -type f -name '*.php' find /home/ -type d -perm 777 -exec find {} -name "*.php" \; find wp-admin -type f -name '*.php' | xargs grep -l "gzinflate *(" --color find /home -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color find /home -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\(" --color find /home -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color find /home -type f -name '\.htaccess' | xargs grep -i auto_prepend_file; find /home -type f -name '\.htaccess' | xargs grep -i auto_append_file; awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -r awk -F\" '($2 ~ "/wp-admin/"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r awk -F\" '($2 ~ "qjhtwaba.php"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r awk -F\" '($2 ~ "c0nfig.php"){print $1}' /var/log/httpd/domains/*log | awk '{print $1}' | sort | uniq -c | sort -r awk '($9 ~ /404/)' /var/log/httpd/domains/*log | awk -F\" '($2 ~ "^GET .*\.php")' | awk '{print $7}' | sort | uniq -c | sort -r | head -n 20 awk -F\" '{print $2}' /var/log/httpd/access_log | awk '{print $2}' | sort | uniq -c | sort -r cat /var/log/httpd/access_log | grep -E "wp-admin|wp-login|POST /" | awk '{print $1 "\t" $7}' grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' /home -lroE --include=*.php* grep 'eval\(stripslashes\(\$_REQUEST' /home -lroE --include=*.php* grep 'eval\(\$_POST' /home -lroE --include=*.php* grep 'shell_exec' /home -lroE --include=*.php* grep 'if\(isset\(\$_REQUEST\[\$post_var' /home -lroE --include=*.php* grep "eval" /home -lroE --include=*.ico* find /home/ -name "*".php -type f -print0 | xargs -0 grep "create_function" | grep "base" | grep "COOKIE" --color find /home/ -name "*".php -type f -print0 | xargs -0 grep "exit" | grep "eval" | grep "GLOBALS" --color find /home/ -name "*".php -type f -print0 | xargs -0 grep "isset" | grep "eval" | grep "strtoupper" --color grep -R -rnw '/var/log/httpd/domains/omranifard.com.log' -e "sqatrhjf.php" | cut -d ":" -f 2 | cut -d " " -f 1 find /home/ -name "*".php -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq find /home/ -name "*".php -type f -print0 | xargs -0 grep c99 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq grep 'create_function|base64_decode' /home -lroE --include=*.php* grep -E 'char|nchar|varchar|nvarchar|alter|begin|cast|create|cursor|declare|delete|drop|end|exec|execute|fetch|insert|kill|open|select|sys|sysobjects|syscolumns|table|update' /var/log/httpd/access_lo* grep -R —include="*.php" -rnw '/home/' -e "GLOBALS\[\$GLOBALS" find /home/ -name "*".php -type f -print0 | xargs -0 grep "SHELL_PASSWORD" | awk '{print $1}' find /home/ -name "*".php -type f -print0 | xargs -0 grep "auth_pass" | grep "base64_decode" | awk '{print $1}' find /home/ -name "*".php -type f -print0 | xargs -0 grep "57hom" | awk '{print $1}' find /home/ -name "*".php -type f -print0 | xargs -0 grep "wp_kses_data" | grep "wp_nonce" | grep "null" | grep "_wp_admin_bar_init"| awk '{print $1}' find /home/ -name "*".php -type f -print0 | xargs -0 grep "^" | grep "exit" | grep "Array" | awk '{print $1}' find /home/ -name "*".php -type f -print0 | xargs -0 grep "return" | grep "strlen" | grep "Array" | grep "isset" | grep "rawurl" | awk '{print $1}'