There are more and more kinds of viruses, so the chance of running into one keeps growing, and sometimes an infection cannot be avoided. Suppose a Linux computer has been infected and can no longer be used normally. To fix the problem you first have to find the virus file; only after it is removed is the problem solved. So how do you find the virus file? Linux has a find command that can locate it. The examples below show how to use find to locate the virus.
Example
find wwwroot/* -type f -name "*.php" | xargs grep "eval(" > wwwroot/eval.txt
find wwwroot/* -type f -name "*.php" | xargs grep "udp:" > wwwroot/udp.txt
find wwwroot/* -type f -name "*.php" | xargs grep "tcp:" > wwwroot/tcp.txt
In addition, the signatures commonly circulated on the Internet are listed below (PS: the list certainly has omissions):
Backdoor signature -> cha88.cn
Backdoor signature -> C99shell
Backdoor signature -> Phpspy
Backdoor signature -> scanners
Backdoor signature -> cmd.php
Backdoor signature -> str_rot13
Backdoor signature -> Webshell
Backdoor signature -> Egy_spider
Backdoor signature -> tools88.com
Backdoor signature -> Secforce
Backdoor signature -> eval("?>
Suspicious code signature -> system(
Suspicious code signature -> passthru(
Suspicious code signature -> shell_exec(
Suspicious code signature -> exec(
Suspicious code signature -> popen(
Suspicious code signature -> proc_open
Suspicious code signature -> eval($
Suspicious code signature -> assert($
Dangerous MySQL code -> returns string soname
Dangerous MySQL code -> into outfile
Dangerous MySQL code -> load_file
Encrypted backdoor signature -> eval(gzinflate(
Encrypted backdoor signature -> eval(base64_decode(
Encrypted backdoor signature -> eval(gzuncompress(
Encrypted backdoor signature -> gzuncompress(base64_decode(
Encrypted backdoor signature -> base64_decode(gzuncompress(
One-line backdoor signature -> eval($_
One-line backdoor signature -> assert($_
One-line backdoor signature -> require($_
One-line backdoor signature -> require_once($_
One-line backdoor signature -> include($_
One-line backdoor signature -> include_once($_
One-line backdoor signature -> call_user_func("assert")
One-line backdoor signature -> call_user_func($_
One-line backdoor signature -> $_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]
One-line backdoor signature -> echo(file_get_contents($_POST/GET/REQUEST/COOKIE
Upload backdoor signature -> file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE)
Upload backdoor signature -> fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[
.htaccess signature -> SetHandler application/x-httpd-php
.htaccess signature -> php_value auto_prepend_file
.htaccess signature -> php_value auto_append_file
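The find commands and the signature list above can be combined into a single pass. The following is an added example, not part of the original article: the function names, the shortened signature subset and the sample files are assumptions made for illustration, and matching is case-insensitive.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): one-pass signature scan.
# SIGNATURES holds a few of the fixed strings from the list above.
SIGNATURES='eval($_
assert($_
eval(base64_decode(
eval(gzinflate(
shell_exec(
passthru(
into outfile
SetHandler application/x-httpd-php
php_value auto_prepend_file
php_value auto_append_file'

# scan_webroot ROOT REPORT
# Writes one "file:line:text" entry per hit to REPORT.
# Returns 0 when at least one hit was written, 1 when nothing matched.
scan_webroot() {
    local root="$1" report="$2"
    # -print0 / -0: file names with spaces or newlines stay in one piece.
    # -F literal strings, -i ignore case (PHP function names are
    # case-insensitive), -n line numbers, -H always print the file name,
    # -I skip binary files.
    # grep exits 1 when nothing matches, so "|| :" keeps a clean tree
    # from aborting a caller that runs under "set -e".
    find "$root" -type f \( -name '*.php' -o -name '.htaccess' \) -print0 |
        xargs -0 -r grep -F -i -n -H -I -e "$SIGNATURES" > "$report" || :
    [ -s "$report" ]
}

# make_sample_tree DIR: constructed test data, inert fragments only.
make_sample_tree() {
    mkdir -p "$1/img"
    printf '%s\n' '<?php echo "hello"; ?>' > "$1/index.php"
    printf '%s\n' '<?php // constructed fragment: Eval($_POST[k]' \
        > "$1/img/old upload.php"
    printf '%s\n' '# constructed' 'php_value auto_prepend_file x.php' \
        > "$1/img/.htaccess"
}

# Demo: the report lives outside the web root so it is neither served
# to visitors nor picked up by the next scan.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir/wwwroot"
scan_webroot "$demo_dir/wwwroot" "$demo_dir/report.txt" && cat "$demo_dir/report.txt"
```

Hits are leads for manual review, not proof of infection: legitimate code also calls functions such as shell_exec(.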
Linux users may want to save this method: if the computer is ever infected by a virus, it can help prevent important files on the computer from being lost. Better safe than sorry, so it pays to prepare early!