Regular Expression to find webshell, one-sentence Trojan

Grep-r-include = *. php' [^ a-z] eval ($ _ POST '.> grep.txt
 
Grep-r-include = *. php 'file _ put_contents (. * $ _ POST \ [. * \]); '.> grep.txt
 
Combined with find. -name "*. php "-type f-print0 | xargs-0 egrep" (phpspy | c99sh | milw0rm | eval \ (encoding \ (base64_decode | eval \ (base64_decode | spider_bc | gzinflate)
 
"| Awk-F: '{print $1}' | sort | more thorough uniq search
 
Find-type f-name \ *. php-exec chmod 444 {}\;
 
Find-mtime-1-type f-name \ *. php
 
Find/websitedir/-type f-name "*. php" | xargs grep "eval (">/home/test.txt
 
Find. /-name "*. php "-type f-print0 | xargs-0 egrep" (phpspy | c99sh | milw0rm | eval \ (gunerpress | eval \ (base64_decode | spider_bc) "| awk-F: '{print $1 }'
 
| Sort | uniq
 
Find. /-name "*. php "-type f-print0 | xargs-0 egrep" (phpspy | c99sh | milw0rm | eval \ (gunerpress | eval \ (base64_decode | spider_bc) "| awk-F: '{print $1 }'
 
| Sort | uniq
 
/Websitedir/www.2cto.com to your own forum program directory
 
Check the test.txt file to see if there are any special non-Forum programs. If it is not uploaded by yourself, back up and delete it.
 
Find./-Name "*. Php" | Xargs Grep 'eval ($ _ Post'
 
Find./-Name "*. Php" | Xargs Grep 'phpspy'
 
Trojan and backdoor detection and removal
A common backdoor:
Grep-r-include = *. php' [^ a-z] eval ($ _ POST '.> grep.txt
Grep-r-include = *. php 'file _ put_contents (. * $ _ POST \ [. * \]); '.> grep.txt
 
Author: Q: How worried are you?