Marc Blase

Having your site hacked sucks!

I had noticed that some sites I admin were showing blocks of nefarious code. If you’ve never been hacked, it kinda looks something like this:

echo eval(base64_decode("BAD CODES HERE"));

I was then lucky enough to dig through the sites and find all instances of the bad/offensive code. Here are some Linux CLI commands to make that much easier:

grep "((eval.*(base64_decode|gzinflate))|r57|c99|sh(3(ll|11)))" . -roE --include='*.php*'

Run this from your hosting root and it will print a line for each match, with the file name and the matched text (the quotes around the --include pattern stop the shell from expanding it before grep sees it). Update all those files and lock the sites down, that is, make them read-only so the bad code can no longer spread.

Now to find out where they got in. Here’s one to help read through the logs:

grep --color=auto -n 'POST' ~/PATH/TO/HTTP/LOGS/* > ~/post_hack.txt

Update the command with the path to your HTTP logs, but be sure to leave the asterisk, since you will want to search all log files. That one redirects its output into the post_hack.txt file so you can do some light reading to figure out where the intrusion originated. Most likely there will be some gibberish-named PHP file showing up in a bunch of POST requests.
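As an added example (not code from the original post), here is a small POSIX shell script that chains the two steps above: it lists the files matching the signature regex, then pulls out of an access log only the POST requests aimed at exactly those files. The sample web root, file names and log lines are constructed, and the script assumes the web root is served at the site's "/".

```shell
#!/bin/sh
# Added example, not from the original post: list the files that match the
# signature regex above, then pull the POST requests from an access log that
# were aimed at those files. Paths and sample data are constructed.

SIG='((eval.*(base64_decode|gzinflate))|r57|c99|sh(3(ll|11)))'

# Print paths (relative to web root $1) of PHP files containing the signature.
# -l lists each file once; quoting the --include glob keeps the shell
# from expanding it before grep sees it.
find_infected() {
  (cd "$1" && grep -rlE --include='*.php*' "$SIG" .) | sed 's#^\./##' | sort
}

# Print the POST lines in access log $2 whose request path is one of the
# infected files under web root $1 (assumes $1 is served at "/").
# -F treats the file name literally so "." is not a regex wildcard.
posts_to_infected() {
  find_infected "$1" | while read -r f; do
    grep -n -F "\"POST /$f " "$2" || true   # no hits for this file is fine
  done
}

# Build a throwaway web root and log to run the functions against.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/htdocs/uploads" "$d/logs"
  printf '<?php echo "hello"; ?>\n' > "$d/htdocs/index.php"
  printf '<?php echo eval(base64_decode("QkFEIENPREVT")); ?>\n' \
    > "$d/htdocs/uploads/x7f2.php"
  printf '<?php /* c99 shell */ ?>\n' > "$d/htdocs/uploads/tmp.php.bak"
  cat > "$d/logs/access.log" <<'EOF'
203.0.113.5 - - [18/Sep/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [18/Sep/2012:10:00:09 +0000] "POST /uploads/x7f2.php HTTP/1.1" 200 44
198.51.100.7 - - [18/Sep/2012:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [18/Sep/2012:10:02:33 +0000] "POST /uploads/x7f2.php HTTP/1.1" 200 61
EOF
  echo "$d"
}
```

Running find_infected against the sample root flags uploads/tmp.php.bak and uploads/x7f2.php, and posts_to_infected returns the two POST lines that hit x7f2.php while skipping the legitimate wp-login.php POST.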

Good luck.

Published on September 18, 2012