List all files in the folder /site/ reverse sorted by modified date
find /site/ -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r | more
List all php files in the folder /var/www/html/site/ reverse sorted by modified date
find /var/www/html/site/ -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r | grep '\.php$' | more
grep -r --include='*.php' --include='*.js' "base64" /var/www/html/site/
This is what each parameter means:
-r: search the start folder recursively
--include: file extensions to search
"base64": search term to look for
/var/www/html/site/: start folder
You have a WordPress blog that has been compromised or hacked. Some script on the server is sending spam emails and you do not know which one. Try the following steps to find and remove the bad script.
1. Create a file called phpmail.log in /var/log
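2. Change permissions on the file so that the web server can write to it. This can be done in many ways. Use the user and group your web server actually runs as in place of httpd:httpd; once the owner is correct, a tighter mode such as 640 is enough, because 777 lets any local user read and modify the log.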
chown httpd:httpd /var/log/phpmail.log
chmod 777 /var/log/phpmail.log
3. Locate your php.ini file (in case of RHEL, CentOS and SuSE, it will be here: /etc/php.ini). Edit or add the following two lines in the file
mail.add_x_header = On
mail.log = /var/log/phpmail.log
4. Restart your web server
service httpd restart
5. Now tail the log file…
tail -f /var/log/phpmail.log
When an email is sent from a PHP script you will see an entry in the log that looks like this…
mail() on [/var/www/html/site2/wp-content/plugins/wp-image-hover-lite/admin/functions.php(1967) : eval()'d code:775]: To: email@example.com -- Headers: Date: Mon, 26 Dec 2016 06:55:17 +0000 From: Joe Smith <firstname.lastname@example.org> Message-ID: <email@example.com> X-Priority: 3 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1_5cd2be098536da5aefaba80101b8a1a3" Content-Transfer-Encoding: 8bit
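In this case the offending script is the path in square brackets right after "mail() on": /var/www/html/site2/wp-content/plugins/wp-image-hover-lite/admin/functions.php. Check out this script and delete it if it looks suspicious.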
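Once the log has collected entries for a while, it can be summarised per script instead of being read line by line. The following is an added example, not part of the original post: the function names mail_senders and sample_log and the sample log lines are constructed for illustration, and it assumes entries of the form shown above, with or without a leading timestamp.

```shell
#!/bin/sh
# Summarise a PHP mail.log read from stdin: one line per sending script,
# "count<TAB>script<TAB>EVAL|-", busiest script first. EVAL marks scripts
# whose mail() call ran inside eval-generated code, as in the entry above.
mail_senders() {
    awk '
    {
        start = index($0, "mail() on [")
        if (start == 0) next                  # not a mail() entry
        rest = substr($0, start + 11)         # text after the opening bracket
        end = index(rest, "]: To:")
        if (end == 0) next                    # truncated or malformed entry
        loc = substr(rest, 1, end - 1)        # script plus line information
        evald = (loc ~ /eval\(\)/) ? 1 : 0
        sub(/\([0-9]+\) : eval\(\).*$/, "", loc)   # drop "(N) : eval()... code:N"
        sub(/:[0-9]+$/, "", loc)                    # drop plain ":N" line number
        count[loc]++
        if (evald) flagged[loc] = 1
    }
    END {
        for (s in count)
            printf "%d\t%s\t%s\n", count[s], s, (s in flagged) ? "EVAL" : "-"
    }' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Constructed sample entries (not real log data); contact.php is hypothetical.
sample_log() {
    cat <<'EOF'
[26-Dec-2016 06:55:17 UTC] mail() on [/var/www/html/site2/wp-content/plugins/wp-image-hover-lite/admin/functions.php(1967) : eval()'d code:775]: To: a@example.com -- Headers: X-Priority: 3
[26-Dec-2016 06:55:19 UTC] mail() on [/var/www/html/site2/wp-content/plugins/wp-image-hover-lite/admin/functions.php(1967) : eval()'d code:775]: To: b@example.com -- Headers: X-Priority: 3
mail() on [/var/www/html/site2/contact.php:12]: To: admin@example.com -- Headers: X-Mailer: PHPMailer
PHP Warning: unrelated line that should be ignored
EOF
}

# Demo on the constructed sample; for a real log run:
#   mail_senders < /var/log/phpmail.log
sample_log | mail_senders
```

A script that sends a lot of mail and carries the EVAL marker is the first one to inspect.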