How to Find & Fix your Hacked Website

If you think or know your website or Web App has been hacked here are some useful commands to find out more.
For this document, I will assume you have a dedicated server or VPS with an SSH connection available.

Connect to your server using SSH and in turn, enter the following commands. If any result highlights a file it is worth looking at those files for malicious code:

Search for files containing eval, base64_decode, gzinflate & str_rot13. They will highlight the files found.

find . -type f -name '*.php' | xargs grep -l "eval *(" --color

find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color

find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color

find . -type f -name '*.php' | xargs grep -l "str_rot13 *(" --color

Another option is to search for files containing all of these strings:

find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color

The next command to try is to search for files that contain preg_replace, a common command used when hacking PHP.

find . -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color

And lastly, search for these Hex codes in files:

find . -type f -name '*.php' | xargs grep -il x29 --color

Checking Access Logs

Another important source for helping find hacked file are the access logs. If a file has been added to your server, search the logs for that filename to help identify the date and/or IP address of the hacker.
You can also use the following command which will search the log for you:

grep -i "filename\.php" /path-to-logs/access.log | less

I hope this has helped, spread the word on social media to people who you think this will help.

Source: https://www.gregfreeman.io/2013/how-to-tell-if-your-php-site-has-been-compromised/