If you think or know your website or Web App has been hacked here are some useful commands to find out more.
For this document, I will assume you have a dedicated server or VPS with an SSH connection available.
Connect to your server using SSH and in turn, enter the following commands. If any result highlights a file it is worth looking at those files for malicious code:
Search for files containing eval, base64_decode, gzinflate & str_rot13. They will highlight the files found.
find . -type f -name '*.php' | xargs grep -l "eval *(" --color
find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
find . -type f -name '*.php' | xargs grep -l "str_rot13 *(" --color
Another option is to search for files containing all of these strings:
find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color
The next command to try is to search for files that contain preg_replace, a common command used when hacking PHP.
find . -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color
And lastly, search for these Hex codes in files:
find . -type f -name '*.php' | xargs grep -il x29 --color
Another important source for helping find hacked file are the access logs. If a file has been added to your server, search the logs for that filename to help identify the date and/or IP address of the hacker.
You can also use the following command which will search the log for you:
grep -i "filename\.php" /path-to-logs/access.log | less
I hope this has helped, spread the word on social media to people who you think this will help.
Source: https://www.gregfreeman.io/2013/how-to-tell-if-your-php-site-has-been-compromised/