Here is a little code that I use to scan servers that I admin on for unwanted files. These include php shell’s and encoded files. You can add your own expressions as well. The expressions that I have listed are what I have found to most likely be in infected files.
Here is the code itself:
find /home/ \( -name "*.cgi" -o -name "*.php" \) -print0 | xargs -0 egrep -l 'c99shell|r57shell|WebShell|phpshell|shell|c100|base64' >> /root/report
This is how it works. It’s using the find command to scan for .cgi or .php files within the ‘/home/’ directory. It then pipes the files found with those extensions to xargs and egrep will scan the files for the listed expressions. These expression are c99shell, r57shell, WebShell, phpshell, shell, c100 and base64. If it finds any of these expressions within a certain file, it will append the file /root/report, and add the path to the file name. You can customize the command all you want. If you wanted to look in /home2/ you can just change the path in the command to /home2/.
To run this command, you will need to be the root user on the system, and of course, logged into an ssh terminal session. Once the command has been run, you can view the contents of the report using many different methods. You can use an editor such as nano, vi or vim (nano /root/report), or, you can just display the contents of the file in your shell, using cat (cat /root/report).