Finding compromised code
Most hacks are automated or sloppy, and because of that they almost always exhibit a few of the same traits.
We want to start by searching for PHP code that tries to execute shell commands or run obfuscated code.
I always use ack to search with; you can download it here:
http://beyondgrep.com/install/
It's super fast and uses much less CPU overhead than grep, which is great if your server is already under pressure from a hack.
PHP
So search for any PHP files with the following keywords:
base64_encode
base64_decode
exec
shell_exec
eval
unescape
gzinflate
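The sweep described above, written as an added example that is not part of the original post: it uses plain grep so it also works on a server where ack is not installed, restricts the search to .php files, and builds constructed sample files in a temporary directory so it runs offline. The directory layout, file names and the "..." inside the base64 string are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a grep-based sweep for the
# keywords listed above, usable when ack is not installed.

# Functions that injected droppers and webshells commonly rely on.
SUSPECT_RE='base64_encode|base64_decode|shell_exec|exec|eval|unescape|gzinflate'

# Print each .php file under $1 that contains a suspect keyword, as
# file:line:content, so a reviewer can triage the hits quickly.
scan_php_dir() {
    # -r recurse, -n line numbers, -E extended regex, -I skip binaries;
    # \b keeps "execute" in a comment from triggering on "exec".
    grep -rnEI --include='*.php' "\b($SUSPECT_RE)\b" "$1"
}

# Number of distinct flagged files; useful as a baseline to compare
# against after cleanup or on a later re-scan.
count_flagged_files() {
    scan_php_dir "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed fixtures: one clean file, one carrying the classic
# eval(gzinflate(base64_decode(...))) dropper shape with a placeholder
# payload, and one non-PHP file that must be ignored.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php\necho "hello";\n' > "$d/index.php"
    printf '<?php\neval(gzinflate(base64_decode("...")));\n' \
        > "$d/wp-content/uploads/cache.php"
    printf 'eval(foo);\n' > "$d/notes.txt"
    echo "$d"
}

# Stand-alone usage: scan the constructed tree and report the count.
sample=$(make_sample_dir)
scan_php_dir "$sample"
echo "flagged files: $(count_flagged_files "$sample")"
rm -rf "$sample"
```

Point scan_php_dir at the web root on a real server; hits in upload, cache or theme directories deserve the closest look, and every hit still needs a human read since legitimate code uses some of these functions too.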