Find WebShell
### Grep
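# Triage sweep of the web root for PHP calls that web shells commonly rely on.
# Every hit is a lead to review by hand, not a verdict: include/require, fopen,
# fclose and chmod appear throughout legitimate applications.
#
# Set WEBROOT to scan another tree; the default is /var/www.
webroot="${WEBROOT:-/var/www}"

# One recursive pass per function name, so the output stays grouped by call.
#   -R  recurse through the tree     -n  print the line number of each hit
#   -i  PHP function names are case-insensitive, so EVAL( must match as well
# [[:space:]]* also accepts tabs between the name and "(" (a plain " *" only
# accepts spaces). In a basic regex the "(" is a literal character.
# edoced_46esab is base64_decode written backwards; it is searched as-is to
# catch code that reverses the string at run time.
for fn in include require include_once require_once shell_exec base64_decode \
  phpinfo system php_uname chmod fopen fclose readfile edoced_46esab eval \
  passthru; do
  grep -Rni -- "${fn}[[:space:]]*(" "$webroot"
done

# Single-pass alternative using a Perl-compatible alternation (-P, GNU grep).
# This list is not identical to the loop above: it adds mkdir, tcpflood and
# udpflood and leaves out the include/require family.
# NOTE(review): names are matched as substrings, so "filesystem(" also hits
# "system"; expect false positives and confirm each match in context.
grep -RPni -- '(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab)\s*\(' "$webroot"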
### Find
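# find-driven variants: narrow the file set by name first, then grep it.
# Run from the directory to inspect; paths are reported relative to ".".
# A name filter only sees files carrying that extension. Code dropped under
# another name or extension needs an unfiltered recursive grep instead.

# Placeholder search: replace "hello" with the string of interest.
# -type f skips directories that happen to match the name pattern.
# -print0 / -0 pass names NUL-delimited, so a file whose name contains spaces,
# quotes or newlines is still searched instead of being split or skipped.
# -r keeps xargs from starting grep at all when find matched nothing.
find . -type f -name '*.php' -print0 | xargs -0 -r grep -H -- "hello"

# Same search without xargs; "{} +" batches files into as few grep runs as
# possible and never runs grep on an empty file list.
find . -type f -name '*.php' -exec grep -H -- "hello" {} +

# Suspicious-call pattern (Perl-compatible, GNU grep -P). \s* tolerates any
# whitespace before "(". edoced_46esab is base64_decode written backwards.
# Hits are leads to review by hand; names match as substrings, so expect
# false positives such as "filesystem(".
susp_calls='(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab)\s*\('

# -R is dropped on purpose: the operands are already files, and a grep -R that
# receives no file operand (find matched nothing) would search the whole
# working directory and report hits unrelated to the name filter.
# -i is added because PHP function names are case-insensitive.
# NOTE(review): the list holds PHP function names; for *.jsp it will mostly
# miss. A JSP sweep needs Java-side names (for example Runtime exec or
# ProcessBuilder usage); confirm the intended pattern for this target.
find . -type f -name '*.jsp' -print0 | xargs -0 -r grep -HPni -- "$susp_calls"

find . -type f -name '*.php' -exec grep -HPni -- "$susp_calls" {} +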