2

On my server, spamming files are being uploaded, which start with

<?php ${"\x47\x4cO\x42A\x4c\x53"}["cgw\x71\x77\x77\x64\x79q"]

I'm trying to find all files on the server which contain the above string and delete them. For that I'm using the following command.

 find . | xargs grep -l -r '<?php ${/"\x47\x4cO\x42A\x4c\x53/"}' /home/ | awk '{print "rm "$1}' > doit.sh

But it seems it is not working. Does anyone have a suggestion for a command so that I can delete all these malicious files?

SSK

1 Answer

2

It'd be good to know the OS (Linux? Which distro?). But this one will probably work on most of them:

fgrep -rl '<?php ${"\x47\x4cO\x42A\x4c\x53"}["cgw\x71\x77\x77\x64\x79q"]' * |xargs echo rm

I also agree with BE77Y, you should look into how these files are appearing on your server.
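
The fixed-string search from the answer, as an added example that is not part of the original question or answer. It goes one step further than the answer by moving matches into a quarantine directory instead of deleting them, so the files remain available when investigating how they were uploaded; the function names and the quarantine path are assumptions.

```shell
#!/bin/sh
# Literal signature from the question. Single quotes stop the shell from
# expanding $ and \; grep -F then treats it as a fixed string, so $ { [ \
# are not parsed as regex syntax (the reason a plain grep pattern fails).
SIG='<?php ${"\x47\x4cO\x42A\x4c\x53"}["cgw\x71\x77\x77\x64\x79q"]'
export SIG

# Dry run: print every file under $1 that contains the signature.
list_infected() {
    grep -rlF -e "$SIG" -- "$1"
}

# Move every match under $1 into quarantine directory $2 (assumed to be
# outside $1 and outside the web root), keeping the original path below it.
# find hands file names to the inner shell as arguments, so names with
# spaces or newlines are handled. Prints each path that was moved.
quarantine_infected() {
    root=$1
    qdir=$2
    find "$root" -type f -exec sh -c '
        qdir=$1; shift
        for f do
            grep -qF -e "$SIG" -- "$f" || continue
            mkdir -p -- "$qdir/$(dirname -- "$f")" &&
            mv -- "$f" "$qdir/$f" &&
            chmod 000 -- "$qdir/$f" &&
            printf "%s\n" "$f"
        done' sh "$qdir" {} +
}

# Usage (hypothetical paths):
#   list_infected /home                         # review the list first
#   quarantine_infected /home /root/quarantine  # then move the matches
```

Run `list_infected` and review its output before quarantining anything.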