Useful Linux commands for cleaning malware from WordPress sites

I recently sat down to clean a server hosting a bunch of old WordPress sites. You can imagine what that looked like: about a third of them were hacked in every way imaginable. I encountered bitcoin miners, post injections and mass emailers.

I noticed that one type of malware produced files named lndex.php (with an l, not an i), master.php, security.php and cache.php.

This command will search for one specific file name:

find . -name 'lndex.php'

Here is how to check for all of these in one command:

find . \( -name 'lndex.php' -o -name 'master.php' -o -name 'security.php' -o -name 'cache.php' \)

Keep in mind that some of these may be legitimate files from your plugins, so inspect each hit for suspicious code (base64-encoded blobs, binary data, etc.) before deleting anything.

Another way of finding suspicious files is to list what has changed in the last, say, 10 days. Note that -ctime matches on inode change time, which covers permission and ownership changes as well as content; use -mtime if you only care about content changes:

find ./ -ctime -10

To find *.php files modified between two points in time (-newermt is a GNU find option):

find . -name '*.php' -newermt 2014-08-27 ! -newermt 2014-08-30
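The three ideas above (known-bad file names, recently changed files, and inspecting each hit for obfuscated code) fit naturally into one read-only triage pass. The following is an added example, not a command from the original article; it assumes a POSIX sh with find, grep, sed and sort, and the indicator pattern it greps for is my own choice, built from the /usr/bin/host string mentioned later in the article plus the usual PHP obfuscation primitives.

```shell
#!/bin/sh
# Added example (not from the original article): a read-only triage pass that
# combines the file-name search, the "recently modified" search and a content
# grep. Assumes a POSIX sh with find, grep, sed and sort.
#
# wp_triage DIR [DAYS]
#   Prints one line per hit, tagged so the reader knows why it was flagged:
#     name    PATH   - file carries one of the names this malware family used
#     content PATH   - *.php changed in the last DAYS days (default 10) whose
#                      contents match a common obfuscation/backdoor indicator
#   Nothing is deleted; the list is input for manual review, since a plugin may
#   legitimately ship a cache.php or security.php.

# Indicators to grep for (assumption, not from the article): the /usr/bin/host
# string plus common PHP obfuscation primitives. Extended regex, so '(' is escaped.
WP_TRIAGE_PATTERN='base64_decode|eval\(|gzinflate|str_rot13|/usr/bin/host'

wp_triage() {
    dir=$1
    days=${2:-10}

    # 1. Known-bad file names, regardless of contents.
    find "$dir" -type f \( -name 'lndex.php' -o -name 'master.php' \
        -o -name 'security.php' -o -name 'cache.php' \) \
        | sed 's/^/name    /'

    # 2. PHP files modified in the last DAYS days that also contain an indicator.
    #    -exec ... {} + hands many paths to one grep and is safe with spaces.
    find "$dir" -type f -name '*.php' -mtime "-$days" \
        -exec grep -lE "$WP_TRIAGE_PATTERN" {} + 2>/dev/null \
        | sed 's/^/content /'
}

# Usage: wp_triage /var/www 10
```

A file can appear under both tags; that is a strong signal. A file listed only under "name" with clean contents is most likely a plugin's own file, which is exactly the false positive the article warns about.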

Find and remove *.php files, for example in a folder they do not belong in, like your uploads folder. Warning! Dangerous! Make sure you are in the wp-content/uploads folder first!

find . -name '*.php' -exec rm -rf {} \;

Or, if you want to run this from a directory above several sites (NUL-separated paths so file names with spaces are not mangled):

find . -path '*wp-content/uploads*' -name '*.php' -type f -print0 | xargs -0 rm -f
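Because this step is destructive, a wrapper that lists first and deletes only on request is worth having. The following is an added example, not a command from the original article; it assumes a POSIX find with the `-exec ... {} +` form and that ROOT is a directory above the WordPress installs, not the uploads folder itself.

```shell
#!/bin/sh
# Added example (not from the original article): a dry-run-by-default wrapper
# for the "remove PHP from uploads" step. Assumes POSIX find with -exec ... {} +.
#
# purge_uploads_php ROOT [--delete]
#   ROOT is a directory above one or more WordPress installs (not the uploads
#   folder itself). Lists every regular *.php file that sits under a
#   wp-content/uploads directory beneath ROOT. Without --delete it only prints
#   the candidates so the list can be reviewed; with --delete it removes them.
#   Paths never pass through a newline-separated pipe, so names with spaces
#   survive intact.
purge_uploads_php() {
    root=$1
    mode=${2:-list}
    if [ "$mode" = "--delete" ]; then
        find "$root" -path '*/wp-content/uploads/*' -name '*.php' -type f \
            -exec rm -f -- {} +
    else
        find "$root" -path '*/wp-content/uploads/*' -name '*.php' -type f
    fi
}

# Usage: purge_uploads_php /var/www            # review the list
#        purge_uploads_php /var/www --delete   # remove the files
```

Running the list form first and saving its output also gives you a record of what was removed, which is useful when a site owner later asks why an upload disappeared.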

One of the hacks I found ran /usr/bin/host with a hacked library preloaded. Nasty (but creative) stuff. I used this command to find all PHP files containing the string '/usr/bin/host':

grep -ri --include=*.php "/usr/bin/host" ./

In most cases I decided to delete the infected folders/plugins and re-install them where needed.

Sometimes you need to find out what a certain process (one that is eating too much CPU, for example) is actually doing:

strace -p PID

This restricts the trace to the open and close system calls, raises the maximum printed string length to 80 characters (the default truncates at 32) and writes the output to log.txt instead of the terminal. On newer distributions most file opens go through openat rather than open, so add it to the -e list if the log comes back nearly empty:

strace -e open,close -s 80 -o log.txt -p PID
