If your site is hacked, check for edited files. Find all files modified within the last 30 days and then search them for base64_decode calls (used to encode/hide code).
Find the code itself
# cd /home/domain/public_html
# find . -type f -ctime -30 -iname "*.php" -exec grep "base64_decode" {} \;
Results
# find . -type f -ctime -30 -iname "*.php" -exec grep "base64_decode" {} \;
$buf .= base64_decode($util->GetRandom($bytes, 0));
$data = base64_decode($data);
$data = base64_decode( $data );
$data = base64_decode($data);
$value = base64_decode($this->_currentTagContents);
$challenge = base64_decode(substr($this->last_reply, 4));
$decoded = base64_decode( $value['encoded_serialized_instance'], true );
$flac->setStringMode(base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']));
$data = base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']);
$decoded_sig = base64_decode($signature);
$uncompressed =$this->_uncompress(base64_decode(strtr($compressed, '-_', '+/')));
return base64_decode($value);
return base64_decode($value);
$this->_accountKey = base64_decode($accountKey);
$this->_accountKey = base64_decode($value);
base64_decode((string)$xmlMessages[$i]->MessageText)
return base64_decode($sessionRecord->serializedData);
$incomingSignature = base64_decode($message->get('Signature'));
if (base64_decode($token,true)){
$decoded_token = base64_decode($token,true);
$raw_data = base64_decode($data);
return base64_decode($b64);
$challenge = base64_decode($challenge);
$challenge = base64_decode(substr($this->last_reply, 4));
return base64_decode($b64);
eval(base64_decode('TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz'.
$expected_raw_md5 = base64_decode( $expected_md5 );
As we can see, the output includes an excerpt of the base64 code (the eval(base64_decode('TWFu... line). Now, let's find the file. To find the file containing the base64 code, copy a bit of the base64 string and run:
# find . -type f -ctime -30 -iname "*.php" -exec grep -l "TWFuIGlzIGR" {} \;
./basecode.php
The gibberish in the grep is a small piece of the base64 code.
The first command finds the code itself. The second finds the file containing the code.
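Added example (not part of the original page): a shell function that does both steps in one pass, printing the file name and line number for every hit and marking as HIGH the hits where base64_decode is wrapped in eval() or applied to a quoted string, as in the basecode.php result above. The names scan_php and suspect_files and the HIGH/INFO labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage recently changed PHP files for base64_decode use.
# Usage: scan_php /home/domain/public_html 30
#
# scan_php DIR [DAYS] prints "LEVEL<TAB>file:line:text" for each hit.
#   HIGH = eval() around base64_decode, or base64_decode of a quoted literal
#   INFO = any other base64_decode call (usually ordinary library code)
scan_php() {
    dir=${1:-.}
    days=${2:-30}
    # Same find test as on the page (-ctime is inode change time).
    # grep -H prints the file name and -n the line number, so the code
    # and the file containing it come out together.
    # -i because PHP function names are case-insensitive.
    find "$dir" -type f -ctime "-$days" -iname '*.php' \
        -exec grep -Hin 'base64_decode' {} + 2>/dev/null |
    while IFS= read -r hit; do
        if printf '%s\n' "$hit" | grep -Eiq \
            "(^|[^[:alnum:]_])eval[[:space:]]*\(.*base64_decode|base64_decode[[:space:]]*\([[:space:]]*['\"]"
        then
            printf 'HIGH\t%s\n' "$hit"
        else
            printf 'INFO\t%s\n' "$hit"
        fi
    done | sort
}

# suspect_files DIR [DAYS] lists only the files that have a HIGH hit,
# the counterpart of the grep -l command on the page.
suspect_files() {
    scan_php "$@" |
    awk -F'\t' '$1 == "HIGH" { sub(/:[0-9]+:.*/, "", $2); print $2 }' |
    sort -u
}
```

INFO hits still need a look when the file is not one you expect to have changed; the HIGH label only orders the review.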