How to grep for possible php exploits in plesk
grep ‘((eval.*(base64_decode|gzinflate))|$[0O]{4,}|(\x[0-9a-fA-F]{2}){8,}|FilesMan|JGF1dGhfc|document.write(“\u00|sh(3(ll|11)))’ /var/www/vhosts/*/httpdocs/ -rnoE –include=*.php* >> /tmp/possible_bad_files
grep ‘((eval.*(base64_decode|gzinflate))|$[0O]{4,}|(\x[0-9a-fA-F]{2}){8,}|FilesMan|JGF1dGhfc|document.write(“\u00|sh(3(ll|11)))’ /var/www/vhosts/*/subdomains/*/httpdocs/ -rnoE –include=*.php* >> /tmp/possible_bad_files
then just go through /tmp/possible_bad_files to see if anything is really bad.
todo: expand this to search for preg_replace with /e modifiers