Posts

Showing posts from January 16, 2013

Finding web shells on compromised linux servers

Finding web backdoor shells

(1) grep -RPn "(system|phpinfo|pcntl_exec|python_eval|base64_decode|gzip|mkdir|fopen|fclose|readfile|passthru)" .

(2) Install Git and download NeoPI (see the documentation): git clone https://github.com/Neohapsis/NeoPI.git

(3) grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/

(4) grep -RPnDskip "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html/

Other Useful Links
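The grep in (3) above only lists file names. As an added example (not from the original post or from NeoPI), the function below counts matching lines per file and sorts the densest files first for triage. The name rank_suspects and the leading non-identifier guard in the pattern are assumptions of this example, and it uses -E and -r in place of the page's -P and -R.

```shell
#!/bin/sh
# Added example, not from the original post: rank files by suspicious call count.

# Function names taken from the grep patterns on this page.
SHELL_FUNCS='passthru|shell_exec|system|phpinfo|pcntl_exec|base64_decode|chmod|mkdir|fopen|fclose|readfile'

# rank_suspects DIR  (hypothetical helper name)
# Prints "<matching-lines> <path>" for each file with at least one hit,
# highest count first, so the densest files are reviewed first.
rank_suspects() {
    # -r  recurse without following symlinks found below DIR
    # -I  ignore binary files, -c count matching lines per file
    # -E  extended regex (stands in for the page's -P), -D skip devices
    # The leading (^|[^A-Za-z0-9_]) group is an assumption of this example:
    # it keeps names such as filesystem( or my_mkdir( from matching.
    grep -rIcE -D skip \
        --include='*.php' --include='*.txt' --include='*.asp' \
        "(^|[^A-Za-z0-9_])(${SHELL_FUNCS}) *\(" "$1" |
        awk -F: '{ n = $NF; sub(/:[0-9]+$/, ""); if (n > 0) print n, $0 }' |
        sort -k1,1nr -k2
}

# Run against a directory when one is given on the command line.
[ "$#" -eq 0 ] || rank_suspects "$1"
```

The counts are a triage signal only, since legitimate applications also call several of these functions.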