Having dealt with many hacked websites over the years, I can say it is common knowledge that attackers love to use base64 encoded files and the eval function to take control of websites and exploit them to the best of their ability.
If you are dealing with a hacked website, you can scan for files containing base64 code with the following:
find /path/to/scan/ -type f -exec grep "base64" '{}' \; -print &> /path/to/output/base64-detections.txt
Replace /path/to/scan/ with the directory you wish to scan and /path/to/output/base64-detections.txt with the location where you want the output written.
The find command writes each matching line followed by the file's path (that is what -print adds), so once it has finished the easiest way to pull out the complete paths of the files returned is to grep the output for the scan directory:
grep /path/to/scan/ /path/to/output/base64-detections.txt
Each file that is returned should be checked to ensure it is authentic. Anything that has been maliciously tampered with should be replaced with the original. If you are dealing with WordPress core files, for example, you could compare the md5sum of your file against that of the original in the WordPress GitHub repository.
To scan for files containing eval, use the following:
find /path/to/scan/ -type f -exec grep "eval" '{}' \; -print &> /path/to/output/eval-detections.txt
Replace /path/to/scan/ with the directory you wish to scan and /path/to/output/eval-detections.txt with the location where you want the output written.
As before, the easiest way to pull out the complete paths of the files returned is to grep the output for the scan directory:
grep /path/to/scan/ /path/to/output/eval-detections.txt
Again, each file that is returned should be checked to ensure it is authentic. Developers should avoid using eval, so that is something to bear in mind when reviewing hits. Many web servers have eval disabled by default to prevent some of the issues it causes.
As before, anything that has been maliciously tampered with should be replaced with the original; for WordPress core files, compare the md5sum of your file against that of the original in the WordPress GitHub repository.
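The procedure above, as an added example that is not taken from the original post: a POSIX shell script that lists every file under a web root mentioning base64 or eval, then compares each hit against a pristine copy of the same file kept in a separate directory (a byte-for-byte cmp, which answers the same question as comparing md5sums). The directory layout, file names and fixture contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. It automates the post's
# procedure: find files under a web root that mention "base64" or "eval",
# then compare each hit against a pristine copy kept in a separate directory
# (equivalent to comparing md5sums). Paths and fixture contents are constructed.

# scan_suspicious WEBROOT: print each regular text file mentioning base64 or eval once.
scan_suspicious() {
    webroot="${1%/}"
    # -l lists the file name instead of matching lines; -I skips binary files
    find "${webroot:-/}" -type f -exec grep -lIE 'base64|eval' {} +
}

# verify_against_original WEBROOT ORIGINALS: classify every hit as
# OK (identical to pristine copy), MODIFIED (differs) or UNKNOWN (no pristine copy).
verify_against_original() {
    webroot="${1%/}"; originals="${2%/}"
    scan_suspicious "$webroot" | while IFS= read -r hit; do
        rel="${hit#"$webroot"/}"          # path relative to the web root
        orig="$originals/$rel"
        if [ ! -f "$orig" ]; then
            echo "UNKNOWN  $hit (no original to compare; review manually)"
        elif cmp -s "$hit" "$orig"; then
            echo "OK       $hit"
        else
            echo "MODIFIED $hit"
        fi
    done
}

# make_sample_site SITE ORIGINALS: build constructed fixtures for a demonstration.
make_sample_site() {
    mkdir -p "$1/wp-includes" "$1/wp-content/uploads" "$2/wp-includes"
    # core file that is untouched: contains neither keyword, so it is never listed
    printf '<?php\nfunction wp_version() { return "6.x"; }\n' > "$2/wp-includes/version.php"
    cp "$2/wp-includes/version.php" "$1/wp-includes/version.php"
    # core file whose site copy gained an eval() call: should be reported MODIFIED
    printf '<?php\nfunction wp_hello() { return "hello"; }\n' > "$2/wp-includes/functions.php"
    printf '<?php\nfunction wp_hello() { return "hello"; }\neval($code);\n' > "$1/wp-includes/functions.php"
    # dropped file with no pristine counterpart: should be reported UNKNOWN
    printf '<?php\necho base64_decode("aGk=");\n' > "$1/wp-content/uploads/cache.php"
}

# Demonstration on a temporary directory (assumes mktemp and a writable TMPDIR)
demo_dir=$(mktemp -d)
make_sample_site "$demo_dir/site" "$demo_dir/originals"
verify_against_original "$demo_dir/site" "$demo_dir/originals"
rm -rf "$demo_dir"
```

The keyword match is as coarse as the post's grep (it also matches words such as "retrieval"), so every hit still needs a manual look.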
Locating malicious files and replacing them is not enough to prevent further hacking of a website. It is important that you find and patch the point of entry to prevent the website from being targeted again. Websites should be penetration tested frequently, and you should fix any issues in your code that can be exploited. This guide is a few simple tips for cleaning up a hacked website.