If you have a large site with a lot of files it can be very difficult, or at least very time consuming to locate any obfuscated php code on your site. This simple script will work on most, not all sites. The script is a PHP script so your server/site must support PHP for it to run. To use the script open a text editor then copy and paste the script below. There are two versions of the script in the grey box below. The first listing is the php code only without ant comments. The second copy contains comment lines that explain the what the various lines of code do. You should only copy one of the versions. Save the file the name does not matter, but the file must have a .php extension, I use find-string.php . Once you have saved the file upload the file in the root directory of your site. Next open the file in your browser http://yoursite.com/find-string.php or whatever you have named the file. If you have a large site with lots of files it can take awhile to run. If the script worked you should see as a minimum the find-string.php returned, the line
./your-file-name.php -> contains base64_decode
and hopefully any other files containing the string base64_decode. The files will be listed like this
./the directory/the file name.php,
the path/filename of the file containing the string. With some sites you might see a path/filename like this
/???/???/.temp/.tmp.php
the name of the sub-directory and file both start with a . Starting a folder or filename with a . is used to signify a “system” folder or file. Some ftp programs will not show a system folder/file with the default configuration so you may need to specify something like “show hidden files” or “display system files” to see them in your ftp program.
Once (if) you have gotten the list of files be sure to go back and delete this script/file, find-string.php from your server DO NOT LEAVE IT IN PLACE! Keep a copy on your local computer and if you ever need to use it again (hopefully not) just upload it to your site again. The script can not harm your site but if you leave it in place, particularly if you use the default name of find-string.php anyone could open it in their browser and it could give them some insight into your file structure etc.
The script:
<html><head><title>Find String</title></head><body> <?php // ini_set('max_execution_time', '0'); // ini_set('set_time_limit', '0'); find_files('.'); function find_files($seed) { if(! is_dir($seed)) return false; $files = array(); $dirs = array($seed); while(NULL !== ($dir = array_pop($dirs))) { if($dh = opendir($dir)) { while( false !== ($file = readdir($dh))) { if($file == '.' || $file == '..') continue; $path = $dir . '/' . $file; if(is_dir($path)) { $dirs[] = $path; } else { if(preg_match('/^.*\.(php[\d]?|txt|js|htaccess)$/i', $path)) { check_files($path); }} } closedir($dh); } } } function check_files($this_file){ $str_to_find[]='base64_decode'; $str_to_find[]='edoced_46esab'; // base64_decode reversed $str_to_find[]='preg_replace'; $str_to_find[]='HTTP_REFERER'; $str_to_find[]='HTTP_USER_AGENT'; if(!($content = file_get_contents($this_file))) { echo("<p>Could not check $this_file You should check the contents manually!</p>\n"); } else { while(list(,$value)=each($str_to_find)) { if (stripos($content, $value) !== false) { echo("<p>$this_file -> contains $value</p>\n"); } } } unset($content); } ?> </body></html>
Source: https://aw-snap.info/articles/base64-decode.php