New Perspectives On Web Design

CHAPTER 8 How to Fix The Web: Obscure Back-End Techniques and Terminal Secrets


word “eval” must have a word boundary before and after it, which prevents
it from being found in the middle of words such as “evaluate”. You can combine
this with the find command above and pipe through less for easy reading:

$ find /var/www/vhosts -mtime -1 \( -name \*php -o -name \*inc \) | sed 's/ /\\ /g' | xargs grep -H -e "\beval\b" | less
/var/www/vhosts/config.php:eval(gzinflate(base64_decode('HJ3HkqNQE...
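The sed step above escapes spaces so that xargs does not split a path like /var/www/vhosts/site one/config.php into two arguments. The following script is an added example (not from the book) that does the same search with find -print0 and xargs -0, which pass NUL-separated names and so survive spaces, quotes and newlines in filenames; the sample tree it builds is constructed for the demonstration and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: search recently modified PHP and include
# files for a whole-word "eval" without the sed space-escaping trick.
# -print0 / xargs -0 hand over NUL-separated paths, so names containing
# spaces or quotes arrive at grep intact. -r stops xargs running grep with
# no files at all (which would make grep read stdin).

find_eval_calls() {
    # $1: directory to search; any further arguments go to grep (e.g. -l)
    dir=$1; shift
    find "$dir" -type f -mtime -1 \( -name '*.php' -o -name '*.inc' \) -print0 \
        | xargs -0 -r grep -nH "$@" -e '\beval\b'
}

count_eval_files() {
    # number of files that contain a whole-word eval
    find_eval_calls "$1" -l | wc -l | tr -d ' '
}

# Constructed sample tree (not real site data) so the script runs stand-alone.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/site one"
    printf '<?php eval(gzinflate(base64_decode("HJ3H...")));\n' > "$dir/site one/config.php"
    printf '<?php function evaluate($x) { return $x; }\n' > "$dir/clean.php"   # no match: word boundary
    printf '<?php $y = eval($_GET["c"]);\n' > "$dir/footer.inc"
    printf 'eval("1+1");\n' > "$dir/notes.txt"                                  # wrong extension, skipped
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    find_eval_calls "$d"     # prints the two hits: "site one/config.php" and footer.inc
    rm -rf "$d"
fi
```

Run it with `sh script.sh --demo` to see the two hits; `find_eval_calls /var/www/vhosts -l | less` lists only the file names, which is usually what you want before opening each one. Note that grep -l with -nH still prints one path per matching file, since -l overrides the per-line output.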

If you do find this type of hack in your website, try to discover how the
attacker got in before completely removing all the tainted files; otherwise
the same hole will be used again.

Access Logs
Along with error logs, Apache also keeps access logs. You can browse these
for suspicious activity. For example, if you found a PHP hack inside an
innocuous looking file called test.php, you can look for all activity related to
that file. The access log usually sits alongside the error log and is specified
with the CustomLog directive in Apache configuration files. It contains the IP
address, date and file requested. Search through it with grep:

$ grep -e "\(GET\|POST\) /test.php" /var/www/vhosts/smashingmagazine.com/statistics/logs/access_log
70.1.5.12 - - [12/May/2013:20:10:49 +0100] "GET /test.php HTTP/1.1" 200
1707 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686;...

This looks for GET and POST requests for the file test.php. It provides
you with an IP address, so you can now look for all other access by this
address, and also narrow the search to a specific date. Note that a plain
grep for the address also matches longer addresses that contain it (for
example 170.1.5.12), so check the first field of each line you get back:

$ grep 70.1.5.12 /var/www/vhosts/smashingmagazine.com/statistics/logs/access_log | grep "12/May/2013"
70.1.5.12 - - [12/May/2013:20:10:49 +0100] "GET /products/view.php?something HTTP/1.1" 200 1707 "-"...
70.1.5.12 - - [12/May/2013:20:10:49 +0100] "GET /test.php HTTP/1.1" 200 1707 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686;...
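The two greps above are the whole pivot: find the requests for the suspicious file, take the client address, then list everything that address did on that day. The script below is an added example (not from the book) that wraps the same pivot in shell functions, escapes regex metacharacters in the path, matches the request line exactly (so /test.php does not also pull in /test.php.bak) and anchors the IP address at the start of the line so 70.1.5.12 cannot match 170.1.5.12. The log lines it writes are constructed for the example in Apache combined format; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: pivot through an Apache access log from a
# suspicious file to the client address to everything that address requested.

escape_re() {
    # make a literal string safe inside an extended regular expression
    printf '%s' "$1" | sed 's/[][\.*^$?+(){}|]/\\&/g'
}

requests_for_file() {
    # $1: log file, $2: literal path such as /test.php
    # matches "GET /test.php HTTP/" and "POST /test.php?x=y HTTP/", nothing longer
    path=$(escape_re "$2")
    grep -E "\"(GET|POST) $path(\?[^ ]*)? HTTP/" "$1"
}

ips_for_file() {
    # distinct client addresses (first field of the combined log) that hit the file
    requests_for_file "$1" "$2" | awk '{print $1}' | sort -u
}

activity_by_ip() {
    # $1: log file, $2: client address, $3: optional date fragment (12/May/2013)
    # "^addr " anchors the address at line start so 70.1.5.12 != 170.1.5.12
    ip_re=$(escape_re "$2")
    if [ -n "${3:-}" ]; then
        grep -E "^$ip_re " "$1" | grep -F "[$3"
    else
        grep -E "^$ip_re " "$1"
    fi
}

# Constructed sample log (not real traffic) so the script runs stand-alone.
write_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
70.1.5.12 - - [12/May/2013:20:10:49 +0100] "GET /products/view.php?id=7 HTTP/1.1" 200 1707 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686)"
70.1.5.12 - - [12/May/2013:20:10:49 +0100] "GET /test.php HTTP/1.1" 200 1707 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686)"
70.1.5.12 - - [12/May/2013:20:11:03 +0100] "POST /test.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686)"
170.1.5.12 - - [12/May/2013:20:12:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
70.1.5.12 - - [13/May/2013:02:00:11 +0100] "GET /robots.txt HTTP/1.1" 200 24 "-" "curl/7.29"
203.0.113.9 - - [12/May/2013:21:00:00 +0100] "GET /test.php.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0"
EOF
    echo "$log"
}

if [ "${1:-}" = "--demo" ]; then
    log=$(write_sample_log)
    echo "== requests for /test.php"; requests_for_file "$log" /test.php
    for ip in $(ips_for_file "$log" /test.php); do
        echo "== all activity by $ip on 12/May/2013"
        activity_by_ip "$log" "$ip" 12/May/2013
    done
    rm -f "$log"
fi
```

Against a real server replace the sample with the path from your CustomLog directive, and remember that a log rotated by logrotate may have the day you care about in access_log.1 or a compressed access_log.2.gz (use zgrep for the latter).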