I search a tool to find inject malicious code in my PHP files. In each PHP file I had this inject:
eval(gzinflate(base64_decode('pRlrc9u48bM70/+AaBhTjGmJol5WbNpJE+fuZppLqjid6di...
Of course I use the shell to find and replace the inject. But each hour the inject is back. So some PHP file(s) are injected. I've more than 34 websites on this server - each website are injected.
My question now: Has somebody an idea to find the security hole? Maybe a online tool or a script which I can check all PHP files?
Thanks for your help.
I've used something like: grep -Rl "eval" . and grep -Rl "base64" . it can be a good start.
Try to search for patterns in the infected files.