These snippets are based on this article
Starting points
Example of a good check
[user@host home]$ wp checksum core --path=/home/user/public_html
Success: WordPress install verifies against checksums.
Example of an issue
user@ubuntu-malware:~/public_html$ wp checksum core
Warning: File should not exist: wp-admin/x.php
Success: WordPress install verifies against checksums.
Search domlogs/accesslogs
awk '$9 == 200 && $6 ~ /"POST/ { print }' /path/to/logs
In the combined log format field 6 is the opening quote plus the request method and field 9 is the status code.
Swap POST for the method you want to search for (GET, POST, HEAD).
Swap 200 for the status code you want to search by (200, 301, 302, 401, 404, 500, 503).
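The same access-log filter as an added, self-contained example (not from the original article): it filters by method and status, then ranks client/path pairs so one client repeatedly POSTing to a file that should not exist stands out. The log lines are constructed samples, not real traffic.

```shell
#!/bin/sh
# Added example: filter a combined-format access log by HTTP method and
# status code, then rank matching client/path pairs.
# The log lines below are constructed samples, not real traffic.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-admin/x.php HTTP/1.1" 200 231 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:57:12 +0000] "POST /wp-admin/x.php HTTP/1.1" 200 198 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:58:30 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 404 0 "-" "Mozilla/5.0"
EOF

# Print every request whose method and status match exactly. In this
# format field 6 is the opening quote plus the method ("POST) and
# field 9 is the status code, so compare whole fields instead of
# regex-matching substrings.
filter_requests() {  # usage: filter_requests METHOD STATUS LOGFILE
    awk -v m="$1" -v s="$2" '$6 == ("\"" m) && $9 == s' "$3"
}

# Count matching requests for a quick "is this volume normal?" check.
count_requests() {
    filter_requests "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Rank matching requests as "count ip path", busiest first. Field 7 is
# the request path.
summarize_requests() {
    filter_requests "$1" "$2" "$3" | awk '{ print $1, $7 }' | sort | uniq -c | sort -rn
}

summarize_requests POST 200 "$LOG"
```

Point the functions at a real domlog instead of "$LOG" and compare the ranked paths against the files wp checksum core flags as unexpected.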
find /path/to/investigate -type f -ctime -N
Replace N with the number of days you want to look back; -ctime matches on inode change time, which unlike the modification time cannot simply be reset with touch.
find /path/to/investigate -type f -name '*.php' -exec grep -lF -e base64_decode -e sh_decrypt_phase -e eval -e rot13 -e gzinflate -e preg_replace {} + 2>/dev/null
Lists PHP files containing any of the terms below; these functions also appear in legitimate plugins and themes, so treat hits as leads to review rather than proof of infection.
Malware Terms
base64_decode
sh_decrypt_phase
eval
rot13
gzinflate
preg_replace
Scanners
Blazescan
Sucuri Sitescan: External service to scan the site for vulnerabilities and common malware.
Linux Malware Detect (maldet)
https://github.com/rfxn/linux-malware-detect
NeoPi
https://github.com/Neohapsis/NeoPI
ClamAV
https://www.clamav.net/downloads
OWASP Web Malware Scanner
https://github.com/maxlabelle/WebMalwareScanner
Minerchk (my own tool for crypto-mining malware)
https://github.com/Hestat/minerchk
Access
Look for server logins:
last (lists recent logins recorded in wtmp, including SSH sessions)