Search for PHP shell scripts and PHP exploits

Replace the path below (.) with the absolute path of the directory you want to recursively scan. For example, you could recursively scan from the working directory:

grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' . -roE --include=*.php*

Path to replace . which will all public-facing web folders on a Cpanel server:

/home/*/public_html/

So it will be:

grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' /home/*/public_html/ -roE --include=*.php*