grep word recursively in file extension

Lately I’ve been cleaning a lot of WordPress websites from a lot of malware code and the simple way for me was to find certain patterns in uploaded .php file.

So here is my way of searching the hack patterns such as eval, base64_decode etc which are also included in .js files and sometimes i search base64 which can be in a lot of .css files.


grep recursively for PHP files with “some pattern”

My command is:

grep -R --include='*.php' 'text pattern' /path/for/searching/

My usual command when I’m into the directory i want to search

grep  -R --include='*.php' 'eval(' ./

If you need this command to search more extensions such as .py, .pl, .sh you can use the following command:

grep  -R --include='*.{py,pl,sh}' 'your word' /path/for/searching

This way you will exclude binary files, images which will make your search faster and easy for you to find what you are looking for.

Also you can add –color in the command so it will be easier to spot the word

grep - -color command

My final command for searching eval() in .php files:

grep --color -R --include='*.php' 'eval(' ./

Happy malware hunting :)

Grep manual:


Leave a Reply

Notify of