grep word recursively in file extension

Lately I’ve been cleaning a lot of WordPress websites from malware code, and the simple way for me was to use grep recursive search to find certain patterns in uploaded .php files.

So here is my way of searching the hack patterns such as eval, base64_decode etc which are also included in .js files and sometimes I search base64 which can be in a lot of .css files. It’s kind of a shorten grep manual.

grep recursively for “some pattern” in PHP files

My grep command is:

grep -R --include='*.php' 'text pattern' /path/for/searching/

My usual recursive grep command when I am IN the directory I want to search:

cd /path/for/searching/
grep  -R --include='*.php' 'eval(' ./

If you need this grep to search for multiple extensions such as .py, .pl, .sh you can use the following command:

grep  -R --include='*.{py,pl,sh}' 'your word' /path/for/searching

This way you will exclude binary files, images that will make your search faster and easy for you to find what you are looking for.

BONUS: You can add –color in the grep command so it will be easier to spot the word

grep - -color command

My final command for searching eval() in .php files:

grep --color -R --include='*.php' 'eval(' ./

Happy malware hunting :)

grep manual

Notify of
Inline Feedbacks
View all comments