Hey, I've decided to write this simple guide for everyone who runs a web server and doesn't want to get rm -rf /'ed by somebody with access to a PHP shell on it.
Method 1:
The first way is with a *nix command. It will only work on a *nix system. If you're on Windows, remove it and install *nix.
The command you want to execute is:
find /var/www -name '*.php' -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
This searches /var/www for any .php file containing the string r57. grep prints each matching line as path:line, uniq -c counts the duplicates, sort -u does a unique sort, cut keeps only the path in front of the first colon, and awk prints it behind "rm -rf". Two caveats: a file with several different matching lines can still show up more than once (the final uniq only collapses adjacent duplicates), and awk's $2 breaks on paths that contain spaces, so read the list before you run it. If you want to search for a disguised file, such as a shell hidden in a .gif, use the same command with the extension changed and grep -a, so that grep treats the image as text and still prints the path:
find /var/www -name '*.gif' -type f -print0 | xargs -0 grep -a r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
You can also take out the
awk '{print "rm -rf " $2}'
stage. It is only there to put "rm -rf" in front of each path so that you can redirect the output into a file and run it to remove the files; without it you get a plain list of matching files, which is the safer thing to look at first.
If you want to search for c99 you may have to change the string, but in my experience this command works fine for finding all shells on a system. You may also want to search for other strings that commonly appear in shells. Here is a list of some popular ones I've seen:
shell
0wned
owned
hacker
h4cker
was here
modded
Command execute
Safe-Mode Bypass
Safe-Mode:
Kernel:
Here is example output from my local Apache server, which has a whole folder of PHP shells:
chronic@vandal:~$ find /var/www -name "*".php -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
rm -rf /var/www/temp/c99.php
rm -rf /var/www/temp/GNYshell.php
rm -rf /var/www/temp/php_listers/c99u.php
rm -rf /var/www/temp/php_listers/safe0ver.php
rm -rf /var/www/temp/php_listers/sniper.php
rm -rf /var/www/temp/r57.php
rm -rf /var/www/temp/c99.php
Easy. Found all but 3 PHP shells located in /var/www.
Then you may proceed to remove the shells.
Method 2:
The second way is by looking through the log files. Log files are usually located in
/var/log
The Apache access log should be in /var/log/apache2/ under the name access.log.
If you look at the log you get a detailed report of what is going on. Take this log line from my system, for example:
::1 - - [06/Feb/2011:16:34:39 -0500] "GET /GNYshell.php?file=%2Fetc%2Fpasswd HTTP/1.1" 200 6147 "http://localhost/GNYshell.php?act=cmd" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13"
The first field, ::1, is the client IP (the local loopback address in this case). Then come the date and the method used, in this case GET. Then we see the most vital piece of info, the page being accessed. Note the
?file=%2Fetc%2Fpasswd
%2F is the URL-encoded form of /, so the request is asking the script to read /etc/passwd. This should be a red flag that the file is a shell, even though on your server it may not be named GNYshell; it may have an innocuous name such as post.php. Then we have some other info, such as the referrer, in this case http://localhost/GNYshell.php?act=cmd, which itself points back at the shell's command page.
From this you know who was accessing the shell, where the shell is, and so on.
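A safer form of both methods, added here as an example and not part of the original post: the signature list, the log indicators and the sample web root and access log are all constructed for the dry run. It lists matching files instead of generating rm commands, survives paths with spaces and disguised binaries, and decodes the %XX escapes in requests before matching them.

```bash
# Added example, not from the original post: a safer form of both checks.
# Signature list, indicators and sample data below are constructed.

# Webshell strings from the post, one fixed string per line.
SHELL_SIGS='r57
c99
Safe-Mode Bypass
Command execute
0wned'

# List each regular file under $1 whose contents match any signature.
# -l prints a file once, -a treats disguised binaries (.gif) as text,
# -i ignores case, -F means fixed strings, -print0/-0 keep spaces intact.
# Review the result by hand rather than piping it into rm.
find_shell_files() {
    find "$1" -type f -print0 | xargs -0 grep -laiF "$SHELL_SIGS" | sort -u
}

# Decode %XX escapes so "%2Fetc%2Fpasswd" reads as "/etc/passwd".
urldecode() { printf '%b' "${1//%/\\x}"; }

# Requests that suggest a shell is being driven (file reads of
# /etc/passwd, the act=cmd and cmd= parameters of r57/c99-style shells).
LOG_INDICATORS='/etc/passwd|act=cmd|[?&]cmd=|eval\('

# Print "ip method decoded-request" for each line of access log $1 that
# matches an indicator. Fields are Apache combined format:
# ip ident user [date tz] "METHOD path proto" status size referer agent
flag_shell_requests() {
    local ip _i _u _d _t method path _r decoded
    while read -r ip _i _u _d _t method path _r; do
        decoded=$(urldecode "$path")
        if printf '%s' "$decoded" | grep -Eqi "$LOG_INDICATORS"; then
            printf '%s %s %s\n' "$ip" "${method#\"}" "$decoded"
        fi
    done < "$1"
}

# Build a throwaway web root and access log for a dry run; prints its path.
make_sample() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/www/img" "$d/log"
    printf '<?php // r57shell ?>\n' > "$d/www/post.php"
    printf 'GIF89a\0\0<?php /* c99 */ ?>\n' > "$d/www/img/logo.gif"
    printf '<?php echo "hello"; ?>\n' > "$d/www/index.php"
    cat > "$d/log/access.log" <<'EOF'
::1 - - [06/Feb/2011:16:34:39 -0500] "GET /GNYshell.php?file=%2Fetc%2Fpasswd HTTP/1.1" 200 6147 "http://localhost/GNYshell.php?act=cmd" "Mozilla/5.0"
10.0.0.5 - - [06/Feb/2011:16:35:01 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Feb/2011:16:36:12 -0500] "GET /post.php?cmd=uname%20-a HTTP/1.1" 200 301 "-" "curl/7.68"
EOF
    printf '%s\n' "$d"
}
```

Run `d=$(make_sample); find_shell_files "$d/www"; flag_shell_requests "$d/log/access.log"` to see the two planted files and the two suspicious requests; the benign index.php and its request are not reported.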
Hope this was useful to you and that you can use it to help secure your server.