find 查找PHP后门

find /path/to/webroot -name "*.php" |xargs grep "eval" |less

find /path/to/webroot -name "*.php" |xargs grep "shell_exec" |less

find /path/to/webroot -name "*.php" |xargs grep "passthru" |less

当然你还可以导出到文件，下载下来慢慢分析：

find /home -name "*.php"|xargs grep "fsockopen"|tee webshell_scan.log