findbot.pl malicious files on server

Written by Peter Davies.

This is useful: http://cbl.abuseat.org/findbot.pl

This script attempts to find malicious files/scripts on your machine. It specifically looks for spambots that we're aware of, as well as "suspicious" constructs in various scripting languages.

root@server:~# ./findbot.pl /home
/administrator/components/com_media/controllers/file.php: Suspicious(base64_decode): tRedirect(base64_decode($return).
/administrator/components/com_login/models/login.php: Suspicious(base64_decode): $return = base64_decode($return);

Most of the other hits are false positives, but all the same it is very helpful to know where the known suspicious commands are used within your web applications.
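Because most hits are false positives, it helps to sort the output before reading it. The following is an added example, not part of findbot.pl or the original post: it parses hit lines in the shape shown above and puts first the ones where the decoded value is passed straight to a code-execution function or comes directly from request data. The ranking heuristic and the third sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line shape taken from the output shown above:
#   <path>: Suspicious(<construct>): <snippet>
HIT_RE = re.compile(
    r"^(?P<path>.+?): Suspicious\((?P<construct>[^)]+)\): (?P<snippet>.*)$")

# Assumption (this example's heuristic, not findbot.pl's logic): a decode whose
# result goes straight into a code-execution function should be reviewed first.
EXEC_SINK_RE = re.compile(
    r"\b(eval|assert|create_function|system|exec|passthru|shell_exec)\s*\(\s*"
    r"(?:@?\w+\s*\(\s*)*base64_decode", re.I)
# Assumption: a decode fed directly from request data is also worth a look.
REQUEST_INPUT_RE = re.compile(
    r"base64_decode\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)

def parse_hits(text):
    """Yield (path, construct, snippet) for every well-formed hit line."""
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("construct"), m.group("snippet")

def triage(text):
    """Group hits by file into 'review_first' and 'likely_benign' buckets."""
    buckets = {"review_first": defaultdict(list),
               "likely_benign": defaultdict(list)}
    for path, construct, snippet in parse_hits(text):
        urgent = EXEC_SINK_RE.search(snippet) or REQUEST_INPUT_RE.search(snippet)
        key = "review_first" if urgent else "likely_benign"
        buckets[key][path].append((construct, snippet))
    return {name: dict(files) for name, files in buckets.items()}

# First two lines are the hits shown in the post; the third is constructed
# for this example (hypothetical path and snippet).
SAMPLE = """\
/administrator/components/com_media/controllers/file.php: Suspicious(base64_decode): tRedirect(base64_decode($return).
/administrator/components/com_login/models/login.php: Suspicious(base64_decode): $return = base64_decode($return);
/images/cache/thumb.php: Suspicious(base64_decode): eval(gzinflate(base64_decode($payload)));
"""

if __name__ == "__main__":
    for bucket, files in triage(SAMPLE).items():
        print(bucket)
        for path, hits in files.items():
            for construct, snippet in hits:
                print(f"  {path} [{construct}] {snippet}")
```

A hit in the "likely_benign" bucket is only deprioritised, not cleared; the scanner's snippet is a short excerpt, so the file itself is still the thing to read.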