Look for any outbound port 80 connections with:
lsof -i :80
You will see your own Apache server in that list too, but keep an eye out for anything else.
Usually, attacks like this are very obvious in the output of:
ps faux
If you see suspiciously named user processes, use:
lsof -p $PID
To find files whose metadata changed within the last 10 days:
find ./ -ctime -10
To find *.php files that have been modified between two periods in time:
find . -name '*.php' -newermt 2014-08-27 ! -newermt 2014-08-30
Find and remove *.php files from a folder they do not belong in, such as your uploads folder. Warning! Dangerous! Make sure you are in the wp-content/uploads folder first!
find . -name '*.php' -type f -exec rm -f {} \;
Or, if you want to run this from the root of several sites:
find . -name '*.php' -type f -print0 | grep -z "wp-content/uploads" | xargs -0 rm -f
One of the hacks I've found ran '/usr/bin/host' preloading a hacked library. Nasty (but creative) stuff. I used this command to find all PHP files that contained the '/usr/bin/host' string:
grep -ri --include='*.php' "/usr/bin/host" ./
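As an added example that is not part of the original post, the following script turns the two checks above (PHP files sitting under wp-content/uploads, and PHP files containing the '/usr/bin/host' string) into a quarantine step that moves flagged files aside for inspection instead of rm'ing them. It runs against a constructed sample tree and assumes GNU find and grep.

```sh
#!/bin/sh
# Added example (not from the original post): triage a WordPress tree for the two
# indicators discussed above, PHP under wp-content/uploads and PHP files containing
# the '/usr/bin/host' string, and quarantine them instead of deleting them outright.
# Assumes GNU find/grep; paths and sample contents below are constructed.

# PHP files that should never exist under wp-content/uploads.
php_in_uploads() {
    find "$1" -path '*/wp-content/uploads/*' -name '*.php' -type f
}

# PHP files anywhere in the tree that embed the '/usr/bin/host' string
# (exit status 1 from grep just means "no matches", so it is not an error here).
php_with_host_string() {
    grep -rl --include='*.php' -- '/usr/bin/host' "$1" || [ $? -eq 1 ]
}

# Move every flagged file into a quarantine dir, preserving its relative path,
# and print one line per file so the run leaves an audit trail.
quarantine_flagged() {
    wproot=$1; qdir=$2
    { php_in_uploads "$wproot"; php_with_host_string "$wproot"; } | sort -u |
    while IFS= read -r f; do
        rel=${f#"$wproot"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv -- "$f" "$qdir/$rel"
        printf 'quarantined: %s\n' "$rel"
    done
}

# Constructed sample tree so the script can be exercised offline; prints its path.
build_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/wp-content/uploads/2014/08" "$tmp/site/wp-includes"
    printf '<?php echo 1;' > "$tmp/site/wp-content/uploads/2014/08/shell.php"  # wrong place
    printf 'jpeg bytes' > "$tmp/site/wp-content/uploads/2014/08/image.jpg"      # benign
    printf '<?php system("/usr/bin/host");' > "$tmp/site/wp-includes/bad.php"  # indicator
    printf '<?php // legitimate code' > "$tmp/site/wp-includes/good.php"        # benign
    printf '%s\n' "$tmp"
}

# Stand-alone demo on the sample tree; point quarantine_flagged at a real docroot instead.
sample=$(build_sample)
quarantine_flagged "$sample/site" "$sample/quarantine"
rm -rf "$sample"
```

Review the quarantine directory before deleting anything; the relative paths it preserves also tell you which uploads date folders and core directories were touched.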
Sometimes you need to find out what a certain process (one that is eating too much CPU, for example) is doing:
strace -p PID
This will filter it to open and close system calls, increase the printed string length to 80 chars and dump the output to a file:
strace -e open,close -s 80 -o log.txt -p PID