How to find list of php files being run on my web server

AgA asked:

Mine is Ubuntu VPS and all my sites are CMS based(Drupal, WordPress etc) which run thru index.php.

My account has been hacked several times using some exploits by placing a php files and executing it. Those hackers aren’t destructive but want to silently misuse my account by redirecting to different URLs in Google or sending spam all silently.

So I just want to see list of php executables being run in Web server account(www-data) once in a day or month. Is there a way?

I know one by reading the Apache access.log files and using the HTTP code 200 to find such files.

Is there any better way?

(I hope Serverfault is the best place to ask this question, otherwise I’ll delete and post it at any other place)

My answer:

I don’t think you want to find all the PHP files, just the malicious ones. Linux Malware Detect is a good tool for this.

Of course, what you really should be doing is securing your server. Keep everything up to date, remove unnecessary modules/plugins, harden WordPress and Drupal, etc.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.