I found a malware file uploaded on the server through WordPress’s file upload feature or something else.
And sooner, it spanned to multiple locations with different file names.
It had 4,325 bytes size and a md5 hash of f6500d327f40da301cbec3779e8e4103.
And further, I detected that it was running on the server via shell script as well and doing mischievous activities.
The cache in the shell and path were something like below in “ps aux” command list:
/usr/bin/php /home/PATH/wp-content/themes/NAME/cache/BADNAME.php
Now the problem is:
Can I list out the files that matches the given md5 hash? Because, even if the file was renamed, the hash should be same.
I want to remove them from the server scanning entirely.
A file hash is not going to matter one bit (nor will any file modification times as those can be faked). When a hacker compromises an account, they often stick other exploits in the account so if the main one is found they still have a way to get inside. Sometimes they will modify existing PHP files and stick a small section of code in it allowing them access. When your hosting account has been compromised, your best option is to delete all of your files under public_html and restore from backups you know are clean. Otherwise, you are going to have to manually examine every PHP file and see if there is malicious code in it. That’s not going to be easy with something like Wordpress.