detecting hacked CMS scripts

  • I already searched for software that could handle it for free, but didn't find any.


    So, the only way I know is to search for several little scripts on the web to look at a home-made solution.
    I don't have the time for it now, but I was thinking of a little personal project that will:
    - Scan /var/www/virtual/* and search for any known file (which contains the version of the CMS). If the CMS keeps its version in the DB, a global search in it will need to be added.
    When the scan is done, it compares all the collected versions with a DB that will contain all the current versions of the CMS; if a newer one is present, we will know it and can forward the information to the customer to make an update.
    We can also imagine that this tool can suspend a domain after X days if the user didn't update their CMS.
    - Set up a "local relay" (a perl script) that will act as a "relay" for mail coming from Apache/PHP. Here, the purpose will be to limit the number of outgoing mails on a per-domain basis. For example, 5 emails maximum per minute.


    After that, I haven't thought of other functionality yet; I have to think about it.


    But to know if a CMS is "infected", I don't think we can find it. Only a real-time analysis of the logs can help on that, if suspicious injections are detected from the website (downloading a file to the server and then the file is called).
    Most of the time, those hacks:
    - set up a kind of relay for spam, using the hacked PHP site to use the mail server for sending it => Here comes my solution about the limit of emails sent. A warning can be sent to the admin to know that this is not normal.
    - download the phishing site and extract it somewhere. => Here, a directory "snapshot" can be made each day, and when something gets different, a report is sent, but as I know, too many reports are useless as we don't read them 1 or 2 weeks later xD
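The two checks the post sketches (an inventory of CMS versions under /var/www/virtual compared against a table of current releases, and a daily directory snapshot whose differences get reported) are shown below as an added example; it is not code from the thread. The WordPress entry relies on the real layout (`$wp_version` in `wp-includes/version.php`); the Joomla path and regex are assumptions to be adjusted for the installed release, the "latest versions" table is constructed, and `demo()` builds a constructed two-domain web root in a temporary directory so the whole thing runs offline.

```python
"""Inventory CMS versions under a web root and diff daily directory snapshots.
Added example; the CMS file layouts below are assumptions to be extended."""
import hashlib
import os
import re
import tempfile

# (cms name, relative path of the file carrying the version, regex with one group)
# WordPress really keeps $wp_version in wp-includes/version.php; the Joomla entry is an
# assumption standing in for whatever file the installed Joomla release uses.
VERSION_FILES = [
    ("wordpress", "wp-includes/version.php", re.compile(r"\$wp_version\s*=\s*'([^']+)'")),
    ("joomla", "libraries/src/Version.php", re.compile(r"RELEASE\s*=\s*'([^']+)'")),
]


def parse_version(text):
    """'6.4.3' -> (6, 4, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def detect_cms(site_root):
    """Return (cms, version) for the first known version file found, else None."""
    for cms, rel, pattern in VERSION_FILES:
        path = os.path.join(site_root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            m = pattern.search(fh.read())
        if m:
            return cms, m.group(1)
    return None


def scan_virtual_hosts(base):
    """Walk base/* (one directory per domain) and map domain -> (cms, version)."""
    found = {}
    for domain in sorted(os.listdir(base)):
        hit = detect_cms(os.path.join(base, domain))
        if hit:
            found[domain] = hit
    return found


def outdated(found, latest):
    """Domains whose installed version is older than the latest known release."""
    return sorted(d for d, (cms, ver) in found.items()
                  if cms in latest and parse_version(ver) < parse_version(latest[cms]))


def snapshot(root):
    """Map every file under root to its sha256 so two days can be compared."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_snapshots(old, new):
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def demo():
    """Build a constructed two-domain web root in a temp dir and run both checks."""
    base = tempfile.mkdtemp()
    wp = os.path.join(base, "example-a.test", "wp-includes")
    os.makedirs(wp)
    with open(os.path.join(wp, "version.php"), "w") as fh:
        fh.write("<?php\n$wp_version = '6.4.3';\n")
    jm = os.path.join(base, "example-b.test", "libraries", "src")
    os.makedirs(jm)
    with open(os.path.join(jm, "Version.php"), "w") as fh:
        fh.write("<?php\nclass Version { const RELEASE = '4.4'; }\n")
    found = scan_virtual_hosts(base)
    latest = {"wordpress": "6.5.0", "joomla": "4.4"}  # constructed "current versions" DB
    stale = outdated(found, latest)
    before = snapshot(base)
    # simulate a dropped file and a modified one, as the daily snapshot diff would see it
    with open(os.path.join(base, "example-a.test", "dropped.php"), "w") as fh:
        fh.write("<?php echo 'new';\n")
    with open(os.path.join(wp, "version.php"), "a") as fh:
        fh.write("// tampered\n")
    added, removed, modified = diff_snapshots(before, snapshot(base))
    return found, stale, added, removed, modified


if __name__ == "__main__":
    print(demo())
```

Comparing parsed tuples rather than raw strings matters because "6.10" sorts before "6.9" as text; and hashing with sha256 instead of relying on mtime means a file rewritten with a preserved timestamp still shows up as modified. To keep the report readable, the daily job would only mail when the diff is non-empty.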

  • found some stuff with:

    Code
    grep -lr --include=*.php "eval(base64_decode" /var/www/virtual


    Code
    /_include/twg_zip.class.php
    /bnpariba(1).php
    /gooo/mailer1.php


    but it's hard to find malicious PHP and JS scripts which are included as a GET command in backdoored Joomla, WordPress etc.
    I need something to search for nulled templates or plugins from sites like nulledstylez.com, dailynulled.com ...
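The grep above catches one string; the scanner below, an added example and not code from the thread, generalises it into a small set of indicators that also covers the case mentioned here, a request parameter passed straight into include/eval. The indicator list and file extensions are my assumptions, the sample files built by `demo()` are constructed, and every hit is a lead for manual triage rather than a verdict, since legitimate plugins also call base64_decode.

```python
"""Scan PHP/JS files under a web root for common backdoor indicators.
Added example: the pattern list is a starting point and yields leads for
manual triage, not verdicts."""
import os
import re
import tempfile

# Assumed indicator set; each regex is applied per line so a hit carries a line number.
INDICATORS = {
    "eval_of_decoded_blob": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "request_param_into_code": re.compile(
        r"\b(eval|include|include_once|require|require_once|system|passthru|shell_exec|assert)"
        r"\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    "preg_replace_e_modifier": re.compile(r"preg_replace\s*\(\s*(['\"])/[^/]*/[a-z]*e[a-z]*\1"),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
EXTENSIONS = (".php", ".phtml", ".inc", ".js")


def scan_text(text):
    """Return [(line_no, indicator_name)] for every matching line of one file."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((no, name))
    return hits


def scan_tree(root):
    """Map relative path -> hits for every script file under root that matched."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(EXTENSIONS):
                continue
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def demo():
    """Write constructed sample files into a temp dir and scan them."""
    root = tempfile.mkdtemp()
    samples = {  # constructed; the decoded blob is just base64 of 'ABC'
        "index.php": "<?php\necho 'hello';\n$x = base64_decode($img);  // decode alone is not a hit\n",
        "gooo/mailer1.php": "<?php\neval(base64_decode('QUJD'));\n",
        "wp-content/themes/nulled/footer.php":
            "<?php\ninclude($_GET['p']);\n$s = '" + "A" * 240 + "';\n",
        "lib/legacy.php": "<?php\n$t = preg_replace('/x/e', 'strtoupper(\"$0\")', $s);\n",
        "assets/app.js": "var ok = true;\n",
        "readme.txt": "eval(base64_decode('ignored, not a script extension'));\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for line_no, name in hits:
            print(f"{path}:{line_no}: {name}")
```

Run it against /var/www/virtual and feed the paths into the same review you would do after the grep; pairing the output with the snapshot diff from the previous post narrows it further, because a hit in a file that also changed since yesterday deserves the first look.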