The vast majority of websites are built on top of existing platforms such as WordPress, Joomla and Drupal.

Sometimes, because an older version of the platform is in use (Drupal, for example), or because of the plugins installed (or insecure custom code), these sites become vulnerable to attacks and may eventually be compromised.

In the post-attack phase, there may be malicious files present, and those need to be cleaned up.

This post will focus on determining provenance of PHP files, and performing static analysis on PHP code to assess if it presents a risk.

The code in malicious files may contain function calls such as eval/*random string*/(arguments). This is valid PHP syntax, and atypical fragments like it are common in obfuscated code, so using regexes to find function calls is complicated and error-prone.

A regex approach is unlikely to be aware of the code structure and might return false matches.
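To make the limitation concrete, here is an added example (not code from the original post) that scans a PHP source with PHP's own tokenizer, token_get_all, so that comments and whitespace between a function name and its opening parenthesis are skipped; the list of flagged names and the sample input are constructed for the illustration.

```php
<?php
// Added example: structure-aware detection of calls such as eval/*junk*/(...)
// using PHP's tokenizer instead of a regex over the raw text.
// The SUSPICIOUS list and the sample input below are constructed assumptions.

// Names whose calls are worth reviewing in a file of unknown provenance.
const SUSPICIOUS = ['eval', 'assert', 'system', 'shell_exec', 'passthru', 'base64_decode'];

function find_suspicious_calls(string $source): array {
    $hits   = [];
    $tokens = token_get_all($source);   // source must start with "<?php"
    $n      = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        // eval is a language construct (T_EVAL); the others are plain T_STRING names.
        if (!is_array($tok) || !in_array($tok[0], [T_STRING, T_EVAL], true)) {
            continue;
        }
        $name = strtolower($tok[1]);
        if (!in_array($name, SUSPICIOUS, true)) {
            continue;
        }
        // Skip whitespace and comments between the name and "(" -- this is
        // exactly what a text regex such as /eval\s*\(/ cannot account for.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j])
               && in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $j++;
        }
        if ($j < $n && $tokens[$j] === '(') {
            $hits[] = ['name' => $name, 'line' => $tok[2]];
        }
    }
    return $hits;
}

// Constructed sample: a comment sits between the name and the "(" in both calls.
$sample = "<?php\n\$x = 'placeholder';\neval/*random string*/(\$x);\nsystem /* gap */ (\$x);\n";

print_r(find_suspicious_calls($sample));               // reports eval (line 3) and system (line 4)
var_dump(preg_match('/\b(eval|system)\s*\(/i', $sample)); // int(0): the regex misses both
```

The tokenizer also distinguishes a real call from the same word inside a string literal or a comment, which is where a regex produces the false matches mentioned above.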