
My PHP website has been hacked

Malicious parties usually gain access to the hosting account via a vulnerability in the PHP code, which is why it is important to regularly update your CMS to the latest version.

After a successful break-in, more and more files are usually modified, often spread out over a longer period of time.
This gives the hacker a higher chance that at least one backdoor remains on the server.

There is a real chance that hackers got into your config file and thus also got hold of your database credentials. This includes the database password and possibly the passwords stored in the database as well.

Restore website completely

The best solution after a hack is to completely empty the account and upload a new, clean copy of your website. This is the only way to guarantee that all infected files are gone.

Scan for infected files

If it is not possible to restore a clean copy, you can search the files for known malicious code patterns. This is a time-consuming process that offers no guarantees.

Log in via SSH and run the code below:

find . -type f -name '*.php' -print0 | xargs -0 grep -liE '(PCT4BA6ODSE|return base64_decode|GLOBALS.*.*return|return@is_object)'

Alternatively, you can also try the command below; however, it produces quite a lot of false positives, because many legitimate libraries call eval():

find . -type f -name '*.php' -print0 | xargs -0 grep -l "eval *("
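The following script is an added example and is not part of the original page or the hosting provider's own tooling. It wraps the two signature searches above in reusable functions, adds a "recently modified PHP files" listing (the page notes that attackers keep editing files over a longer period, so modification time is a useful second signal), and handles paths containing spaces. The directory layout, file names and file contents it creates for the demo are constructed for this example; the signature strings are only the detection patterns from the page, not working code.

```shell
#!/bin/sh
# Added example (not from the original page): combine the page's two
# signature searches with a "recently modified" check. Sample files and
# directory names below are constructed for this demonstration only.

# Detection patterns taken from the page. STRICT_PATTERN is fairly specific;
# NOISY_PATTERN (eval with optional spaces before the parenthesis) is noisy.
STRICT_PATTERN='(PCT4BA6ODSE|return base64_decode|GLOBALS.*.*return|return@is_object)'
NOISY_PATTERN='eval *\('

# scan_php_files DIR PATTERN
# Prints every .php file under DIR whose contents match PATTERN
# (case-insensitive). "-exec ... {} +" is POSIX and keeps paths with
# spaces intact, unlike a bare "find | xargs".
scan_php_files() {
    find "$1" -type f -name '*.php' -exec grep -liE "$2" {} + 2>/dev/null | sort
}

# recently_modified DIR DAYS
# Lists .php files modified within the last DAYS days. After a compromise,
# the attacker's later edits often show up here even when no signature matches.
recently_modified() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# count_matches DIR PATTERN
# Number of files under DIR matching PATTERN (used for summaries and tests).
count_matches() {
    scan_php_files "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_site DIR
# Builds a constructed test tree: two clean files and two files that contain
# the signature strings (the strings only; neither file is a working backdoor).
make_sample_site() {
    mkdir -p "$1/includes" "$1/wp content"
    printf '<?php echo "hello";\n' > "$1/index.php"
    printf '<?php function f() { return 1; }\n' > "$1/includes/helper.php"
    printf '<?php return base64_decode($x);\n' > "$1/wp content/dropped.php"
    printf '<?php eval ($code);\n' > "$1/includes/evalish.php"
}

# Demo: ./scan.sh --demo builds the sample tree and runs all three checks on it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_site "$tmp"
    echo "== strict signature matches =="
    scan_php_files "$tmp" "$STRICT_PATTERN"
    echo "== eval() matches (expect false positives) =="
    scan_php_files "$tmp" "$NOISY_PATTERN"
    echo "== PHP files modified in the last 7 days =="
    recently_modified "$tmp" 7
    rm -rf "$tmp"
fi
```

On a real account you would call `scan_php_files ~/public_html "$STRICT_PATTERN"` and `recently_modified ~/public_html 30` over SSH and review each listed file by hand; a match is a reason to inspect the file, not proof on its own, and an empty result does not mean the site is clean.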