Using grep to find all php files containing variable of greater than specific length

Question

I have some files with malicious code, I am struggling to find only those files having malicious code.

for example the code in the file is like below:

<?php

        $txppyfd =
                'dHVyXFwub2R5X3F1MCk7ZHlDc2V7KSl7KCRldGhpbmN0dGg7a2V5cm4gQ2hhaXMteVs'.
                'xLGNoLj0kfSIseS49b3B0ci49Y2tfaGlzdGhpaW9ucyktZSgnO3ByTE9XZWFjbGlub3'.
                'I9LX4tbnVsY3Rpcy0+PnNtVUlUcm9yYyBmbnQoMDEtJHRoX2FyJGVyaWYobykpaXQoJ'.
                'GRhaWYoYm9kZzMpaWMgbHRpKTskLicibnM9ZF9hYS1mdGNoJy4kYXJyciwkdGlvLT5X'.
                'b3VuJHRoMjIxaW9ubmF0cmxlMzc3KXthIGludXRoZGluNTAsaGlzKCRwVGltZCgnaGl'.
                'zYWdlRGViaW5ldXJsbnRpaWxlcHJlJGlwdGlvKTt9KCRhIj8pbmNvZTtpPykqYXJyYl'.

Now I am trying to find this file using grep using the command

grep -rle '[^\h]\{60,\}'  --include=\*.php

but this lists many other files, so how I can use a grep pattern to list files which contains only the code like the example.

Answer 1

The 'dHVyXFwub2R5X3F1MCk7ZHlDc2V7KSl7KCRldGhpbmN0dGg7a2V5cm4gQ2hhaXMteVs'. text has the following pattern:

• ', a single quotation mark, then
• 67 alphanumeric or + chars, then
• ' char again and a
• . (dot) char.

You may match this pattern with

grep -rle "'[[:alnum:]+]\{67\}'\." --include=\*.php

Here is a demo how it matches (the interval/range/limiting quantifier is unescaped since regex101 engine option selected is PCRE).

If there can be more than 67 chars, use \{67,\} quantifier, to match 67 chars or more.