For the last 4 days, we have been facing a strange issue on our production server (AWS EC2 instance), specific to only one site, which is SugarCRM.
Issue is /home/site_f
The renaming of .php files to .php.suspected is still happening today. The following commands should not turn up anything:
find -name '*.suspected' -print
find -name '.*.ico' -print
In my case, the infected files could be located with the following commands:
cd
egrep -Rl '\$GLOBALS.*\\x'
egrep -Rl -Ezo '/\*(\w+)\*/\s*@include\s*[^;]+;\s*/\*'
egrep -Rl -E '^.+(\$_COOKIE|\$_POST).+eval.+$'
I have prepared a longer description of the problem and how to deal with it on GitHub.
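The answer above gives two kinds of checks: file-name checks (renamed `.php.suspected` files, hidden `.ico` files) and content checks (the three egrep patterns). The script below is an added example, not code from the answer's author or from SugarCRM, that translates those shell commands into one Python scan so the indicators can be reviewed together and re-run after cleanup. The directory layout, file names and file contents it creates are constructed samples for demonstration; the `INDICATORS` names are labels chosen here, and `scan_tree`/`demo` are hypothetical helper names.

```python
import re
import tempfile
from pathlib import Path

# The three egrep patterns from the answer, translated to Python regexes.
# Labels are chosen here for readability; they are not from the original post.
INDICATORS = {
    "globals_hex": re.compile(r"\$GLOBALS.*\\x"),
    "comment_include": re.compile(r"/\*(\w+)\*/\s*@include\s*[^;]+;\s*/\*"),
    "cookie_post_eval": re.compile(r"^.+(\$_COOKIE|\$_POST).+eval.+$", re.M),
}


def scan_tree(root):
    """Walk `root` and return {relative_path: [indicator labels]} for every file
    that matches a file-name check or one of the content regexes above."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        hits = []
        name = path.name
        # Name-based checks: the two `find` commands from the answer.
        if name.endswith(".suspected"):
            hits.append("renamed_suspected")
        if name.startswith(".") and name.endswith(".ico"):
            hits.append("hidden_ico")
        # Content-based checks: the three egrep patterns.
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for label, regex in INDICATORS.items():
            if regex.search(text):
                hits.append(label)
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def build_sample_tree(root):
    """Create a constructed site tree with one clean file and four files that
    each trigger a different indicator. All contents are made up for the demo."""
    root = Path(root)
    (root / "inc").mkdir()
    (root / "index.php").write_text('<?php echo "hello"; ?>\n')
    # A PHP file that was renamed with the .suspected suffix.
    (root / "index.php.suspected").write_text('<?php echo "hello"; ?>\n')
    # Hidden .ico file carrying a comment-wrapped @include.
    (root / ".cache.ico").write_text('<?php /*abc*/ @include "/tmp/x"; /*def*/ ?>\n')
    # $GLOBALS assignment with hex-escaped string literals (raw string keeps the backslashes).
    (root / "inc" / "config.php").write_text(r'<?php $GLOBALS["_x"] = "\x61\x62"; ?>' + "\n")
    # Line that reads from $_POST and passes it to eval.
    (root / "inc" / "hook.php").write_text('<?php if (isset($_POST["c"])) { eval($_POST["c"]); } ?>\n')


def demo():
    """Build the sample tree in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, labels in demo().items():
        print(f"{rel_path}: {', '.join(labels)}")
```

Run it against a real web root by calling `scan_tree("/path/to/site")` instead of `demo()`; after a cleanup, the same call should return an empty dict, which is the same "should not turn up anything" check the answer describes, and any remaining hit points at a file to inspect by hand.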