This is very useful for locating files that have been uploaded using an exploit and are still owned by the nobody user.
The below command will search all user document root for files owned by nobody and display them on the screen.
This is one of the most likely location of uploaded nobody files but its possible for files to be outside this directory.
find /home/*/public_html -user nobody -print
The below command will search and delete all files in the users document root that are owned by the nobody user. It’s recommended you just do a find first, then if it’s clear run the below command:
find /home/*/public_html -user nobody -print | xargs rm
To delete folders owned by nobody user too, use:
find /home/user/public_html -user nobody -print | xargs rm -Rf