Recently we had a customer that was the victim of an iframes attack. The attacker placed some 4600+ files in the public_html/ directory and altered some 4600+ files within the public_html/ directory. We wrote a script to delete all the injected files but that still left some 4600+ files that were altered by the cracker that needed to be tended to.
Intial thought was to replace the altered files., but the attacker only appended two lines of code to each file that was altered. Since only two lines of code were appended to the altered files I went on the hunt for a script that could perform a “find and replace” on all the alterted files. While searching for a script I ran across this nifty little site. www.website-security.info
These guys have a great little “find and replace”, script located here SCRIPT
Give these guys a look see, they also have a neat little script that checks for back doors called “Malicious Code Finder.” The MCF can be found here SCRIPT
I ran the MCF on several boxes I admin and the results were very interesting to say the least.
Anyway, look these guys up, I recommend their site.