Recently, we had a customer that was a victim of an iframes attack.  The attacker placed some 4600+ files in the public_html/ directory and altered some 4600+ files within the public_html/ directory.  We wrote a script to delete all the injected files but that still left some 4600+ files that were altered by the cracker that needed to be tended to.

Initial thought was to replace the altered files, but the attacker only appended two lines of code to each file that was altered.  Since only two lines of code were appended to the altered files, I went on the hunt for a script that could perform a “find and replace” on all the altered files.  While searching for a script, I ran across this nifty little site, (link no longer valid).

These guys have a great little “find and replace” script, which is located here SCRIPT (link no longer valid)

Give these guys a look see, they also have a neat little script that checks for back doors called “Malicious Code Finder”.  The MCF can be found here SCRIPT (link no longer valid)

Anyway, look these guys up.  I recommend their site.
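For the cleanup described above, where two lines were appended to each altered file, the following is an added example and not the script the post links to. The two marker lines are constructed placeholders (the post does not show the injected code), and `backup_dir` is an assumed directory outside the web root for keeping the original infected copies.

```python
import os
import shutil

# Constructed placeholders: replace with the exact two lines found appended
# to the altered files. The post does not reproduce the real injected code.
INJECTED_TAIL = [
    b"<!-- injected-line-1 (placeholder) -->",
    b"<!-- injected-line-2 (placeholder) -->",
]

def strip_tail(data, tail=INJECTED_TAIL):
    """Return data minus the injected tail, or None if data does not end with it."""
    lines = data.splitlines(keepends=True)
    n = len(tail)
    if len(lines) < n:
        return None
    # Compare only the final lines, ignoring LF/CRLF differences.
    if [line.rstrip(b"\r\n") for line in lines[-n:]] != tail:
        return None
    return b"".join(lines[:-n])

def clean_tree(root, backup_dir, apply=False):
    """List files under root that end with the injected tail; repair them if apply=True."""
    cleaned = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never write through symlinks
            with open(path, "rb") as fh:
                original = fh.read()
            repaired = strip_tail(original)
            if repaired is None:
                continue  # tail absent, or markers not at the very end
            if apply:
                # Keep the infected copy outside the web root as evidence.
                dest = os.path.join(backup_dir, os.path.relpath(path, root))
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                shutil.copy2(path, dest)
                tmp = path + ".tmp"
                with open(tmp, "wb") as fh:
                    fh.write(repaired)
                shutil.copymode(path, tmp)  # preserve permission bits
                os.replace(tmp, path)       # atomic swap on the same filesystem
            cleaned.append(path)
    return sorted(cleaned)
```

Run it once with `apply=False` to review the list of matches before letting it rewrite anything; files where the markers appear anywhere other than the very end are left untouched for manual inspection.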