How to scan for infected web pages
Here are some common patterns to look for when scanning web pages for compromised files. Each command except the last one creates a file called maybeinfected in the directory where it is run, listing the files that matched. You can then go through each file to find and remove the injected code. The injected code typically appears as packed, garbled text, because it is usually obfuscated or encoded to avoid detection.
find . -name '*.php' | while IFS= read -r FILE; do if grep -F '$GLOBALS' "$FILE"; then echo "$FILE" >> maybeinfected; fi ; done
find . -name '*.php' | while IFS= read -r FILE; do if grep -F 'eval(base64_decode' "$FILE"; then echo "$FILE" >> maybeinfected; fi ; done
find . -name '*.php' | while IFS= read -r FILE; do if grep -F 'PCT4BA6ODSE_' "$FILE"; then echo "$FILE" >> maybeinfected; fi ; done
Automatically delete any file that matches a pattern (this removes the whole file, not just the injected code):
find . -name '*.php' | while IFS= read -r FILE; do if grep -F 'PCT4BA6ODSE_' "$FILE"; then rm -f -- "$FILE"; fi ; done
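The three scans above combined into one pass, as an added example that is not part of the original page: it records which indicator matched each file and lists each flagged file only once. The function names, the sample file names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): scan once for all three
# indicators the page greps for and record which one matched each file.

# Fixed strings, one per line, taken from the commands on this page.
PATTERNS='$GLOBALS
eval(base64_decode
PCT4BA6ODSE_'

# scan_php DIR: print "indicator<TAB>path" for every *.php file under DIR
# that contains an indicator. grep -F treats "$" and "(" literally, and
# read -r keeps names with spaces or backslashes intact.
scan_php() {
    find "$1" -type f -name '*.php' | while IFS= read -r file; do
        printf '%s\n' "$PATTERNS" | while IFS= read -r pat; do
            if grep -qF -e "$pat" -- "$file"; then
                printf '%s\t%s\n' "$pat" "$file"
            fi
        done
    done
}

# flagged_files DIR: unique list of paths, the page's "maybeinfected" list.
flagged_files() {
    scan_php "$1" | cut -f2- | sort -u
}

# make_sample_tree DIR: constructed test input (hypothetical file names).
make_sample_tree() {
    mkdir -p "$1/sub dir"
    printf '<?php echo "hello"; ?>\n' > "$1/clean.php"
    printf '<?php eval(base64_decode("AAAA")); ?>\n' > "$1/sub dir/a b.php"
    printf '<?php $GLOBALS["x"] = 1; /* PCT4BA6ODSE_ */ ?>\n' > "$1/two.php"
    printf 'PCT4BA6ODSE_\n' > "$1/notes.txt"   # not *.php, so never scanned
}

# Usage: sh scan.sh /path/to/webroot   (writes ./maybeinfected)
if [ "$#" -gt 0 ]; then
    flagged_files "$1" > maybeinfected
    scan_php "$1"
fi
```

`$GLOBALS` is also an ordinary PHP superglobal, so a hit on that indicator alone is a reason to review the file, not proof of infection.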