When a hacker / cracker compromises a website there is usually some malicious code inserted in html, php and other files. Usually cleaning it is a 5 minutes job 
In our case, we will assume the attacker has inserted the following string “<script> bla$%333%blablalalala </script>” at random lines inline in PHP files. Here is an example:
<?php
echo ‘Supa site blabla’; <script> bla$%333%blablalalala </script>
include(‘hackme.php’);
?>
No problem to clean this with sed and a simple regular expression:
find -name “*.php” |xargs sed -i ‘s/<script>.*blabla.*<\/script>//g’
First we find every php file and pass it to sed with xargs. Then sed looks for anything that begins with <script> has anything inside(.*), has blabla somewhere in the middle, again has anything and ends with </script>. The “/” has been escaped with “\” while .* means anything.
The above will work as long as you customize it for your case. You just have to change script’s opening and closing tags to anything else the attacker has used to begin and end his stuff.
In my experience I have come upon one problem with such cases. The attacker’s script left a blank line between or after his malicious code. When the malicious code is inserted at the end of a php file, this means that php files will have an empty line in the end after cleaning up the malicious code. Then you will get warnings such as “Headers already sent”. In this case we will have to delete the last empty lines from all php files using this sed string:
find -name “*.php” |xargs sed -i ‘${/^$/d}’
However, sometimes hackers / crackers play it hard and insert the malicious code over several lines. In this case sed would not help, because it processes the file line by line. The easiest solution is using this perl script:
$cat multiline-replace.pl
#!/usr/bin/perl
open(INPUT,”<$ARGV[0]“) or die;
@input_array=<INPUT>;
close(INPUT);
$input_scalar=join(“”,@input_array);
# Do your substitution here.
$input_scalar =~ s#\<\?php.*maliciouspattern.*\n.*\n.*?>\n##ig;
open(OUTPUT,”>$ARGV[0]“) or die;
print(OUTPUT $input_scalar);
close(OUTPUT);
First, the above has been copied almost literary from linuxquesions.org. There are two important things about it:
\<\?php.*maliciouspattern.*\n.*\n.*?>\n is the regular expression which matches (with the escapes):
<?php maliciouspattern ))
//I am a smart hacker, am not I ;P
?>
I have added an additional \n to the regex because otherwise it leaves a blank line
The next thing is that the script looks for the first argument from the standard input. So if you’d like to run the above on all *.php scripts recursively, you should do it like this:
for i in `find -name “*.php”`; do ./multiline-replace.pl $i; done
The above runs the script file by file. It might take a bit longer but it will not exceed the maximum length for a bash variable no matter how many files you have, nor it will cause too high load on the server.
If you make the mistake to leave an empty line in one of sed’s mutations, here is how to delete it:
sed -i ‘/./,/^$/!d’
Hopefully this helps you fight those bad people and make the world better 
Don’t forget to make backups because all kinds of crazy stuff happens
