My shared hosting account with a number of websites was compromised. Some malware on my PC, which I probably got through downloading a PDF file, found all my FTP passwords and happily went about its business of inserting some code into all index.* files on the server. I have now gotten rid of this malware, and I am ready to change all FTP passwords as soon as I have repaired the damage done.

I do have some backups, but not of everything and not all recent. So I thought the simplest and quickest way to restore everything would be to repair all index.html files in all folders. However, because I use Joomla, where every folder has an index.html file to prevent directory listing, there are thousands of those files. So, I need to use an automated tool.

  1. One option is to search and replace the inserted strings in all index.html files, but I don't think that will work because the strings are different across files.
  2. Another option is to simply replace all content in index.html files by what I know should be the proper content.
  3. A third option would be to replace all index.html files by a copy of what I know to be the proper file.

A bit to my surprise I haven't found a script yet that does option 2 or 3. I did find all sorts of programs or scripts that do part of the job (search&replace strings, recursively go through a directory tree, etc) but unfortunately I am not able to combine those into one working solution.

Preferably the solution would be a php or other script working on the server, so that I do not need to download everything and can do it using FTP and cPanel as my only tools.

From what I have researched, I am not the only victim of this malware. So a solution would also help other Joomla users. Moreover, if a solution would be able to work with custom filenames (e.g. index2.php) to be replaced by selected files as templates to be copied, anyone who falls victim using any sort of php file would be helped by a solution. Apparently an increase in the number of victims is expected.

Does anyone know of a php script that would be a solution for me, or would anyone be able to create one?

Assuming a solution is found, does anyone have a blog where it could be posted and found by others?

Many many thanks in advance!

PS I should note that the malware actually changes any file named index and apparently also default. But there are not many files with a .php extension, so I can do those manually.

+2  A: 

One of my friends had a similar issue some time back and he wrote a PHP script. Check this post out. Check if it helps you.

Shoban
A: 

This sounds like a somewhat unusual set of circumstances to occur all at once so I'm not surprised that there isn't an existing solution to this problem.

> 3) A third option would be to replace all index.html files by a copy of what I know to be the proper file.

I think this is probably your best bet. This should take about an hour to write up in Python. Take a look at the os and shutil modules, particularly os.walk() and shutil.copyfile(). An example usage of os.walk() can be found here, since os.walk() can be a bit confusing when you're first learning it.

Alternatively, you could Paypal me $50 and email me a description of the file structures (both where you're getting the backups from and where they are going to) and I'll happily write the script for you. :)

Imagist
Nice to see some PayPal action going on here! :D
Alix Axel
@eyze I aim to please! Plus, I am out of a job and I really am in need of money. :)
Imagist
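
The os.walk() and shutil.copyfile() approach from the answer above, as an added example that is not part of the original thread. The function names, parameters and the demo tree are hypothetical and constructed; it assumes every file with a listed name should be identical to the known-good template, defaults to a dry run, and moves each tampered file to a quarantine directory outside the web root instead of deleting it.

```python
import hashlib
import os
import shutil
import tempfile


def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def restore_index_files(root, template, quarantine, names=("index.html",), dry_run=True):
    """Replace files in `names` under `root` that differ from `template`; return their paths."""
    root, quarantine = os.path.abspath(root), os.path.abspath(quarantine)
    if os.path.commonpath([root, quarantine]) == root:
        raise ValueError("quarantine must be outside the tree being repaired")
    good, changed = sha256(template), []
    for dirpath, _dirs, files in os.walk(root):  # does not follow directory symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            if name not in names or os.path.islink(path) or sha256(path) == good:
                continue  # some other file, a symlink, or already clean
            changed.append(path)
            if not dry_run:  # tampered copy is kept in quarantine for inspection
                kept = os.path.join(quarantine, os.path.relpath(path, root))
                os.makedirs(os.path.dirname(kept), exist_ok=True)
                shutil.move(path, kept)
                shutil.copyfile(template, path)
    return sorted(changed)


def build_demo_tree(base):
    """Constructed sample: one clean and one tampered index.html, plus one other file."""
    site, template = os.path.join(base, "site"), os.path.join(base, "clean_index.html")
    os.makedirs(os.path.join(site, "images"))
    clean = "<html><body></body></html>\n"
    samples = {template: clean,
               os.path.join(site, "index.html"): clean,
               os.path.join(site, "images", "index.html"): clean + "<!-- injected -->",
               os.path.join(site, "images", "readme.txt"): "untouched"}
    for path, text in samples.items():
        with open(path, "w") as fh:
            fh.write(text)
    return site, template


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        print(restore_index_files(*build_demo_tree(base), os.path.join(base, "quarantine")))
```

Review the dry-run list before calling it again with `dry_run=False`; any listed file that is a real page and not a placeholder needs restoring from backup instead.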