+2  A: 

Simplified solution, assuming that all virus code is on a single line:

find /www/directory \( -name '*.html' -o -name '*.php' \) -exec perl -i -ne 'print unless /getrelax4you\.com/' '{}' \;

Short explanation: visit all files under /www/directory with an html or php extension. Use perl to edit each file in place by copying all lines verbatim to output, unless they contain the string "getrelax4you.com"; those lines are removed.

Caveat emptor! Make a backup before trying this; I might have missed some small detail.

zvrba
I'm not a perl hacker, so forgive me if this is stupid, but won't this just remove the "getrelax4you.com" part?
Andre Artus
No, it won't, it will remove the whole line if it matches the given pattern.
zvrba
Perhaps something like this? perl -pi -w -e 's!<iframe(\s*\w+\s*=\s*'[^']*'\s*)*src='http://getrelax4you[^']*'(\s*\w+\s*=\s*'[^']*'\s*)*>!<iframe src="">!simg;' *.php
Andre Artus
What if that line has text you don't want to remove?
Andre Artus
@Andre: IMHO, overengineering. It is likely that the whole domain (getrelax4you.com) hosts malware and that no legitimate link on the original pages points there anyway.
zvrba
I agree with your assessment re. the domain. I just think it would be prudent to target the offending tag specifically. It is possible that the tag resides on its own line, but it's not guaranteed. I don't know whether the preinfected code had iframes in it or not, and if the iframe tag encloses legitimate markup. If the whole tag (begin and end) was injected by the virus then I would modify the regex to remove all the offending code.
Andre Artus
@zvrba: That's not overengineering, this is overengineering(:D): s!<iframe(\s*\w+\s*=\s*('[^']*'|"[^"]*")\s*)*src=('[^']*getrelax4you[^']*'|"[^"]*getrelax4you[^"]*")(\s*\w+\s*=\s*('[^']*'|"[^"]*")\s*)*>((.*?)</iframe>)?!!simg;
Andre Artus
There is nothing after that line. And now I realize that code is missing after it. It truncated the remaining code. Not good.
@Mikenicee: You do keep backups, right?
Andre Artus
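The comments above weigh dropping the whole line against removing only the offending tag. The following is an added example, not code from anyone in the thread, that removes just the iframe tags whose src mentions the domain and keeps the originals in a separate directory. The names strip_injected, clean_tree and demo are hypothetical, the sample page is constructed, and the pattern assumes the injected frame is empty and was inserted as a whole tag.

```python
import re
import shutil
import tempfile
from pathlib import Path

DOMAIN = b"getrelax4you.com"      # domain named in the thread
EXTENSIONS = {".html", ".php"}    # file types the find command visits
# Opening <iframe> tag whose quoted src mentions DOMAIN, plus its closing tag
# when only whitespace separates them (an empty frame, assumed injected whole).
INJECTED = re.compile(
    rb"<iframe\b[^>]*?\bsrc\s*=\s*(?:'[^']*%b[^']*'|\"[^\"]*%b[^\"]*\")[^>]*>"
    rb"(?:\s*</iframe\s*>)?" % ((re.escape(DOMAIN),) * 2), re.IGNORECASE)

def strip_injected(data):
    """Return (cleaned bytes, number of tags removed)."""
    return INJECTED.subn(b"", data)

def clean_tree(root, backup_dir=None):
    """Report {relative path: tags removed}; rewrite only if backup_dir is given."""
    root, report = Path(root), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        cleaned, hits = strip_injected(path.read_bytes())
        if not hits:
            continue
        rel = path.relative_to(root)
        report[rel.as_posix()] = hits
        if backup_dir is not None:      # originals go outside the web root
            saved = Path(backup_dir) / rel
            saved.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, saved)
            path.write_bytes(cleaned)
    return report

def demo():
    """Constructed sample: the injected frame shares a line with real markup."""
    with tempfile.TemporaryDirectory() as tmp:
        web, bak = Path(tmp, "www"), Path(tmp, "backup")
        (web / "sub").mkdir(parents=True)
        page = web / "sub" / "index.php"
        page.write_bytes(b"<p>hi</p><iframe src='http://getrelax4you.com/x' width=1>"
                         b"</iframe></body></html>\n<iframe src=\"/map.html\"></iframe>\n")
        (web / "notes.txt").write_bytes(b"getrelax4you.com\n")  # skipped: not html/php
        preview = clean_tree(web)       # dry run: report only
        applied = clean_tree(web, bak)  # back up, then rewrite
        return preview, applied, page.read_bytes(), (bak / "sub" / "index.php").read_bytes()

if __name__ == "__main__":
    print(demo())
```

Calling clean_tree without a backup directory only reports what would change, so the hit list can be reviewed before any file is rewritten.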
+3  A: 

Your server has been compromised; simply restore the site files onto a clean server from your source code repository.

Fixing up any user data may be more tricky; you can no longer trust the contents of your db, so you have to be very careful. Better luck next time.

MarkR
+1 - never trust a damaged server
Artyom
+1 - I actually wanted to answer that, but giving a perl one-liner was more fun ;)
zvrba
@Zvrba: Doing anything in perl is going to be a lot more fun :)
Andre Artus