I recently discovered that a number of sites of mine were considered unsafe by Google, Firefox, Yandex … The reason was they had detected malware being served to visitors of the site. I checked a bit further and I discovered it was the Mal/Badsrc-M – Troj/PHPShll-B trojan. In each of my (WordPress and other) PHP files, the first line had been changed to

<?php /* */ eval(base64_decode("...(bad stuff)"));?><?php ...
The file is easy to clean up: you remove the eval statement and that’s it. Only, on this server several hundreds of PHP files (WordPress, MediaWiki, …) were affected. So I made a script to go through all of them and clean up. It uses the fact that

  • the whole injected statement is on 1 line
  • no ‘decent’, trustworthy program uses eval(base64_decode(" ... ")) in its PHP code
  • it moves the second <?php to the second line and then removes the whole first line

So if you have the same problem, use a bash script like this and run it in the root of all your websites: