One of my Joomla websites got hacked the other day. Yes, I still have one or two Joomla websites. The end result was one line of malicious code placed on the first line of every PHP file in that website's directory. Because the site had a lot of components, around 1,051 files had been modified. Even worse, it had been infected about 15 days ago and I keep about 12 days of recurring backups on that server, so my backups were gone. It either hadn't been reported or didn't show its face until this week.
Linux has tons of commands that will search for and modify files. It took two lines of code and about 8 minutes to fix this, which amounted to searching several directories down, finding the files that had a certain string, and then running a command to delete the first line of each file. To be honest, it did take me an hour to research this and come up with solutions. I'm hoping I never need to do this again, but I'm posting this so I can reference it the next time.
Oh, one warning: be very careful with the second command. I was testing this on backups of my infected site and got it working through some trial and error, but one time I ran the command twice by accident and it went a step further and deleted one more line, which in turn messed the files up.
First you have to have a common string to identify the files so you know they have the problem. In my case the beginning of the code was the same in every one of the files that had the problem.
I used the grep command to make a text file with my problem files. Run this from the root of your website, etc.
grep -lr "Your String" . | cat > foofile
That produced a text file with all the suspicious files. The following command then parses that text file and removes the first line of each file, which was my problem.
cat foofile|xargs sed -i '1d'
If you want to be sure that you got it you can run the grep command one more time and view foofile to see if there are any more entries.
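A safer variant of the two commands above, as an added example that is not from the original post: it deletes line 1 only when that line still contains the marker string, so running it twice does no further damage, and it copes with spaces in file names. The names strip_marker_line, make_sample_tree, MARKER_DEMO and the .bak suffix are assumptions made for the illustration.

```shell
#!/bin/sh
# strip_marker_line DIR MARKER [-n]
# For each *.php file under DIR whose FIRST line contains MARKER (literal
# text), keep a copy as FILE.bak and remove that one line. Prints every file
# it changes; with -n it only prints what it would change (dry run).
strip_marker_line() {
    find "$1" -type f -name '*.php' -exec sh -c '
        marker=$1; dry=$2; shift 2
        for f do
            # Test line 1 only: a clean or already repaired file is skipped,
            # so a second run cannot delete another line.
            head -n 1 "$f" | grep -qF -e "$marker" || continue
            # Never overwrite an earlier backup.
            if [ -e "$f.bak" ]; then
                echo "skipped, backup exists: $f" >&2
                continue
            fi
            printf "%s\n" "$f"
            [ "$dry" = "-n" ] && continue
            # Rewrite the existing file in place to keep its owner and mode.
            cp -p "$f" "$f.bak" && tail -n +2 "$f.bak" > "$f"
        done' sh "$2" "${3:-}" {} +
}

# Constructed sample tree; MARKER_DEMO stands in for the injected string.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/components/com demo"
    printf '%s\n' '<?php /*MARKER_DEMO*/ ?>' '<?php' 'echo 1;' > "$d/index.php"
    printf '%s\n' '<?php /*MARKER_DEMO*/ ?>' '<?php' 'echo 2;' \
        > "$d/components/com demo/a b.php"
    printf '%s\n' '<?php' '// MARKER_DEMO on line 2 only' > "$d/clean.php"
    printf '%s\n' "$d"
}
```

Run it with -n first and review the list. The .bak copies still contain the injected line, so move them out of the web root once the site checks out.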
Update:
I recently had to add a line to the top of several files after I had just removed the first line. Basically, I had a foofile (see above) that listed the files where grep found the string. I ran the following commands:
This one deletes the first line from all the files:
cat foofile|xargs sed -i '1d'
This one adds the text in as the first line:
cat foofile|xargs sed -i '1i <?php'
