Update: It seems a new version of the attack has been made using the .htaccess files. So, this guide might be outdated.
Anyways, I did a little searching around. Seems that every single PHP file of mine was appended with the cheesy base64_encode’ed code.
My crappy webhost doesn’t provide SSH access. I couldn’t use my favorite command line. So, I had to write some PHP code. Though it’s not the most efficient script, it does the job well.
OK, here’s how you get rid of it.
1) Extract and upload this to your root directory.
2) Open one of your PHP files. At the top you’ll have code similar to <?php eval(base64_decode('shit')); ?>. Copy and paste it into the ‘replace.txt’ file.
3) Open yoursite.com/replace.php. It’ll take a few minutes. Scroll down; it will have replaced the malicious code.
And oh, you need to have the File_SearchReplace PEAR package installed on your host for this script to work.
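For hosts without PEAR, the same search-and-replace pass can be sketched in plain PHP. This is an added example, not the replace.php from this post; it assumes replace.txt sits beside the script, and the "apply" query parameter is a hypothetical name.

```php
<?php
// Added example; not the original replace.php. Assumes replace.txt sits next
// to this script and holds the exact snippet copied from an infected file.
declare(strict_types=1);

function clean_tree(string $root, string $needle, bool $dryRun = true): array
{
    $report = ['scanned' => 0, 'cleaned' => [], 'suspect' => [], 'failed' => []];
    if ($needle === '') {
        return $report; // nothing to search for
    }
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $path = $file->getPathname();
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php'
            || realpath($path) === realpath(__FILE__)) {
            continue; // only .php files, and never this script itself
        }
        $report['scanned']++;
        $body = file_get_contents($path);
        if ($body === false) {
            $report['failed'][] = $path;
            continue;
        }
        $hits = 0;
        $fixed = str_replace($needle, '', $body, $hits);
        if ($hits > 0) {
            if (!$dryRun && file_put_contents($path, $fixed, LOCK_EX) === false) {
                $report['failed'][] = $path;
                continue;
            }
            $report['cleaned'][] = $path;
        }
        // A variant with a different payload survives an exact-match replace.
        if (stripos($fixed, 'eval(base64_decode(') !== false) {
            $report['suspect'][] = $path;
        }
    }
    return $report;
}

// Dry run by default; the "apply" query parameter is hypothetical.
$needle = trim((string) @file_get_contents(__DIR__ . '/replace.txt'));
header('Content-Type: text/plain');
print_r(clean_tree(__DIR__, $needle, !isset($_GET['apply'])));
```

Files listed under "suspect" still contain an eval(base64_decode( call after the pass and need a manual look. Delete the script and replace.txt from the server once the cleanup is done.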
Also, Sucuri says that these websites also do the same crap.