rm-malware.sh

#!/bin/bash
#
# This script remove malware of PHP files.
# Remeber to change \u002F\u0069\u006E\u002E\u0063
# With the string in your files.
# remember to escape the \ with \\\\ and run again this removal script.
#
# Usage
# Check for infected files
# ./rm_malware.sh /var/www/wp_path/
# Cleaninfected files
# ./rm_malware.sh /var/www/wp_path/ clean

if [[ -z "$1" ]]; then
  echo "Directory where to find is required."
else
  grep -rnwl $1 --include \*.php -e "\\\\u002F\\\\u0069\\\\u006E\\\\u002E\\\\u0063" | while read -r filename ; do

    if [[ ! -z "$2" ]]; then
       echo "Found file $filename. Cleaning..."
       awk 'BEGIN {matches=0} matches < 1 && /1/ { sub(/^.*<?php/,"<?php"); matches++ } { print $0 }' $filename > $filename.purged
       mv $filename $filename.bck
       mv $filename.purged $filename
    else
      echo "Found file $filename."
    fi

  done
  echo "Done."
fi