
About Removing Malware Scripts

I am working on a PHP website and it regularly gets infected by malware. I've gone through all the security steps but failed. But I know how it infects my code every time. It comes at the start of my PHP index file as follows.

<script>.....</script><?

Can anybody please help me with how I can remove the starting block of code from every index file in my server folders? I will use a cron job for this.

I have already gone through the regex question about removing JavaScript malware but did not find what I want.


You should change the FTP password to your website, and also make sure that there are no programs running in the background that open TCP connections on your server, enabling some remote dude to change your site files. If you are on Linux, check the running processes and kill/delete anything suspicious.

You can also make all server files read-only as root...

Anyhow, a trojan/malware/unauthorized FTP access is to blame, not JavaScript.

Also, this is more of a SuperUser question...


Clients regularly call me to disinfect their non-backed-up, PHP-malware-infected sites on host servers they have no control over.

If I can get shell access, here is a script I wrote to run:

( set -x; pwd; date
  # find PHP files carrying the trojan signature, shell-escape each path for xargs,
  # and let sed strip the injected line, keeping a timestamped .bak of every file it touches
  # (in sed's default BRE the ? is literal, so .*?> runs greedily to the last ?> on that line)
  time grep -rl zend_framework --include=*.php --exclude=*\"* --exclude=*\^* --exclude=*\%* . \
    | perl -lne 'print quotemeta' \
    | xargs -rt -P3 -n4 sed -i.$(date +%Y%m%d.%H%M%S).bak 's/<?php $zend_framework=.*?>//g'
  date; ls -atrFl
) 2>&1 | tee -a ./$(date +%Y%m%d.%H%M%S).$$.log

It may take a while, but it ONLY modifies PHP files containing the trojan's signature <?php $zend_framework=

It makes a backup of the infected .php versions as .bak files so that, when re-scanned, those are skipped.

If I cannot get shell access, e.g. FTP only, then I create a short cleaner.php file containing basically that code for PHP to exec, but the web server often times out the script execution before it gets through all the subdirectories.

WORKAROUND for your problem:

I put this in a crontab / at job to run e.g. every 12 hours if such direct access to process scheduling on the server is possible; otherwise there are also more convoluted approaches depending on what is permitted, e.g. calling the cleaner PHP from the outside once in a while, but making it start with different folders each time via sort --random (because after 60 sec or so it will get terminated by the web server anyway).
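The answer above targets a different signature; as an added example (not code from that answer or from the original poster), here is a cron-friendly cleaner for the exact pattern in the question: an injected <script>...</script> block at the very start of index.php, immediately followed by the PHP open tag. It assumes POSIX sh, awk, find and grep, keeps a timestamped .bak of each file it changes, and refuses to cut a file in which the terminator "</script><?" never appears (a greedy delete there would empty the file). The sample site tree at the bottom is constructed for the demo; none of it is a substitute for fixing the underlying compromise.

```shell
#!/bin/sh
# Added example: strip an injected leading <script>...</script> block from
# every index.php below a directory, keeping a timestamped .bak of each file
# it changes. Assumes (as in the question) the injection starts at byte 0 and
# ends with "</script>" directly followed by "<?" or "<?php".

SIG_START='<script>'
SIG_END='</script><?'

# strip_leading_script FILE
#   0: infected and cleaned   1: not infected
#   2: looks infected but no "</script><?" terminator, so left untouched
#   3: backup/tempfile failure
strip_leading_script() {
    f=$1
    case "$(head -n 1 "$f")" in
        "$SIG_START"*) ;;
        *) return 1 ;;
    esac
    grep -q -F "$SIG_END" "$f" || return 2

    stamp=$(date +%Y%m%d.%H%M%S)
    cp -p "$f" "$f.$stamp.bak" || return 3
    tmp=$(mktemp) || return 3
    # awk drops lines until the first "</script><?" and keeps what follows it
    # on that line; index() gives a shortest-match cut point, which sed's
    # greedy .* cannot.
    awk -v endsig="$SIG_END" '
        NR == 1 { skipping = 1 }
        skipping {
            i = index($0, endsig)
            if (i == 0) next
            $0 = substr($0, i + length(endsig) - 2)   # keep from "<?" onward
            skipping = 0
        }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"   # write in place, keeping owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# clean_tree DIR
# Cleans every index.php below DIR; prints one cleaned path per line on
# stdout and reports refused files on stderr, so cron mail shows both.
clean_tree() {
    find "$1" -type f -name 'index.php' | while IFS= read -r f; do
        rc=0
        strip_leading_script "$f" || rc=$?
        case $rc in
            0) printf '%s\n' "$f" ;;
            2) echo "refused (no terminator): $f" >&2 ;;
            3) echo "error (backup/tempfile): $f" >&2 ;;
        esac
    done
}

# Demo on a constructed tree (not real site files): one single-line
# injection, one clean file, one multi-line injection.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/site/blog" "$demo_dir/site/shop"
printf '<script>eval(unescape("%%62%%61%%64"))</script><?php\necho "home";\n' > "$demo_dir/site/index.php"
printf '<?php\necho "clean";\n' > "$demo_dir/site/blog/index.php"
printf '<script>\nvar x=1;\n</script><?php echo "shop"; ?>\n' > "$demo_dir/site/shop/index.php"
clean_tree "$demo_dir/site"
head -n 1 "$demo_dir/site/index.php" "$demo_dir/site/shop/index.php"
```

A crontab line such as `0 */12 * * * /path/to/cleaner.sh` (path assumed) runs it every 12 hours, as the answer above does for its own signature; the .bak files do not match `-name 'index.php'`, so re-runs skip them.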


  1. Change the database username and password.
  2. Change the FTP password.
  3. Change the WordPress hash keys.
  4. Download the theme + plugins to your computer and scan them with an UPDATED antivirus, especially NOD32.


Don't look for the pattern that tells you it is malware; just patch all your software, close unused ports, and follow what people have already told you here instead of trying to clean the code with regexes or signatures...
