On Thursday 04 December 2008 13:58:20 Julien Cigar wrote:
> the following should work :
> $ find /home/horbury -type f -print0 | xargs -0 grep 'base64_decode'
>  or :
> $ find /home/horbury -type f -exec grep 'base64_decode' {} \;

+ not \; or you will fork on every result.

Additionally, is this injected code one long string or broken down by the 
mailer? Grep isn't the best way to deal with it. It's pretty easy to correct 
with perl, bit trickier if it's multiline, still not too hard:

find /home/horbury -type f -exec \
	perl -pi.bak -e 's,<\?/\*\*/eval\(base64_decode\(.*?\?>,,s' {} +

The originals will end up as filename.php.bak.

