Hackers hit my Dreamhost recently and infected over 80,000 files on my sites alone. I was able to manually remove a lot of the infected files on my own, but called in the big guns when I began to realize the scope of the attack. The inimitable Corwin Brust came over and pounded out some code (not completely on his own, I distinctly remember removing a backslash when the program refused to run) that automated the process. The sites are clean now—even rooted out a completely different hack on an old site! Passwords changed, apps updated…phew. Long evening.
Have attached the two programs we wrote to root out this particular problem. If you’re on Dreamhost and have any php files, you’ve probably been hit. Take a look at your php in a text program and if you see a big block of base64 encrypted code, run the two progs from the root directory. The first prog makes a backup then removes the code. Once you’ve ensured that your site is functioning normally, run the second one and it will remove the backups with the infected code on them.
The code: dehackify.zip