The two most common PHP injections you will find in most CMS like WordPress are:
Thankfully ClamAV can pick these up without issue but a lot of times they are legitimate files that have been injected so you cannot just remove them.
Thankfully again, the injections are lazy and simply get placed on the first line of the PHP script however, on that same line is the opening PHP tag for the actual script so doing a find and remove all for the first line will break your install.
Using the following command will search ALL PHP scripts for the injection and output the path+filename to a file named ‘infected’.
# for i in USER ; do cd /home*/$i/public_html/ ; find /home*/$i/public_html/ -type f -iname '*.php' | xargs grep -l 'sF=\|qV=' >> infected ; done
*Replace the 4th word USER with the actual cPanel username.
Once done, I normally go through some of the infected files to ensure they are indeed infected, then run the following:
# for i in `cat infected` ; do sed -i 1d $i ; done
This first line will go ahead and remove the first line of all the injected files, however this will also remove the opening PHP tag so to put that back in order to not break the script(s) we now run:
# for i in `cat infected` ; do sed -i -e '1i\<?php\' $i ; done
And you are back in business.
Please note, this in no way ensures that your CMS is now cleaned and it in no way prevents the intruder from getting right back in, you should also do a clean install of WP, reinstall plugins, themes, etc. We have an article written below to guide you on how to do that.