LinuxQuestions.org
Old 04-26-2012, 06:32 PM   #1
iacchi
LQ Newbie
 
Registered: Oct 2011
Location: Uppsala, SE
Distribution: Debian testing
Posts: 20

Rep: Reputation: Disabled
Bash script to remove string from all text files, recursively


Hi,
sorry for bothering, I've tried to search on the forum and with Google but I haven't found anything useful; I believe it's just me that can't put 2 and 2 together.
Long story short: someone hacked my hosting space and added this code: http://pastebin.com/wqrLXUG4 in the first line of all text files (i.e. .php and not only), and I'm trying to find a way to remove it with a bash script without having to manually check every single file in my web space.
What I'd like to achieve is to run this script in the root folder of my account and make it delete this code from all text files in all the various folders and subfolders.
Unfortunately, that code is not the only thing in the first line, since it's simply appended before the text of the actual first line of the file, so I can't just remove the first line from every text file, otherwise I'll delete the good code in the first line of the file, too.

I've never really understood the syntax for regexps and I have little to no knowledge of bash scripting, so I really need help with this, thanks.

Last edited by iacchi; 04-26-2012 at 06:33 PM.
 
Old 04-26-2012, 08:05 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Code:
find .  -type f -exec sed -i '1s#PATTERN##' "{}" \;
It would be better to replace the files from local copies. Also, determine how you are vulnerable. Permissions, remote file inclusion, configuration errors, etc.

A post at the top of the LQ Security forum has a link to a checklist you should read, about how to proceed investigating the breach, and securing your site.

Last edited by jschiwal; 04-27-2012 at 12:30 AM. Reason: matched single and double quotes.
 
Old 04-27-2012, 12:17 AM   #3
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 10,005

Rep: Reputation: 3191
If you wish to just delete the line your sed could also be:
Code:
sed -i '1/PATTERN/d'
 
Old 04-27-2012, 12:27 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Quote:
Originally Posted by grail View Post
If you wish to just delete the line your sed could also be:
Code:
sed -i '1/PATTERN/d'
Maybe you meant
sed -i '/pattern/d'
or
sed -i '1d'
But that would delete the entire line when the URL was prepended to an existing line.
 
Old 04-27-2012, 01:19 AM   #5
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 10,005

Rep: Reputation: 3191
oops ... my bad .. I simply thought the 2 might go together, i.e. only look at the first line and delete if it matches the pattern. My thinking was, as opposed to your second suggestion which might remove the first line from an unaffected file, to combine the two and delete ... obviously (now that I tested it) that does not work

Sorry OP ... ignore me ... the missus does when I am daft
 
Old 04-27-2012, 03:28 AM   #6
iacchi
LQ Newbie
 
Registered: Oct 2011
Location: Uppsala, SE
Distribution: Debian testing
Posts: 20

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jschiwal View Post
Code:
find .  -type f -exec sed -i '1s#PATTERN##' "{}" \;
mmm... I'm not sure I've understood this. I've replaced PATTERN with the code string, but I get an error, something like (it's in Italian, I'm translating):
sed: expression -e #1, char 7318: Previous regular expression not valid

which part of your code should I actually replace with the code string of the hack?

Quote:
Originally Posted by jschiwal View Post
It would be better to replace the files from local copies. Also, determine how you are vulnerable. Permissions, remote file inclusion, configuration errors, etc.

A post at the top of the LQ Security forum has a link to a checklist you should read, about how to proceed investigating the breach, and securing your site.
I know, and I'll surely investigate and probably replace the files, but until I find the time, I think this can be a good solution. Delete that code everywhere, and then make a search everywhere with grep or find to see if something has been left behind.

For the others: thanks, but as I said I can't just delete the first line entirely.
 
Old 04-27-2012, 04:09 AM   #7
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Could you post sample text in [code] blocks and disable URL parsing in the options? The & symbol for instance is a meta-character which needs to be escaped.

Copy one of the files and test your sed command on it before using it on the server.
Because URLs contain slashes, I used hashes instead. Nearly any pair of characters will work. If the URL contains a hash, escape it or use something else.
 
Old 04-27-2012, 04:51 AM   #8
iacchi
LQ Newbie
 
Registered: Oct 2011
Location: Uppsala, SE
Distribution: Debian testing
Posts: 20

Original Poster
Rep: Reputation: Disabled
I'd rather not put the sample on the forum, basically because it's very long and I don't want to mess up the thread. Anyway, you can find an example of a hacked file here: http://pastebin.com/uV6JXNVb
There are no hashes or ampersands in the hack code.

Just to be more clear, what I've done is to replace your PATTERN (not the hashes, too, just PATTERN) with everything between the first <?php ?> tags, tags included.
 
Old 04-27-2012, 05:04 AM   #9
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 10,005

Rep: Reputation: 3191
Quote:
For the others: thanks, but as I said I can't just delete the first line entirely.
hmmm ... obviously something else I missed

Looking at the example, how about:
Code:
sed -i '1s/<[^>]*>//' file
 
Old 04-27-2012, 05:22 AM   #10
iacchi
LQ Newbie
 
Registered: Oct 2011
Location: Uppsala, SE
Distribution: Debian testing
Posts: 20

Original Poster
Rep: Reputation: Disabled
grail: it looks like it's working, thanks!
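
Added example, not part of the original thread: `1s/<[^>]*>//` removes the first `<...>` span on line 1 of every file it is run on, including files that were never modified, and pasting the injected string into sed as a regex is what produced the error in post #6. The sketch below instead compares raw bytes, so only files that start with the exact injected string are changed and the originals are kept for the investigation. The function name `strip_prefix`, the variable `STRIP_PREFIX_MATCHED` and the prefix-file and backup-directory arguments are assumptions made for this example.

```bash
# Added example: byte-exact removal of a known prefix; no regex involved.
# Usage: strip_prefix ROOT PREFIX_FILE [BACKUP_DIR]
#   PREFIX_FILE : the injected bytes, saved exactly (no trailing newline)
#   BACKUP_DIR  : if given, originals are copied there and files are cleaned;
#                 if omitted, matching files are only listed (dry run).
# Keep PREFIX_FILE and BACKUP_DIR outside ROOT.
strip_prefix() {
    root=$1 prefix_file=$2 backup_dir=${3:-}
    n=$(wc -c < "$prefix_file") || return 2
    [ "$n" -gt 0 ] || { echo "prefix file is empty" >&2; return 2; }
    list=$(mktemp) || return 2
    # File names containing newlines are not supported by this loop.
    find "$root" -type f > "$list"
    STRIP_PREFIX_MATCHED=0
    while IFS= read -r f; do
        # Only touch files whose first n bytes are exactly the prefix.
        head -c "$n" "$f" | cmp -s - "$prefix_file" || continue
        STRIP_PREFIX_MATCHED=$((STRIP_PREFIX_MATCHED + 1))
        if [ -z "$backup_dir" ]; then
            echo "would clean: $f"
            continue
        fi
        # Keep the infected original outside the web root, then drop the
        # first n bytes; writing into the existing file keeps its mode.
        mkdir -p "$backup_dir/$(dirname "$f")" &&
            cp -p "$f" "$backup_dir/$f" &&
            tail -c +"$((n + 1))" "$backup_dir/$f" > "$f" &&
            echo "cleaned: $f"
    done < "$list"
    rm -f "$list"
}
```

Run it once without a backup directory to review the list of matches, then again with one; a follow-up `grep -rlF` for a short fixed substring of the injected code shows whether any variant was left behind.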
 
  

