Btw, if anyone want to search their files for this infection, you can search for a number of things.
1. The eval(base64... statement.
Code:
find . -name "*" -exec grep "eval(base64_decode(" -l {} \;
2. The id of the divider surrounding the links, though this is likely to be changed periodically by the attacker.
Code:
find . -name "*" -exec grep "myDiv412" -l {} \;
3. dc.write statements responsible for hiding the dodgy links.
Code:
find . -name "*" -exec grep "dc\.write(" -l {} \;
4. Some of the text in the block of dodgy links, though when I tried this it didn't return all infected files because the links varied.
Code:
find . -name "*" -exec grep "mind in love saying" -l {} \;
Note: These commands will search recursively from the current directory in all files. It could take some time. You could change the command to search the public_html directory in all html files by changing the command to the following (using example 1):
Code:
find public_html -name "*.html" -exec grep "eval(base64_decode(" -l {} \;