I generally see these FTP inserts come through a client-side password stealer. First, find out where it is coming from (and kindly ask your user to use SCP/SFTP in the future as well).
Now on to the cleaning, and hopefully my own domain doesn’t get picked up as unsafe by Google.
Here is my example from previous work on the example issue:
example showing what exactly is happening:
1) Back up the file
    cp index.htm index.htm.old
2) Run the script
    sed -i ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' index.htm
Covers HTML comments and PHP/JS comments, removing the text in between.
* Always back up first, I’ve only tested this a few times.
* The default IFS does not handle file names with spaces in them.
* Change 4d9f97 to whatever your comments are.
Full example on an entire directory:
    cd /home/username
    tar -zcf public_html.tgz public_html
    cd public_html
    OIFS=$IFS
    # Split on newlines only, so file names with spaces stay in one piece
    IFS=$'\n'
    for i in $(grep -lri 4d9f97 .); do
        sed -i ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' "$i"
    done
    IFS=$OIFS
Credit to InterServer sysadmin Detain for the sed work.
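The `.*` in the sed expression above is greedy, so in a file with several injected blocks it also removes whatever sits between the first opening marker and the last closing marker. The following is an added example, not the original author's or Detain's code: a Python version that removes each block separately, writes a `.old` backup before touching a file, and lists files where a marker is left unpaired. The function names and the sample string are constructed for illustration, and it assumes each block opens and closes with the same comment style.

```python
import re
import shutil
from pathlib import Path

# Constructed sample: two injected blocks with legitimate markup between them.
SAMPLE = ("<html><!--4d9f97--><script>injected()</script><!--/4d9f97-->"
          "<p>real content</p>"
          "#4d9f97#\ninjected();\n#/4d9f97#</html>")

# (open, close) regex fragments for the three comment styles the sed covers.
STYLES = [(r"/\*", r"\*/"), ("#", "#"), ("<!--", "-->")]

def block_pattern(marker):
    """Match <open>MARKER<close> ... <open>/MARKER<close>, shortest span first."""
    m = re.escape(marker)
    alternatives = [f"{o}{m}{c}.*?{o}/{m}{c}" for o, c in STYLES]
    return re.compile("|".join(alternatives), re.DOTALL)

def clean_text(text, marker):
    """Return (cleaned_text, blocks_removed)."""
    return block_pattern(marker).subn("", text)

def clean_tree(root, marker, backup_suffix=".old"):
    """Clean files under root; return ({path: blocks_removed}, [leftover paths])."""
    cleaned, leftover = {}, []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name.endswith(backup_suffix):
            continue
        text = path.read_bytes().decode("latin-1")  # lossless for any byte values
        if marker not in text:
            continue
        new_text, count = clean_text(text, marker)
        if count:
            shutil.copy2(path, path.with_name(path.name + backup_suffix))  # backup first
            path.write_bytes(new_text.encode("latin-1"))
            cleaned[path] = count
        if marker in new_text:
            leftover.append(path)  # unpaired marker: inspect this file by hand
    return cleaned, leftover

if __name__ == "__main__":
    print(clean_text(SAMPLE, "4d9f97"))
```

Files returned in the leftover list still contain the marker after cleaning and need a manual look before the site is considered clean.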