I generally see these FTP inserts through a client-side password stealer. First, find out where it is coming from (kindly ask your user to use SCP / SFTP in the future as well).
Now on to the cleaning, and hopefully my own domain doesn’t get picked up as unsafe by Google.
Here is my example from previous work on the example issue:
Example showing exactly what is happening:
grep 4d9f97 index.htm
VIRUS GOES HERE
1) Back up the file
cp index.htm index.htm.old
2) Run the script
sed -i ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' index.htm
diff index.htm index.htm.old
Covers HTML comments and PHP/JS comments, removing the text in between.
* Always back up first; I’ve only tested this a few times.
* Normal IFS does not handle files with spaces in them, so the directory loop below splits such names into separate words.
* Change 4d9f97 to whatever marker your injected comments use.
Full example on an entire directory:
tar -zcf public_html.tgz public_html
for i in $(grep -lri 4d9f97 .); do sed -i ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' "$i"; done
Credit to InterServer sysadmin Detain for the sed work.
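The sed expression reads the whole file into the pattern space and uses a greedy .*, so a file carrying two injected blocks also loses the legitimate markup between them. The Python below is an added example, not part of the original post or Detain's work: it removes each block separately, defaults to a dry run, and walks a directory without the IFS problem. The function names, the SAMPLE text, and the pairing of each opening marker with a closing marker of the same comment style are assumptions.

```python
import re
import shutil
from pathlib import Path

# Comment styles the sed expression covers: /*..*/, #..#, <!--..-->
STYLES = [(r"/\*", r"\*/"), ("#", "#"), ("<!--", "-->")]

def block_regex(tag, greedy=False):
    """One alternative per style: open marker, payload, matching close marker."""
    t = re.escape(tag)
    body = ".*" if greedy else ".*?"  # ".*" is greedy, like the sed expression
    parts = [f"{o}{t}{c}{body}{o}/{t}{c}" for o, c in STYLES]
    return re.compile("|".join(parts), re.DOTALL)

def strip_blocks(text, tag, greedy=False):
    """Return (cleaned_text, number_of_blocks_removed)."""
    return block_regex(tag, greedy).subn(" ", text)

def clean_file(path, tag, dry_run=True):
    """Count injected blocks; when dry_run is False, save FILE.old then clean."""
    path = Path(path)
    # latin-1 maps bytes 1:1, so untouched content is written back unchanged
    text = path.read_bytes().decode("latin-1")
    cleaned, count = strip_blocks(text, tag)
    if count and not dry_run:
        shutil.copy2(path, path.with_name(path.name + ".old"))
        path.write_bytes(cleaned.encode("latin-1"))
    return count

def clean_tree(root, tag, dry_run=True):
    """Walk root with pathlib, so file names containing spaces are handled."""
    hits = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.name.endswith(".old"):
            n = clean_file(p, tag, dry_run)
            if n:
                hits[str(p)] = n
    return hits

# Constructed sample: two injected blocks with legitimate markup between them
SAMPLE = (
    "<html><head>\n"
    "<!--4d9f97-->INJECTED-1<!--/4d9f97-->\n"
    "<title>Legit title</title></head>\n"
    "<body><p>Real content</p>\n"
    "<!--4d9f97-->\nINJECTED-2\n<!--/4d9f97-->\n"
    "</body></html>\n"
)
```

Call clean_tree("public_html", "4d9f97") first to list affected files and block counts, then repeat with dry_run=False once the list looks right.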