I'll confess. I am not a BASH scripter although I am trying to learn in my "spare time." LOL. All of our servers got hit with the vulnerability. It was responded to as soon as Parallels sent the vulnerability email but it was too late.
I have determined the code that is attached at the bottom is the beginning of the hacked malware page as:
I know that it is possible to grep for the string starting in /var/www/vhosts/ but what would a search and replace look like to scan all sites on the server, if found delete the line, and then move on to the next site?
This would be a wonderful tool that I am sure others may use. We've had everyone change their passwords long ago but the damage is still in place. It didn't help that Parallels didn't fix it the first time.
Please -- a scriptlet would be most appreciated