Fix for an iframe injection attack
More and more people, including some of my clients, are being attacked by various versions of iframe injection.
One of them involves injecting a PHP file onto the host. After that, by various means, code similar to the following is injected into all the .htaccess files:
    AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html
    php_value auto_prepend_file /path/xxxx_atacking_file_which_has_php_code
Now, to remove that code from each .htaccess file, use the following PHP code:
    <?php
    // Recursively walk $dir and strip the injected directives from every .htaccess file.
    function r_fix($dir = '.') {
        if ($handle = opendir($dir)) {
            while (false !== ($file = readdir($handle))) {
                if (is_dir("$dir/$file")) {
                    // Skip the current and parent directory entries, recurse into the rest
                    if ($file != '.' && $file != '..') {
                        r_fix("$dir/$file");
                    }
                } elseif ($file == '.htaccess') {
                    $path = $dir . '/' . $file;
                    $contents = file_get_contents($path);
                    // Only rewrite files that reference the injected PHP file
                    if (strpos($contents, 'xxxx_atacking_file_which_has_php_code') !== false) {
                        $contents = str_replace('AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html', '', $contents);
                        $contents = str_replace('php_value auto_prepend_file /path/xxxx_atacking_file_which_has_php_code', '', $contents);
                        // Print the path of each cleaned file as it is processed
                        echo $path . "\n";
                        flush();
                        file_put_contents($path, $contents);
                    }
                }
            }
            closedir($handle);
        }
    }

    r_fix();
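
The cleanup above only matches one known file name. As an added example (not the original author's code), the read-only audit below matches the directives themselves and reports the auto_prepend_file target; the function name audit_htaccess and the sample tree are constructed for illustration.

```php
<?php
// Added example, not the original author's code: read-only audit of .htaccess files.
function audit_htaccess(string $root): array {
    $patterns = [
        // php_value / php_admin_value auto_prepend_file or auto_append_file (captures the target)
        'prepend' => '/^\s*php_(?:admin_)?value\s+auto_(?:prepend|append)_file\s+(\S+)/i',
        // AddType / AddHandler mapping .htm or .html to a PHP handler
        'handler' => '/^\s*Add(?:Type|Handler)\s+\S*php\S*\s+.*\.html?\b/i',
    ];
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || $file->getFilename() !== '.htaccess') {
            continue;
        }
        $lines = file($file->getPathname(), FILE_IGNORE_NEW_LINES) ?: [];
        foreach ($lines as $n => $line) {
            foreach ($patterns as $kind => $re) {
                if (preg_match($re, $line, $m)) {
                    $findings[] = ['file' => $file->getPathname(), 'line' => $n + 1,
                                   'kind' => $kind, 'target' => $m[1] ?? null];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample tree: one injected .htaccess (placeholder path from the post), one clean.
$root = sys_get_temp_dir() . '/htaccess_audit_' . getmypid();
mkdir("$root/site/sub", 0700, true);
file_put_contents("$root/site/.htaccess",
    "AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html\n" .
    "php_value auto_prepend_file /path/xxxx_atacking_file_which_has_php_code\n");
file_put_contents("$root/site/sub/.htaccess", "Options -Indexes\n");

foreach (audit_htaccess($root) as $f) {
    printf("%s:%d [%s] %s\n", $f['file'], $f['line'], $f['kind'], $f['target'] ?? '-');
}

// Remove the constructed sample tree
unlink("$root/site/sub/.htaccess"); unlink("$root/site/.htaccess");
rmdir("$root/site/sub"); rmdir("$root/site"); rmdir($root);
```

Point audit_htaccess() at the web root instead of the sample tree; the target of a "prepend" finding is the injected PHP file, which has to be inspected and deleted as well as the directive that loads it.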