
PHP regex to fix hacked Wordpress site

I have a client that has multiple Wordpress installations, which he didn't keep up to date. As a result, he got hacked. While I try to find how the hackers got in, and fix the problem permanently, I'm trying to create a script to fix them quickly, automatically.

I found this script, which does what I want: http://designpx.com/tutorials/wordpress-security/

It automatically removes the <?php eval(base64_decode("aWY..."); ?> from every php file, but the regex it's using to do this, removes also <?php get_header(); ?> if it follows the malicious code.

So, what I want is to change it, so it only removes the malicious code, but not the first line of php code as well. Here's the part of the script that does the replacing:

find $dir -name "*.php" -type f \
|xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1

What would I have to change, so it stops at the first ?>, and not at the second?

Note: I know this is a quick, temporary fix, but it will do until the client makes up his mind about which sites he wants to fix, and which to erase.

coopersita asked Dec 07 '25 09:12


1 Answers

  1. Backup database and themes.
  2. Remove WordPress.
  3. Remove any suspicious files.
  4. Install newest WordPress.
  5. Keep new WordPress files write protected
  6. Slap so-called "administrator" for not updating on time.
  7. Profit.

No need for some crazy scripts and whatnot. Hacks on PHP cannot work unless the file is infected. Removing it solved the problem.

And yes, it's possible to do even if you have multiple wordpress installations on the same server (WHY?!).

Madara's Ghost answered Dec 08 '25 21:12
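On the regex asked about in the question: sed has no lazy quantifier, so `.*?>` runs to the last `?>` on the line. The sketch below is an added example, not code from the linked script or from either poster; it bounds the match with `[^?]*` and keeps an untouched copy of each file outside the web root before rewriting it. It assumes the injected block sits on a single line as in the question; the function names, the backup directory argument and the sample payload are constructed for illustration.

```shell
#!/bin/sh
# Added example. In sed's basic regex '?' is a literal character, so
# "[^?]*?>" consumes anything that is not '?' and stops at the FIRST "?>".
# Base64 text and the closing '"));' never contain a '?'.
PATTERN='<?php /\*\*/ eval(base64_decode("aWY[^?]*?>'

# Read-only check: list PHP files under $1 that carry the injected marker.
list_infected() {
    find "$1" -name '*.php' -type f -exec grep -lF 'eval(base64_decode("aWY' {} +
}

# Copy each infected file to backup dir $2 (outside the web root, so the copy
# can never be served), then strip only the injected block from the original.
clean_injected() {
    list_infected "$1" | while IFS= read -r f; do
        mkdir -p "$2/$(dirname "$f")"
        cp -p "$f" "$2/$f"
        sed "s#$PATTERN##g" "$2/$f" > "$f"
        echo "cleaned: $f (original kept in $2)"
    done
}

# Demo on a constructed sample; the base64 string decodes to "if(CONSTRUCTED)".
demo() {
    d=$(mktemp -d)
    mkdir "$d/site"
    printf '%s\n' \
      '<?php /**/ eval(base64_decode("aWYoQ09OU1RSVUNURUQp")); ?><?php get_header(); ?>' \
      > "$d/site/index.php"
    clean_injected "$d/site" "$d/backup"
    cat "$d/site/index.php"
    rm -rf "$d"
}
demo
```

The preserved originals are also the evidence for working out how the files were modified, and a file that `list_infected` still reports after cleaning has the payload in a different shape (for example split across lines) and needs manual review.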


