For my particular case, the hack was appending a simple line to all PHP files.
Since the pattern was easy to recognize and sniff (and unique enough that I was able to zap it without doing damage to my other files), I used find and sed to delete that line from all files
find . -name "*.php" -type f -exec sed -i '/eval(base64_decode(/d' {} \;
PLEASE BACK UP YOUR FILES before you use this command, it WILL modify all your PHP files.
In some cases like mine, where the sites I’m cleaning could have been recreated without too much hassle, and the db is backed up elsewhere, this method may be useful to others, so I’m dropping it in here.
