I have been cleaning up a real bad mess on my server for the last week. After many days of removing and editing files that were injected added to the server I discovered all the htaccess files have been appended with the following:
ErrorDocument 404 whatever bad file.php
The whatever bad file above is the various location and file name for an infected file(s) we removed.
Since there are about 15,000 of these files infected and the whatever bad file is different for all of them, what is the best way to remove these lines from the htaccess files?
You can use grep to search and replace the files. Although, you might just be better off deleting all those .htaccess files.
grep -r -l 'Options -MultiViews' * | more
Will give you a list of the files. You can redirect this to a file or another command that will delete those files.
First, I would recommend that you determine how the compromise happened. Otherwise you might find that before you get all this cleaned up, you'll be re-infected with something else that might require even more work to clean.