Search for index.php and index.html and replace string

one easy way to do this is by using find and grep, plus perl to do the edits.

first, construct a list of filenames that have been compromised:

# the \( \) grouping makes -print0 apply to both -name tests, not just the last one
find /path/to/web/site \( -name 'index.htm*' -o -name 'index.php' \) -print0 | \
  xargs -0 grep -l 'iframe src.*fabujob\.com' > /tmp/compromised-files.txt

next, use perl to edit the files and remove the exploit:

cat /tmp/compromised-files.txt | \
  xargs -d '\n' perl -n -i.BAK -e 'print unless m/fabujob\.com/i' 

(yes, for the UUOC pedants out there, that is a Useless Use of Cat, but it makes the example easier to read and understand)

that will delete every line containing the string "fabujob.com" from each of the compromised files. It will also keep a backup of each file as filename.BAK so you can easily restore them if something goes wrong. you should delete them when you no longer need them.

this perl script is based on the sample you gave which appears to indicate that the attack added an entire line containing the exploit, so this script prints every line EXCEPT those containing the exploit's URL. if that's not actually the case, then you'll have to come up with a more appropriate script :)

this is a generic technique that you can use to make any automated edits to a batch of files. you can use any perl code to do the job, and perl has a huge swag of text manipulation capabilities.

BTW, when doing this kind of work, ALWAYS make a copy of the entire directory tree involved and work on that first. that way it doesn't matter if you screw up the perl editing script...just rsync the original back over the working dir. once you've got the script exactly right, you can then run it on the real files.