Grepping for LizaMoon infected website files

The Liza Moon attack targets Microsoft SQL Server installations injecting javascript tags into website files. Although we are primarily using Unix/Linux servers I performed some scans using the following to check for lizamoon infection:

find . -type f -exec egrep “\<script src=http\:\/\/.*\/ur\.php” {} \;

On Windows Server I used Powershell and the following command:

Get-ChildItem * -Recurse | Select-String -Pattern ur.php