@myself379
Created November 27, 2018 03:21
Hardening FTP is somehow difficult: FileZilla FTP Server is not hardened well enough and is prone to bots injecting Photo.scr for bitcoin mining. This is the way to remove the iframe code.
<?php
/**
 * Run it as root/administrator: php cleanPhotoscrMalware.php
 * Cleans the iframe injected by the stupid Photo.scr miner from every *.php file
 * under the current directory. For it to work, note that the pattern expects a
 * line break between the two tags (CRLF as injected; a bare LF is accepted too).
 *
 * The real infectious code looks like this:
 *
 * <iframe src=Photo.scr width=1 height=1 frameborder=0>
 * </iframe>
 *
 * It would be best to turn off the FTP server; even with password protection it does not seem hardened.
 */

// The dot and the slash are escaped so only the literal injected markup matches.
$pattern = '/<iframe src=Photo\.scr width=1 height=1 frameborder=0>\r?\n<\/iframe>/';

foreach (rglob("*.php") as $virusFile) {
    $withVirus = file_get_contents($virusFile);
    if ($withVirus === false) {
        continue; // unreadable file, leave it alone
    }
    $withoutVirus = preg_replace($pattern, '', $withVirus);
    // Rewrite only files that actually changed (preg_replace returns null on error).
    if ($withoutVirus !== null && $withoutVirus !== $withVirus) {
        file_put_contents($virusFile, $withoutVirus);
    }
}

// Recursive glob, forked from
// https://github.com/rodurma/PHP-Functions/blob/master/glob_recursive.php
function rglob($pattern, $flags = 0)
{
    // glob() returns false on error, so fall back to an empty list.
    $files = glob($pattern, $flags) ?: [];
    $dirs = glob(dirname($pattern) . '/*', GLOB_ONLYDIR | GLOB_NOSORT) ?: [];
    foreach ($dirs as $dir) {
        $files = array_merge($files, rglob($dir . '/' . basename($pattern), $flags));
    }
    return $files;
}
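A read-only audit pass to run before the cleaner above, as an added example that is not part of the original gist: it lists the files that contain the injected iframe and any Photo.scr files in the tree, and changes nothing. The function name `auditTree`, the extension list, the case-insensitive matching and the exit-code convention are assumptions of this example.

```php
<?php
// Added example, not the gist author's code. Deliberately looser than the cleaner's
// pattern (any whitespace between the tags, case-insensitive) because it only reports.
const IFRAME_RE = '/<iframe src=Photo\.scr width=1 height=1 frameborder=0>\s*<\/iframe>/i';

/**
 * Walk $root and return the files containing the injected iframe (path => hit count)
 * and the paths of any Photo.scr files. Nothing on disk is modified.
 * The default extension list is an assumption; the gist itself only scans *.php.
 */
function auditTree(string $root, array $extensions = ['php', 'html', 'htm']): array
{
    $infected = [];
    $payloads = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        if (strcasecmp($file->getFilename(), 'Photo.scr') === 0) {
            $payloads[] = $file->getPathname();
            continue;
        }
        if (!in_array(strtolower($file->getExtension()), $extensions, true)) {
            continue;
        }
        $body = @file_get_contents($file->getPathname());
        if ($body === false) {
            continue; // unreadable file: skip rather than abort the scan
        }
        $hits = preg_match_all(IFRAME_RE, $body);
        if ($hits > 0) {
            $infected[$file->getPathname()] = $hits;
        }
    }
    return ['infected' => $infected, 'payloads' => $payloads];
}

$report = auditTree($argv[1] ?? '.');
foreach ($report['infected'] as $path => $hits) {
    echo "INFECTED\t$hits\t$path\n";
}
foreach ($report['payloads'] as $path) {
    echo "PAYLOAD\t$path\n";
}
exit(($report['infected'] || $report['payloads']) ? 1 : 0); // non-zero when anything was found
```

Running it again after the cleaner shows whether any injected tags were missed, for example because they use a different line ending or sit in a file type the cleaner does not cover.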