It's an XSS exploit. It's simple to fix, so don't panic.
If you have access to your .htaccess file add the following to prevent it happening:
Code:
# Return 403 Forbidden when the query string contains base64_encode(...)
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC]
RewriteRule ^(.*)$ ? [F,L]
If you have SSH you can hunt down modified files by:
Code:
grep -r "eval(base64_decode" *
I don't think I should post the infection PHP code here (obviously), but it will appear at the top of all the modified files; you will know it when you see it. Something like this:
PHP Code:
eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZGVyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107DQblahblahblahblahblahblah etc et etc etc"));
I'd also update to the latest version of PHP on your server(s) if you haven't already. Hope this helps.
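An added example, not part of the original post: a Python scanner that goes one step past the grep above by reporting the line of each injected `eval(base64_decode("..."))` call and decoding the start of its payload for review, without ever executing it. The names `scan_file`, `scan_tree` and `demo`, the file extensions, and the sample files are assumptions made for illustration; the sample payload is constructed.

```python
import base64, binascii, os, re, tempfile

# eval(base64_decode("...")) with a literal string, any spacing, either quote style
INJECT_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE)

def scan_file(path, preview=80):
    """Return [(line_no, decoded_preview)] for each injected call found in path."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for m in INJECT_RE.finditer(data):
        line_no = data.count(b"\n", 0, m.start()) + 1
        try:
            decoded = base64.b64decode(m.group(2))  # decoded for triage only
        except (binascii.Error, ValueError):
            decoded = b"<payload is not valid base64>"
        hits.append((line_no, decoded[:preview].decode("latin-1")))
    return hits

def scan_tree(root, exts=(".php", ".inc", ".phtml")):
    """Walk root and map every file with at least one hit to its list of hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    report[path] = hits
    return report

def demo():
    """Scan a constructed two-file tree: one clean file, one with a harmless sample payload."""
    payload = base64.b64encode(b"error_reporting(0);").decode()
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.php"), "w") as fh:
            fh.write("<?php\necho 'hello';\n")
        with open(os.path.join(root, "infected.php"), "w") as fh:
            fh.write('<?php\neval(base64_decode("%s"));\necho 1;\n' % payload)
        return {os.path.relpath(p, root): h for p, h in scan_tree(root).items()}

if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, text in hits:
            print(f"{path}:{line_no}: {text!r}")
```

The pattern only matches a literal string argument, so calls that pass a variable to `base64_decode` are not reported and still need a manual look.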
