rofenstein

I’ve been struggling with this one too, but might(!) have solved it.

Couple of days ago this popped up on my custom coded php website. I’m running on a windows server and integrated into my site are 2 copies of wordpress and 1 copy of phpBB. The only WordPress plugin running was akismet.

It seems to mainly infect files (see code in post above) with the prefix index, regardless of the extension. However, it did appear in login.php of phpbb.

Initially I thought this was an injection attack. So I removed all the hacked code from the infected files and upgraded to latest version of wordpress and phpBB.

We also have a custom form that uses a formmail script. I tightened up the validation on all the fields, and restricted the entry for fields to no more that 35 characters.

I thought this has solved it, until the next morning when it reappeared!

I then upgraded the formmail script, deleted any old files via FTP, changed ftp passwords and removed any other FTP users.

I also ran a spyware scanner on our server… Which is the key bit…
It picked up 2 trojans one of them being ‘advanced xp defender’.

So far (fingers crossed) we haven’t been re-infected.

I suggest that if you are having this problem that you:

• Remove all malicious code from infected files
• Upgrade to the latest version of wordpress/ other open source apps
• Change FTP passwords
• Upgrade plugins
• Disable plugins that use forms on the front end
• Delete any old files on your server
• Ensure any custom forms use validation and the latest scripts
• Get your host to perform a virus/spyware scan on their server

The spyware app I used was Spyware doctor from PCtools.

Hope this helps.