Website HACKED - help!


WeWatch - 1:01 pm on Dec 15, 2009 (gmt 0)


You have a number of good answers here.

First, your site was probably "hacked" originally by using a valid FTP username and password. This was stolen from a PC with FTP access to your website. The virus works in a variety of ways.

First, it knows where many FTP programs store their usernames and passwords (login credentials). When the virus infects a PC that's the first thing it looks for. Many of them store the login credentials in plain text in a file. This scenario is detectable by looking at the FTP logs. There will be strange IP addresses using valid login credentials and uploading the files you find infected.

The virus steals the login credentials and sends them to a server which carries out the infection of websites.

Second, the virus is also sometimes a keyboard logger. It waits until you type in the login credentials after executing your FTP program, records the details, sends them to a server and blah, blah, blah... This will also show evidence in the FTP log files from strange IP addresses.

Third, the virus also "sniffs" the FTP traffic leaving the infected PC. Since FTP transmits all data, including login credentials, in plain text, it's easy for it to see the details, steal them and, well you get the picture. Again, evidence in the log files.

The other way we've seen is that the virus will inject the malscript into the outgoing FTP data stream as it's leaving the infected PC. So the file on the PC looks fine. By the time it's received at the webserver, it's infected. No apparent evidence in the log files as the traffic is generated from a valid PC.

The redirects you're getting are more than likely from an infected/modified .htaccess file. These .htaccess files work in a top-level way. So look at all .htaccess files on your website.

You might see something like:

RewriteCond %{HTTP_REFERER} .google. [OR]
RewriteCond %{HTTP_REFERER} .ask. [OR]
RewriteCond %{HTTP_REFERER} .yahoo. [OR]
RewriteCond %{HTTP_REFERER} .excite. [OR]
RewriteCond %{HTTP_REFERER} .altavista. [OR]
RewriteCond %{HTTP_REFERER} .msn. [OR]
RewriteCond %{HTTP_REFERER} .netscape. [OR]
RewriteCond %{HTTP_REFERER} .aol. [OR]
RewriteCond %{HTTP_REFERER} .hotbot. [OR]
RewriteCond %{HTTP_REFERER} .goto. [OR]
RewriteCond %{HTTP_REFERER} .infoseek. [OR]
RewriteCond %{HTTP_REFERER} .mamma. [OR]
RewriteCond %{HTTP_REFERER} .alltheweb. [OR]
RewriteCond %{HTTP_REFERER} .lycos. [OR]
RewriteCond %{HTTP_REFERER} .search. [OR]
RewriteCond %{HTTP_REFERER} .metacrawler. [OR]
RewriteCond %{HTTP_REFERER} .bing. [OR]
RewriteCond %{HTTP_REFERER} .yandex. [OR]
RewriteCond %{HTTP_REFERER} .rambler. [OR]
RewriteCond %{HTTP_REFERER} .mail. [OR]
RewriteCond %{HTTP_REFERER} .dogpile.
RewriteRule ^(.*)$ [URL...] of infectious website goes here/ [R=301,L]

Also, check all of your error pages. When the .htaccess file is corrupted, we usually find that the error pages (404.html, pagenotfound.html, etc.) are also infected and redirecting error pages to malicious sites. Determine how your site handles 404s and check all the webpages associated with that.

Download grepWin, if you're a Windows user, and if you have all your website files on your PC you can quickly find other infected files.

Check for the gibberish you found in that php file. It probably has this string in it:

eval(base64_decode

The hackers have also started obfuscating the php malscripts so search for:

strrev("edoced_46esab") as well. (This just does a string reverse on the code in quotes, which is the same as the previous line.)
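As an added example (not from the thread or its author), here is a small Python scanner that applies the indicators from this post to a local copy of the site files, the way grepWin would be used: the eval(base64_decode string, the strrev("edoced_46esab") variant, and a RewriteRule behind an HTTP_REFERER condition that redirects visitors off-site. The site hostname argument and the sample file contents are constructed for the demonstration.

```python
import re

# Indicators quoted in the post: eval(base64_decode and the strrev()-obfuscated
# form. Whitespace and quote style are tolerated so a re-spaced copy still matches.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode", re.I)
STRREV = re.compile(r"strrev\s*\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
# A referer-conditioned redirect: RewriteCond on HTTP_REFERER plus a RewriteRule
# carrying an R flag that sends the visitor to an absolute URL.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)
REDIRECT_RULE = re.compile(
    r"^\s*RewriteRule\s+\S+\s+(https?://[^\s\[]+)\s*\[[^\]]*\bR(?:=\d+)?\b", re.I | re.M)

def scan_php(text):
    # Returns the indicator names found in one PHP/HTML file's text.
    found = []
    if EVAL_B64.search(text):
        found.append("eval_base64_decode")
    # Reverse each strrev() literal; "edoced_46esab" becomes "base64_decode".
    if any(m.group(1)[::-1].lower() == "base64_decode" for m in STRREV.finditer(text)):
        found.append("strrev_base64_decode")
    return found

def scan_htaccess(text, own_host):
    # Returns redirect targets on hosts other than own_host that sit behind a
    # referer condition; same-host redirects are ordinary site maintenance.
    if not REFERER_COND.search(text):
        return []
    hits = []
    for m in REDIRECT_RULE.finditer(text):
        url = m.group(1)
        host = url.split("//", 1)[1].split("/", 1)[0].lower()
        if host != own_host.lower():
            hits.append(url)
    return hits

# Constructed samples (not from the thread) mimicking the infections described.
SAMPLE_PHP = "<?php eval ( base64_decode($p) ); $d = strrev('edoced_46esab'); ?>"
SAMPLE_HTACCESS = ("RewriteEngine On\nRewriteCond %{HTTP_REFERER} .google. [OR]\n"
                   "RewriteCond %{HTTP_REFERER} .bing.\n"
                   "RewriteRule ^(.*)$ http://malicious.example/ [R=301,L]\n")
```

To sweep a whole site, run scan_htaccess on every .htaccess and scan_php on every .php/.html file in the local copy (for example via pathlib's rglob), and compare any hit against the upload timestamps in the FTP log.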


Thread source: http://www.webmasterworld.com/webmaster/4042154.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com