Andy_Langton - 12:54 am on Sep 23, 2012 (gmt 0)

It's a heavily obfuscated script, which attempts to include the following file:

/home/username/widgetclick.com/widget/images/log/.%828E[snip]

First step is to try to identify any and all files associated with the hack. One way to do that is to search for files with the same creation date as lndex.php

lndex.php is likely shown because it is either the default index file on your server, or it was added as a DirectoryIndex directive in htaccess.
.

[edited by: Robert_Charlton at 4:28 am (utc) on Sep 23, 2012]

[edited by: Andy_Langton at 10:44 am (utc) on Sep 23, 2012]