Help please - MySQL Injection Attack

Discussion in 'Security' started by DavidBlaze, Sep 5, 2009.

  1. #1
    Hello,

    We have a Linux-based osCommerce website. Since yesterday someone has been injecting encrypted code into every .php file on our website (example: <?php /**/eval(base64_decode('encrypted code here')); ?>).

    We have tried to figure out what back door the person is using with no luck.

    We are in need of help and if anyone can figure out how this is happening and a suitable prevention, we are willing to pay.

    Please PM me if you can help and I will send you the details.

    Thanks in advance.
     
    DavidBlaze, Sep 5, 2009
  2. kailash

    #2
    Do you own your server, or is your web site hosted on a shared server? If you are on a shared server, you have fewer options to investigate it from your end. You will need to update your host as soon as possible to find the root cause. Additionally, you can take the following steps from your end:

    [1] Change your FTP user's password. If possible, use a combination of special characters.
    [2] Upgrade all installed third-party scripts in your web site.
    [3] If you are using a third-party template or module, then make sure they are secure.
    [4] Scan the system from where you are uploading and managing your web site to check for possible virus/trojan/spyware infection.

    Kailash
     
    kailash, Sep 5, 2009
  3. user099

    #3
    You can try to contact the user SecureCP.
    I had a similar problem and he cleaned and protected my server.
     
    user099, Sep 7, 2009
  4. jtpratt

    #4
    Kailash had some great ideas to get you started - you need to get that bad code out of there. Your choices are to find and remove it yourself, or hire someone (like me) to find and remove it for you.

    Be sure, once clean, to have someone lock down that site a bit more for you.
     
    jtpratt, Sep 9, 2009
  5. bluearrow

    #5
    Like user099 said, contact SecureCP. He will be able to help you.
     
    bluearrow, Oct 4, 2009
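
The injected block quoted in the first post can be located across a site tree with a read-only sweep that also records when each affected file last changed. This is an added example, not code from any poster in this thread; the function names, the sample tree and the placeholder payload are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# The block quoted in the first post: <?php /**/eval(base64_decode('...')); ?>
# The empty comment, spacing and quote style are optional so close variants match.
INJECTED = re.compile(
    rb"<\?php\s*(?:/\*\s*\*/)?\s*eval\s*\(\s*base64_decode\s*\(\s*"
    rb"(['\"])([A-Za-z0-9+/=\s]*)\1\s*\)\s*\)\s*;?\s*\?>"
)

def scan_tree(root):
    """Return one finding per injected block in the .php files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            for m in INJECTED.finditer(data):
                findings.append({"path": path, "offset": m.start(),
                                 "payload_len": len(m.group(2)), "mtime": mtime})
    return findings

def earliest_change(findings):
    """Oldest mtime among hits (UTC): a starting point for reading FTP/web logs.
    mtime can be reset by whoever wrote the file, so treat it as a lead only."""
    if not findings:
        return None
    oldest = min(f["mtime"] for f in findings)
    return datetime.fromtimestamp(oldest, timezone.utc).isoformat()

if __name__ == "__main__":
    # Constructed sample tree; the payload is a harmless placeholder string.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php /**/eval(base64_decode('cGxhY2Vob2xkZXI=')); ?>"
                     b"<?php echo 'shop'; ?>")
        with open(os.path.join(root, "clean.php"), "wb") as fh:
            fh.write(b"<?php echo base64_decode($_GET['x']); ?>")
        for hit in scan_tree(root):
            print(hit)
        print("earliest:", earliest_change(scan_tree(root)))
```

A hit is a lead for review rather than proof of compromise, since a legitimate script can also wrap `eval(base64_decode(...))` in its own PHP tag.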