pinkgothic

@montoyamedia: the virus isn’t the code snippet, though it propagates that way; it’s an infection on someone’s computer. So, the first thing you should do is check yourself for malware, make sure you’re clean; when you’ve confirmed that, change your FTP password(s). Then clean out the infected files.

As for how to do it, you can write yourself a PHP script that’ll remove that particular <script>. Anything that descends through your directory structure and opens every applicable file will do, for example: https://beaver6813.com/2010/04/php-search-and-replace-directory-recursively/ (Note: I haven’t tested this, I can’t vouch for it, but note it only touches .php files; you’ll want to adjust if(substr_count($sub,'.php') to be something like if (in_array($sub, $files)) or comparable, with $files populated at the start of the script like:

$bases = array('index', 'home', 'default', 'auth', 'showthread');
$extensions = array('html', 'php', 'php5');
$files = array();
foreach ($bases as $base) {
  foreach ($extensions as $extension) {
    $files[] = $base . '.' . $extension;
  }
}

(Or just hardcode the array if you’d rather.)

Make sure you test your script in a sandbox first. If you run into trouble, try a website like stackoverflow for generic programming help. ??

Guys, just so you know, there’s a thread on Google Webmaster Central’ “Malware & hacked sites” forum, too, in case someone wants to take a look at that.

@amada: Thanks for the heads-up with your host, it’s somewhat ‘soothing’ to know it’s not an issue of a specific host, even if that implies a bigger problem.

(I should probably add this doesn’t look like a WordPress vulnerability, either, this happened to sites without WordPress, also. Most of the ones my friend had weren’t WordPress; three of them didn’t even share a webspace with a WordPress installation. My money is still on a gumblar derivate.)

…kingdom^. I’ll just shoot myself now.

Ack, a kindgom for an edit button! I forgot to add (albeit kind of obvious): If you sort your files in your FTP by date, then you can find the infected files easier, they’ll have timestamps denoting a change today.

May I ask who your host is? The sites of a friend of mine were infected, all hosted by Gridstar, hence the enquiry. (It’s unlikely that has anything to do with it, but right now we’re still trying to figure out what exactly happened).

Amada, first, check your computer for malware, then, when you’re certain you’re clean, change your website passwords (especially FTP, this may be a variant of gumblar); then, in your FTP, check every folder and subfolder and sub-subfolder (and so on) of your site, for these files:

• index.html
• index.php5
• auth.php
• index.php
• home.php
• showthread.php

If you edit them, you’ll find that they’ve had a <script> injected into them; in the PHP/PHP5 files, it’ll be the last line(s), after the ?>; in the HTML files, it’ll be just before the closing </body> tag – remove those. Be thorough about it – it’s tedious work, but it pays off.