Update: It seems a new version of the attack has been made using .htaccess files, so this guide might be outdated.
I was recently hacked by this website “sweepstakesandcontestsinfo.com”, which was adding a little JavaScript just before the </body> tag that was leading visitors to download a malware-filled Flash Player. I got to know about this when a particular Finnish site was discussing it (thank god I check stats).
Anyway, I did a little searching around. It seems that every single PHP file of mine was appended with the cheesy base64_encode’d code.
My crappy webhost doesn’t provide SSH access, so I couldn’t use my favorite command line and had to write some PHP code. Though it’s not the most efficient script, it does the job well.
OK, here’s how you get rid of it.
1) Extract and upload this to your root directory.
2) Open one of your PHP files. At the top you’ll have code similar to <?php eval(base64_decode('shit')); ?>. Copy and paste it into the ‘replace.txt’ file.
3) Open yoursite.com/replace.php. It’ll take a few minutes. Scroll down; it will have replaced the malicious code.
And oh, you need to have the File_SearchReplace PEAR package installed on your host for this script to work.
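For hosts without that PEAR package, the same cleanup can be done in plain PHP. This is an added example, not the replace.php from this post: the function name clean_tree and the report layout are made up for illustration, and it assumes replace.txt sits next to the script and holds the exact snippet from step 2. It also lists files that still contain an eval of base64-decoded data, which is how a variant of the snippet that doesn't match replace.txt shows up.

```php
<?php
// Added example, not the original replace.php; needs no PEAR package.
// Assumption: replace.txt (next to this script) holds the exact injected
// snippet copied from one infected file, as in step 2.

function clean_tree(string $root, string $needle, bool $dryRun = true): array
{
    $report = ['cleaned' => [], 'suspicious' => [], 'failed' => []];
    if ($needle === '') {
        return $report; // nothing to search for
    }
    // PHP swallows one newline after a closing PHP tag, so remove it with
    // the snippet; otherwise the cleaned file would start with a blank line.
    $targets = [$needle . "\r\n", $needle . "\n", $needle];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories
    );
    foreach ($files as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $src = file_get_contents($path);
        if ($src === false) {
            $report['failed'][] = $path;
            continue;
        }
        $fixed = str_replace($targets, '', $src, $count);
        if ($count > 0) {
            if (!$dryRun && file_put_contents($path, $fixed, LOCK_EX) === false) {
                $report['failed'][] = $path;
                continue;
            }
            $report['cleaned'][] = $path;
        }
        // A variant of the snippet will not match replace.txt exactly;
        // list any file that still decodes and evaluates a base64 string.
        if (preg_match('/eval\s*\(\s*base64_decode\s*\(/i', $fixed)) {
            $report['suspicious'][] = $path;
        }
    }
    return $report;
}

$needle = trim((string) @file_get_contents(__DIR__ . '/replace.txt'));
header('Content-Type: text/plain');
print_r(clean_tree(__DIR__, $needle, true)); // pass false to write changes
```

The first run is a dry run that only reports what would change. Download a copy of the site before switching the last argument to false, and delete the script from the server once the cleanup is done.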
Also, Sucuri says that these websites also do the same crap:
sokoloperkovuskeci.com
sweepstakesandcontestsnow.com
sweepstakesandcontestsinfo.com
sweepstakesandcontestsdo.com