Fixed Hacked Site – PHP injection

Today a customer called me about a PHP website that was popping up viruses all over the place.

I loaded up the site and there it was, the page was immediately redirected to a spyware / virus type site that tried to convince me to download their software to fix a problem. Since I knew better I carefully answered the browser prompts to make sure I closed out and left the page without opening anything malicious.
Then I went back to the page that had the problem and tried to load it again. But the problem was GONE!

After a bit more investigation I found that the people who wrote the virus dropped a cookie on my machine and made sure they allowed me back in the site. I am sure this trick helps them to keep the virus on a site for longer because the site administrators may not recognize it as an on going problem (or even a problem that their site caused).

In digging I found that each PHP page on the site had some PHP code added to the top of it.
something like

This was on a single line at the top of the file and even the administrator who had noticed the odd code at the top passed over it not thinking it was malicious.
However, the text inside the encoded string was VERY malicious. I decoded it and found several PHP functions and additional encoded strings.

I decided it wasnt worth figuring out what all they did with the code but instead decided to just clean it up. I assumed that the code probably helped replicate itself by checking that ALL other PHP pages on the site also had the same code in them. So if someone removed the code and then the code was run on another page it put itself back where you removed it.

Anyway, pretty sophisticated but it was easy for me to find the problem just opened and looked at the PHP file and saw code that shouldnt have been there.

A cool way that I found where the problem was before even opening the PHP file was to use HTTPWatch to see which exact files were downloaded from which site in the browser. I use the free version of the softwar and it has met all my needs so far. It is similar to firebug in FireFox.