 

Odd code added just before close body tag

Tags:

html

php

My client is reporting that code looking like this has been automatically added to the end of all PHP files (just before the close body tag):

<b1><!--J5qN2aS2eNoNycENgCAMAMCNqEoUnYZA04DRUgI1rC+f+xxwUdDQEuliwe5u3U+wzm3HBWMMkxpR0Qnmr2E2KAyDIqAUnQGM3H0NiXwUed67q6m5/t4jHpA=--></b1>

He tried manually deleting that line, but of course it reappears. Googling returns very little:

  • http://www.sitepoint.com/forums/showthread.php?t=652089

Can anyone help point us in the right direction? Anything particular to look for?

shanebonham asked Nov 14 '22 13:11


1 Answer

That looks like an encrypted base64-encoded string.

J5qN2aS2eNoNycENgCAMAMCNqEoUnYZA04DRUgI1rC+f+xxwUdDQEuliwe5u3U+wzm3HBWMMkxpR0Qnmr2E2KAyDIqAUnQGM3H0NiXwUed67q6m5/t4jHpA=

Decoding doesn't seem to provide any useful information. I would assume the host is compromised.

One of my clients had a similar problem on one of his websites: turns out there was an upload form that didn't have proper file validation; a Perl script was uploaded and executed via the web server and gave the attacker almost root access to the server by creating a daemon.

Alix Axel answered Dec 19 '22 09:12
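To see how far the injection has spread, the web root can be swept for the marker shape quoted in the question. The following is an added example, not code from the original post or its answer; the function names, the file-extension list and the zlib-header check are assumptions chosen for illustration. It lists each affected file with its modification time and reports whether the decoded bytes contain a zlib header, a hint that the body is compressed rather than plain text.

```python
import base64
import binascii
import os
import re

# Marker shape taken from the snippet quoted in the question:
# <b1><!-- base64 text --></b1>
MARKER = re.compile(r"<b1><!--([A-Za-z0-9+/=\s]+)--></b1>")

def zlib_offset(data):
    """Offset of the first plausible zlib header (0x78 plus a valid check byte), or None."""
    for i in range(len(data) - 1):
        if data[i] == 0x78 and ((data[i] << 8) | data[i + 1]) % 31 == 0:
            return i
    return None

def find_injections(text):
    """Return one dict per injected marker found in a page's source."""
    hits = []
    for m in MARKER.finditer(text):
        try:
            raw = base64.b64decode("".join(m.group(1).split()), validate=True)
        except binascii.Error:
            raw = b""  # marker shape matched, but the body is not valid base64
        hits.append({"pos": m.start(), "size": len(raw),
                     "zlib_offset": zlib_offset(raw)})
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm")):
    """Walk a web root and list (path, mtime, hits) for every affected file."""
    affected = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read())
            if hits:
                affected.append((path, os.path.getmtime(path), hits))
    return sorted(affected, key=lambda item: item[0])

if __name__ == "__main__":
    import sys
    for path, mtime, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, int(mtime), hits)
```

The modification times give a starting window for reviewing web server and upload logs; files that are re-infected after cleaning point to a process still running on the host.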