How did it get there?

I'm not entirely sure of the vulnerability that lets this hack in, but I do know that after being repeatedly hit with it for several weeks, I managed to stop it entirely after I updated my PHP configuration to forbid the fopen and file_get_contents functions from opening off-site URLs.
This seems to suggest that there was code somewhere on my site that was allowing a malicious user's script to execute on my server, which was then able to write the eval(base64_decode()) function calls into all of my PHP files. Since I have seen this happen to WordPress users, it looks like WordPress has the vulnerability in it somewhere.
How do I stop it?

First, add the following lines to your php.ini file. Check with your hosting provider to find out if and how you can edit your php.ini file.
allow_url_fopen = off
allow_url_include = off
; Only built-in functions can be disabled here. eval is a language construct, not a function,
; so listing it has no effect; it is kept below only because the original list carried it.
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
Once you've done this, REMOVE ALL INSTANCES OF THE MALICIOUS CODE FROM YOUR SITE. This attack tends to add the bad code to every PHP file on your site, so you might want to run a script to remove all occurrences of it. The bad code can still work even if you add those lines to your php.ini file, so it is imperative that you get rid of all of it as soon as possible.
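A cleanup script of the kind described above, as an added example that is not part of the original article. It walks a directory tree, strips injected eval(base64_decode("...")) statements from every .php file, and keeps a backup of each file it changes so the infected copy is still available for investigation. The directory layout, the backup suffix and the constructed sample file (whose payload decodes to a harmless echo) are assumptions; point $root at your web root and switch off the dry run once the report looks right.

```php
<?php
// Added example (not part of the original article): scan a directory tree for
// PHP files carrying an injected eval(base64_decode("...")) statement, strip
// those statements and keep a backup of every file that is modified.
// The directory path, backup suffix and sample file below are assumptions.

declare(strict_types=1);

// Matches one injected statement as a whole, including an optional surrounding
// <?php ... ?> wrapper, so the rest of the file is left untouched.
const INJECTION_PATTERN =
    '/(<\?php\s*)?eval\s*\(\s*base64_decode\s*\(\s*[\'"][A-Za-z0-9+\/=]+[\'"]\s*\)\s*\)\s*;?(\s*\?>)?/';

/** Return [cleaned source, number of injected statements removed]. */
function cleanSource(string $source): array
{
    $cleaned = preg_replace(INJECTION_PATTERN, '', $source, -1, $count);
    return [$cleaned ?? $source, $count];
}

/** Walk $root, clean every *.php file, and return [path => removed count]. */
function cleanTree(string $root, bool $dryRun = true, string $backupSuffix = '.bak'): array
{
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        [$cleaned, $count] = cleanSource(file_get_contents($path));
        if ($count === 0) {
            continue;
        }
        $report[$path] = $count;
        if (!$dryRun) {
            copy($path, $path . $backupSuffix);   // keep the infected copy for investigation
            file_put_contents($path, $cleaned);
        }
    }
    return $report;
}

// --- Demonstration on a constructed sample in a temporary directory ----------
$root = sys_get_temp_dir() . '/eval-cleanup-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/inc', 0700, true);

// Constructed "infected" file: the payload decodes to a harmless echo statement.
$payload  = base64_encode("echo 'constructed sample payload';");
$infected = "<?php eval(base64_decode(\"$payload\")); ?><?php\n// original site code\necho \"hello\";\n";
file_put_contents($root . '/inc/header.php', $infected);
file_put_contents($root . '/clean.php', "<?php\necho \"nothing injected here\";\n");

echo "Dry run (nothing written):\n";
print_r(cleanTree($root, true));

echo "Cleaning:\n";
print_r(cleanTree($root, false));
echo file_get_contents($root . '/inc/header.php');
// header.php now starts at "<?php\n// original site code"; header.php.bak holds the infected copy.
```

Run the dry run first and read the report: a file that matches in an unexpected place (a vendor library, for instance) deserves a look before you let the script rewrite it. The pattern only recognises the single-line eval(base64_decode()) form the article describes; a variant that splits or obfuscates the call differently will not match and still needs to be found by hand.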
If you use fopen or file_get_contents to load off-site URLs on your site, those calls will stop working after you make this change (reading local files is unaffected). If your web host has the cURL module installed with PHP, you can use that to load off-site URLs instead.
The above changes disable the functions that make PHP the most vulnerable. However, if your site depends on any of them, you will have to either find a different way to do it or re-enable the functions you need.
Above all, NEVER pass a variable that could carry user input to a function like fopen or file_get_contents. Look for any places in your code where a malicious user could inject malicious code. Read more about how to prevent cross-site scripting (XSS) attacks.
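The rule above, and the cURL suggestion from the earlier paragraph, as an added example that is not part of the original article. It puts the unsafe pattern (a visitor-controlled variable handed straight to file_get_contents) next to two hardened forms: a fixed allowlist for local templates, and a cURL fetch that only runs after the URL has been checked against an explicit host allowlist. The parameter name "page", the template directory, the host list and the sample URLs are assumptions.

```php
<?php
// Added example (not part of the original article): the unsafe pattern the
// article warns about, beside hardened versions. The parameter name "page",
// the template directory and the host allowlist are assumptions.

declare(strict_types=1);

// UNSAFE: the visitor controls the whole argument. With allow_url_fopen on they
// can point it at any URL; even with it off, "../" sequences reach local files.
function unsafeLoad(): string
{
    return file_get_contents($_GET['page']);
}

// SAFE (local files): the visitor chooses a key from a fixed table, never a path.
const TEMPLATE_DIR = __DIR__ . '/templates';
const TEMPLATES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function safeLoadTemplate(string $key): string
{
    if (!isset(TEMPLATES[$key])) {
        throw new InvalidArgumentException('unknown page');
    }
    return file_get_contents(TEMPLATE_DIR . '/' . TEMPLATES[$key]);
}

// SAFE (remote URLs): keep allow_url_fopen off and use cURL, but only after the
// URL passes an explicit https + host allowlist check.
function isAllowedRemoteUrl(string $url, array $allowedHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return strtolower($parts['scheme']) === 'https'
        && in_array(strtolower($parts['host']), $allowedHosts, true);
}

function safeFetchRemote(string $url, array $allowedHosts): string
{
    if (!isAllowedRemoteUrl($url, $allowedHosts)) {
        throw new InvalidArgumentException('URL not on the allowlist');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // a redirect could leave the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('fetch failed: ' . $err);
    }
    return $body;
}

// --- Demonstration with constructed inputs (no network access needed) --------
$allowed = ['feeds.example.com'];
foreach ([
    'https://feeds.example.com/latest.xml',
    'http://feeds.example.com/latest.xml',     // wrong scheme
    'https://other.example/feed.xml',          // host not on the allowlist
    'ftp://feeds.example.com/latest.xml',      // wrong scheme
] as $url) {
    printf("%-40s %s\n", $url, isAllowedRemoteUrl($url, $allowed) ? 'allowed' : 'rejected');
}
// Only the first URL is reported as allowed.
```

Whatever cURL returns is data: write it to a file or parse it, but never include() or eval() it, and leave allow_url_include off so a fetched body cannot become code by accident.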