Today one of my PHP websites was hacked -- 3 times! I'm trying to figure out how it was done and prevent it from happening.
6 pages and 6 include files had the same script inserted at the start.
<?php eval(gz_deflate(base64_decode(...))); ?>
Deflating it reveals that the script is supposed to redirect to an online pharmacy page.
Now ... how???
The server runs Ubuntu, apache2, and PHP5.
It happened at 6:35 this morning. Again at 12:15 and 3:15 this afternoon.
The changed files all had the same timestamp. It was the same set of files each time. So I believe this is scripted.
The FTP server log shows no activity at the time in question. The Apache log shows no unusual requests or query strings. The first time, auth.log showed that "nobody" had successfully done an su as root. I changed "nobody" to have a shell of /bin/false.
What else should I look for to determine the security hole being exploited?
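Added example, not code from the original post or from any project it mentions: a small Python triage script that automates the two things the post does by hand (finding every file carrying the injected `eval(...(base64_decode(...)))` stub, and reading what it does without running it) and then groups the hits by modification time, since a batch of files sharing one mtime is the fingerprint of a scripted edit. It assumes the stub's `gz_deflate` in the post is PHP's `gzinflate()`, which is raw DEFLATE with no header (so `zlib` needs `wbits=-15`), and it decodes with `zlib` rather than ever evaluating the payload, peeling nested layers because the decoded text is frequently another copy of the same stub. The web root, the pharmacy URL, the file names and the timestamp are all constructed here so the script runs offline.

```python
"""Triage helper for the eval(gzinflate(base64_decode(...))) stub.

Added example, not the original poster's code.  The sample web root,
payload, file names and timestamps are constructed below for the demo.
"""
import base64
import os
import re
import tempfile
import zlib
from collections import defaultdict

# PHP's gzinflate() is raw DEFLATE (no zlib/gzip header): wbits=-15 in zlib.
RAW_DEFLATE = -15

# Matches the injected stub; group(1) captures the base64 blob.
STUB_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]"
    r"([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)


def _inflate(b64_blob):
    """base64 -> raw DEFLATE -> text, with no evaluation of the result."""
    raw = base64.b64decode("".join(b64_blob.split()))
    return zlib.decompress(raw, RAW_DEFLATE).decode("utf-8", "replace")


def decode_stub(source, max_layers=10):
    """Return the innermost plaintext hidden in `source`, peeling nested
    stubs (attackers often wrap the same trick several times), or None
    if no stub is present.  Never calls eval or PHP."""
    m = STUB_RE.search(source)
    if not m:
        return None
    text = _inflate(m.group(1))
    for _ in range(max_layers - 1):
        m = STUB_RE.search(text)
        if not m:
            break
        text = _inflate(m.group(1))
    return text


def scan_webroot(root, exts=(".php", ".inc", ".phtml")):
    """Walk `root`; return {path: decoded_payload} for every infected file."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                payload = decode_stub(fh.read())
            if payload is not None:
                hits[path] = payload
    return hits


def batches_by_mtime(paths):
    """Group files by whole-second mtime.  Several files sharing one second
    is the signature of a scripted mass edit, not of someone editing by hand."""
    groups = defaultdict(list)
    for p in paths:
        groups[int(os.stat(p).st_mtime)].append(p)
    return {t: sorted(v) for t, v in groups.items() if len(v) > 1}


# --- constructed sample (hypothetical, not real attacker output) -----------
REDIRECT_PHP = "<?php header('Location: http://pharmacy.example/'); exit; ?>"


def make_stub(php_source):
    """Build the kind of one-liner the attacker prepended (demo only)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, RAW_DEFLATE)
    raw = comp.compress(php_source.encode()) + comp.flush()
    b64 = base64.b64encode(raw).decode()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % b64


def build_sample_site():
    """Temp web root: two infected files (doubly wrapped stub), one clean."""
    root = tempfile.mkdtemp(prefix="webroot-")
    outer = make_stub(make_stub(REDIRECT_PHP))  # stub wrapping a stub
    files = {
        "index.php": outer + "\n<?php echo 'home'; ?>\n",
        "inc/header.inc": outer + "\n<?php echo 'hdr'; ?>\n",
        "about.php": "<?php echo 'about'; ?>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    stamp = 1_000_000_000  # one identical mtime for the infected pair
    for rel in ("index.php", "inc/header.inc"):
        os.utime(os.path.join(root, rel), (stamp, stamp))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    found = scan_webroot(site)
    for path, payload in sorted(found.items()):
        print(path, "->", payload)
    for stamp, paths in batches_by_mtime(found).items():
        print("batch at mtime", stamp, ":", len(paths), "files")
```

Point `scan_webroot` at the real document root to get the full list of infected files and what each payload does; the mtime batches line up with the times in the Apache log, which narrows the window to search for the request or session that wrote them.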