Today I found one customer Typo3 website that would arbitrarily deliver white pages or pages without layout and menu. Each page had a "End HTML 3.51.197" in comment brackets attached that I never noticed before.

Digging into the problem, I found strange code in typo3conf/localconf.php. It looked like "error_reporting(0);eval(base64_decode('JGxMOXdGMW[...]));"

Deactivating the code solved the visible problems on the website. In order to prevent the site from being comprimised further, I changed all logins, made localconf.php read-only for the webserver user and deactivated the eval function in PHP, which is not in use anyway.

The interesting questions are:

1. How did this code get there?
2. What did it do or try to do?

The first question is hard to answer: I think, the hacker got the login somehow, maybe fished from a computer with malware on it. Within the backend, any user with administrative rights can change localconf. Another possibility would be that a vulnerable plugin was used for this.

For the second question, let's go for the code: You can download it under "more". This hack seems to be related to a wordpress hack. The code contains the string "HOSTING VASH NE PODDERZHIVAET ETO". If you google for it, there are some posts to that, for example http://blog.lauralemay.com/2012/01/hacked.html.

So I guess the purpose of this is to present spam links to search engines and users that have a search engine as referrer.