Today I found a customer's Typo3 website that would randomly deliver blank pages or pages without layout and menu. Each page had an "End HTML 3.51.197" inside HTML comment brackets that I had never noticed before.
Digging into the problem, I found strange code in typo3conf/localconf.php. It looked like "error_reporting(0);eval(base64_decode('JGxMOXdGMW[...]'));"
Deactivating the code solved the visible problems on the website. To prevent the site from being compromised further, I changed all logins, made localconf.php read-only for the webserver user and deactivated the eval function in PHP, which is not in use anyway.
The interesting questions are:
- How did this code get there?
- What did it do or try to do?
The first question is hard to answer: I think the hacker got the login somehow, maybe phished from a computer with malware on it. Within the backend, any user with administrative rights can change localconf. Another possibility would be that a vulnerable plugin was exploited for this.
For the second question, let's look at the code: you can download it under "more". This hack seems to be related to a WordPress hack. The code contains the string "HOSTING VASH NE PODDERZHIVAET ETO". If you google it, there are some posts about it, for example http://blog.lauralemay.com/2012/01/hacked.html.
So I guess the purpose of this is to present spam links to search engines and to users who arrive with a search engine as referrer.
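As an added example (not code from the original post or from the Typo3 project), here is a small Python scanner for the kind of injection described above: it finds the `eval(base64_decode('...'))` pattern in PHP files, decodes the payload statically, unwraps nested base64/gzinflate/str_rot13 layers that this family of injections commonly uses, and reports which indicator strings appear in the decoded code. The payload is never executed, only decoded and inspected. The sample localconf.php content and its payload are constructed for this example and are not the real payload from the compromised site; the marker string from the post is used as one of the indicators.

```python
"""Static scanner for eval(base64_decode(...)) injections in PHP files.

Decodes the payload without executing it so the content can be inspected
safely (e.g. for the "HOSTING VASH NE PODDERZHIVAET ETO" marker).
"""
import base64
import codecs
import os
import re
import sys
import zlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Shape of the injection seen in typo3conf/localconf.php:
#   error_reporting(0);eval(base64_decode('...'));
# gzinflate/str_rot13/gzuncompress wrappers are common in the same family,
# so an optional inner wrapper is matched as well.
INJECT_RE = re.compile(
    r"eval\s*\(\s*(?:(gzinflate|gzuncompress|str_rot13)\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)",
    re.IGNORECASE,
)

# Indicator strings: the marker quoted in the post plus the referrer check
# that search-engine cloaking needs. Extend this list as needed.
IOC_STRINGS = ["HOSTING VASH NE PODDERZHIVAET ETO", "HTTP_REFERER"]

MAX_LAYERS = 5  # how many nested eval(...) wrappers to unwrap


@dataclass
class Finding:
    path: str
    line: int
    layers: int          # 0 means the payload could not be decoded
    decoded: str
    iocs: List[str] = field(default_factory=list)


def _unwrap(wrapper: Optional[str], data: bytes) -> bytes:
    """Undo the PHP wrapper function applied around base64_decode()."""
    if wrapper is None:
        return data
    w = wrapper.lower()
    if w == "gzinflate":
        return zlib.decompress(data, -15)   # PHP gzinflate == raw DEFLATE
    if w == "gzuncompress":
        return zlib.decompress(data)        # zlib-wrapped stream
    if w == "str_rot13":
        return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    raise ValueError(wrapper)


def decode_payload(php_source: str, max_layers: int = MAX_LAYERS) -> Optional[Tuple[str, int]]:
    """Return (innermost decoded code, layers unwrapped), or None if nothing decodes."""
    current, layers = php_source, 0
    while layers < max_layers:
        m = INJECT_RE.search(current)
        if not m:
            break
        wrapper, b64 = m.group(1), re.sub(r"\s+", "", m.group(2))
        try:
            raw = base64.b64decode(b64, validate=True)
            current = _unwrap(wrapper, raw).decode("utf-8", errors="replace")
        except Exception:
            break   # truncated or garbled payload: stop and report what we have
        layers += 1
    return (current, layers) if layers else None


def scan_source(path: str, source: str) -> List[Finding]:
    """Report every eval(base64_decode(...)) occurrence in one file's source."""
    findings = []
    for m in INJECT_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        result = decode_payload(source[m.start():])
        if result is None:
            findings.append(Finding(path, line, 0, "", []))   # flag it anyway
            continue
        decoded, layers = result
        iocs = [s for s in IOC_STRINGS if s in decoded]
        findings.append(Finding(path, line, layers, decoded, iocs))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a document root and scan every .php/.inc file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".php", ".inc")):
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(p, fh.read()))
    return findings


# --- Constructed sample (NOT the real payload from the compromised site) ----
def _deflate_raw(data: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

INNER = ("$r=@$_SERVER['HTTP_REFERER'];"
         "if(preg_match('/google|yahoo|bing/i',$r)){echo 'HOSTING VASH NE PODDERZHIVAET ETO';}")
LAYER1 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(_deflate_raw(INNER.encode())).decode()
SAMPLE_LOCALCONF = (
    "<?php\n"
    "$TYPO3_CONF_VARS['SYS']['sitename'] = 'Example';\n"
    "error_reporting(0);eval(base64_decode('%s'));\n"
    "?>\n"
) % base64.b64encode(LAYER1.encode()).decode()

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_source("localconf.php", SAMPLE_LOCALCONF)
    for f in hits:
        print(f"{f.path}:{f.line} layers={f.layers} iocs={f.iocs}\n  {f.decoded[:120]!r}")
```

Run it as `python scan.py /path/to/htdocs` over the whole document root, not only typo3conf/, since the same pattern is usually dropped into more than one file. A hit with `layers=0` means the regex matched but the payload did not decode, which needs manual inspection rather than dismissal. Because the decoded text is never passed to `eval`/`exec`, the script is safe to run on live compromised files.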