I'm sure there are several approaches to getting this done. I'm no expert in this, but one of my "clients" had this problem, and each time he removed it, it was back the next day.
It turned out that when I went over his folders and files and set the correct permissions the problem stopped. For more info have a look at http://en.wikipedia.org/wiki/Chmod
chmod is only protecting files from being modified by whatever method is being used. It isn't actually plugging the security vulnerability that allowed it in the first place. Also, chmod won't help you if your script is vulnerable to injection by itself (and the permission the script is running under has write access), unless you set the files to read/execute only.
Ideally, shared hosting environments should not allow users to modify other files on the server outside of their root path; if this is not the case, trouble your host to correct it. If they aren't locked out of other users' directories, it will be possible for them to do possibly more things than inject a snippet of code into a PHP script, including obtaining usernames and passwords to your database stored in plaintext configuration files.
The most common method I have seen is the FTP credentials becoming compromised. This can be through brute force, especially with the commonly weak passwords most people use, or just through poor credential management (do you have yours on a sticky note attached to your monitor?). Make sure you approach the host about this issue and have *all* of your credentials changed, including FTP, shell access, control panel, etc. Any method configured for you to access the server should be updated with new credentials. Then go back through your content and remove the scripting.
chmod will only help you if you're on a weakly secured shared hosting server, in the sense that it can stop other people on the server from changing your files. But if your host doesn't work with the files being owned by your own account, other people will still be able to read them, and extract things like database credentials which they can then use to access your database.
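The posts above argue over what chmod does and does not buy you on a shared host. As an added example (not code from anyone in this thread), the following Python script audits a web root for files or directories that are group- or world-writable, or that differ from an assumed policy of 0644 for files and 0755 for directories, and can reset them. The policy values, the sample tree it builds in a temporary directory and all function names are assumptions made for this example; it does nothing about the other risks named above (an injectable script running as your own user, or other tenants reading your config files), which is exactly the limitation the replies point out.

```python
import os
import stat
import tempfile

# Policy assumed for this example (not from the thread): a shared-host PHP site where
# files are 0644, directories 0755, and nothing is group- or world-writable.
FILE_MODE = 0o644
DIR_MODE = 0o755


def audit_permissions(root):
    """Walk `root` and return (path, actual_mode, expected_mode, reason) for every
    entry that is writable by group or world, or that otherwise departs from policy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        if dirpath == root:
            entries.insert(0, (root, True))  # os.walk never lists the root itself
        for path, is_dir in entries:
            if os.path.islink(path):
                continue  # symlink mode bits are meaningless; audit the target instead
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            expected = DIR_MODE if is_dir else FILE_MODE
            if mode & stat.S_IWOTH:
                findings.append((path, mode, expected, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((path, mode, expected, "group-writable"))
            elif mode != expected:
                findings.append((path, mode, expected, "differs from policy"))
    return findings


def audit_summary(root):
    """The same findings keyed by path relative to root, for a compact report."""
    return {os.path.relpath(p, root): reason
            for p, _mode, _expected, reason in audit_permissions(root)}


def enforce_policy(root, dry_run=True):
    """Reset every flagged entry to its policy mode (a dry run only lists them)."""
    changed = []
    for path, _mode, expected, _reason in audit_permissions(root):
        if not dry_run:
            os.chmod(path, expected)
        changed.append(path)
    return changed


def build_sample_site():
    """Constructed throwaway tree imitating a sloppy shared-host layout."""
    root = tempfile.mkdtemp(prefix="site_")
    os.chmod(root, DIR_MODE)
    os.mkdir(os.path.join(root, "uploads"))
    for rel, mode in [("index.php", 0o644), ("config.php", 0o666),
                      ("uploads/image.php", 0o777)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, mode, expected, reason in audit_permissions(site):
        print(f"{reason:20} {oct(mode)} -> {oct(expected)}  {path}")
    enforce_policy(site, dry_run=False)
    print("after fix:", audit_summary(site))
```

Run it once with the default dry run to see what would change before letting it chmod anything; on a real site, check the output against what the hosting control panel expects for its own directories first.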
Same thing happened for one of my clients; each file of his WordPress installation got that dumb inside at the beginning. We found a PHP script that cleans up all files and also removes empty lines.
I think this is weak security of file manager or picture manager plugins in WYSIWYG editors like TinyMCE.
Here is our case in an old Mambo CMS installation.
Make sure you ask your host to update your cPanel and PHP/MySQL. Make sure that you update your PHP scripts as well. A lot of hosts probably don't follow the proper procedures in security either, unfortunately, from what I have seen. As always, back up your site every week at least.
The people who create this code and hack it onto people's site are the most despicable of all internet criminals.
I believe I have a simple solution to this problem, at least to stop this scum from hurting your customers.
Their script finds every PHP file and prepends a chunk of PHP.
So use that against them. Include in every page as you would functions of a config file. If it's not in the same directory as your index file, obviously change the code to fit.
<?php
// This file should stay under 570 bytes in length; if it is longer, something was prepended to it.
// mail('youremail', 'Website compromised ' . $_SERVER['HTTP_HOST'], 'taken offline', 'FROM: youremail');
if (filesize(__FILE__) > 570) { // size check implied by the comment above; added here so the site is only taken offline when the file has grown
    if (!file_exists('index.phpx')) rename('index.php', 'index.phpx');
    // write this despite the existence of index.phpx in case they strike again
    $fh = fopen('index.php', 'w') or die("can't open file");
    fwrite($fh, 'Sorry, we are currently offline');
    fclose($fh);
}
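The canary above relies on the injected code being prepended to every PHP file, and an earlier reply mentions a cleanup script that strips it again. As an added example (not code from any poster here), the following Python script does the same job from a baseline: it records a SHA-256 of every .php file while the site is known clean, later classifies each changed file as "prepended" (the original bytes are still intact below some cut point, which it finds by hashing from each PHP open tag and each line start), "modified" (rewritten, restore from backup), "added" or "missing", and strips the detected prefix from prepended files. The sample site, the injected block it uses to simulate the compromise, and all function names are constructed for this example.

```python
import hashlib
import os
import tempfile


def php_files(root):
    """Yield every .php file under root (the only files the prepender touches)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                yield os.path.join(dirpath, name)


def build_manifest(root):
    """Relative path -> SHA-256 of content, taken while the site is known clean."""
    manifest = {}
    for path in php_files(root):
        with open(path, "rb") as fh:
            manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def find_prepend_length(content, baseline_hash):
    """Return how many leading bytes must be removed to recover the baseline file,
    or None if the change is not a pure prepend. Candidate cut points are each
    PHP open tag and each line start; the remainder is hashed from there."""
    candidates = set()
    i = content.find(b"<?php")
    while i != -1:
        candidates.add(i)
        i = content.find(b"<?php", i + 1)
    candidates.update(j + 1 for j, byte in enumerate(content) if byte == 0x0A)
    for cut in sorted(candidates):
        if cut and hashlib.sha256(content[cut:]).hexdigest() == baseline_hash:
            return cut
    return None


def scan(root, manifest):
    """Compare the live tree against the manifest and classify each difference."""
    report = {"prepended": {}, "modified": [], "added": [], "missing": []}
    current = build_manifest(root)
    for rel, digest in sorted(current.items()):
        if rel not in manifest:
            report["added"].append(rel)
        elif digest != manifest[rel]:
            with open(os.path.join(root, rel), "rb") as fh:
                cut = find_prepend_length(fh.read(), manifest[rel])
            if cut is None:
                report["modified"].append(rel)    # rewritten: restore from backup
            else:
                report["prepended"][rel] = cut    # baseline intact below the cut
    report["missing"] = sorted(set(manifest) - set(current))
    return report


def restore_prepended(root, report):
    """Drop the injected prefix from each prepended file, restoring baseline bytes."""
    for rel, cut in report["prepended"].items():
        path = os.path.join(root, rel)
        with open(path, "rb") as fh:
            content = fh.read()
        with open(path, "wb") as fh:
            fh.write(content[cut:])


# Constructed stand-in for an injected block; real ones are much longer.
INJECTED = b"<?php /* constructed stand-in for an injected block */ ?>\n"


def make_sample_site():
    """Constructed two-file site in a temporary directory."""
    root = tempfile.mkdtemp(prefix="php_site_")
    os.mkdir(os.path.join(root, "inc"))
    for rel, body in [("index.php", b"<?php\nrequire 'inc/config.php';\necho 'hi';\n"),
                      ("inc/config.php", b"<?php\n$db_pass = 'constructed';\n")]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root


def simulate_compromise(root):
    """Prepend to index.php, overwrite config.php outright, and drop a new file."""
    idx = os.path.join(root, "index.php")
    with open(idx, "rb") as fh:
        original = fh.read()
    with open(idx, "wb") as fh:
        fh.write(INJECTED + original)
    with open(os.path.join(root, "inc", "config.php"), "wb") as fh:
        fh.write(b"<?php\n// rewritten entirely\n")
    with open(os.path.join(root, "dropped.php"), "wb") as fh:
        fh.write(b"<?php\n// new file that was never in the baseline\n")
    return len(INJECTED)


if __name__ == "__main__":
    site = make_sample_site()
    baseline = build_manifest(site)
    simulate_compromise(site)
    findings = scan(site, baseline)
    print(findings)
    restore_prepended(site, findings)
    print(scan(site, baseline))
```

Keep the manifest somewhere the web user cannot write (or off the server entirely), otherwise whoever can prepend to your PHP files can rewrite the baseline too; and treat the "modified" and "added" entries as the interesting part of the report, since the prepended files are the easy case.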
It turned out that when I went over his folders and files and set the correct permissions the problem stopped.
chmod is weak: one may put a PHP file there to use the PHP chmod function, and it might also be changed by FTP.
A better solution is to use "chattr +i", but you need shell access or... a PHP shell (if your hosting provider allows exec(), system(), etc...).
Besides, who ever heard of chattr? No one? So haxorz wannabes don't know about it either.
This usually occurs because a computer that had FTP/cPanel access to the account picked up some malware which took stored credentials either from Firefox, IT, etc... or from popular FTP software password storage files (such as Filezilla's unencrypted password store) and used that to insert the code.
You should download MBAM (google it) and Avast/AVG/PrevX/etc and run them in full on any machine that has been compromised.
Then (and only then), clean the account and reset the password to something new.