I was recently contacted by a client whose AdWords were being rejected because of a malware infection of his site. I don't know how it got there, but the index.php of the site seemed to be infected by some kind of code that I hadn't seen before. I deleted the code without thinking about testing what it actually output, but I made a screenshot, which I attached here.

I can't say whether this is a Couch problem or a "normal" infection by either the client's PC or via FTP (weak password probably). I instructed them to change all FTP passwords (since other sites are being hosted on the same FTP) and to contact their hosting partner for a scan or some kind of analysis. I think I'll let them scan their PCs for an infection as well. If anybody has any ideas I'd love to hear them :-)

PS: Couch version in use is 1.3.5

Hi Kris,

The code, as it appears in the screenshot, is clearly something 'injected'.

We've had only one such incident reported previously - you can find the details at viewtopic.php?f=4&t=6923

I suspect the cause in this case is the same - in all probability your client's local system is infected and the compromised FTP creds are being used to 'inject' the code you see in PHP files.

In the last incident that I quoted above, Couch's files were IonCube encrypted and so the injected code merely caused the entire script to fail. Now that the source files are in plain text, this code could cause real damage.

Do get the local systems thoroughly scanned.

If the server your site is hosted upon happens to be a shared server, the cause could even be located on some other client's site or machine. In which case, throw in the towel and move to a dedicated server asap as it is a hopeless battle.

Keep us posted.