Is this a legit block of code or some kind of script attack?

Hi folks,

My site, was working fine until recently when it suddenly started to go wrong about 2 weeks ago. This happens just on the homepage of the site in IE 7 & 8, where the site layout and the main page background image are all messed up, but if you go to any other page (all pages use the same CSS files etc), the layout and background image are fine.

So I looked at the rendered source code and noticed that at the top of the index.php page (in ALL browsers) was this following code (actually placed before the initial DOCTYPE & HTML tags:



I then searched through every file making up the site (using my local development version) and couldn't find any matches at all, then eventually after doing a backup from the live version, I found the above code in the index.php file in the controllers folder.

Should that code be there? It doesn't appear on the same file in any earlier versions before the site got corrupted (I have checked my SVN repository going back the last 8 revisions), and since it has appeared, both AVG and Avast anti virus report a virus if a user goes to the sites index page and block the user from continuing, but the same AV programs don't report any issues if they go to a page that does NOT contain that block of code (i.e. the catalog page or a product page).

So is this code malicious? should it be there or am I worrying about nothing? Also can anyone shed any light on why in IE 7 & 8, my homepage is all messed up but any other page (same images, same CSS files) are all fine.

Any info provided will be greatly appreciated.

Cheers all.

Remove the code ASAP, its bad juju


Yep not nice code, I removed the script from all the index.php files in the controllers folder and sub-folders and it’s sorted everything out.

Thanks for answering, really don’t need no BAD JUJU on my patch…



I searched google for “KZVUImLQCh473YDef”

[url]Forums - Forums


Now there is an additional problem finding how that code got there… Change all your passwords. Still, it is possible that one of the files may contain a back door. Scan your folders for files modified/created around the date you suspect the infection took place. You need to open them and see if there is anything odd. It is not 100% proof method but is worthwhile anyway.

Then, I would daily monitor the site for a secondary infection, however, it might not be the same as the first one. Scan your computer files for viruses with other antiviruses, it is possible that yours might have missed something. Same goes for any person who can enter admin or ftp, ftp more likely source of infection though.

Plus, it is not “script attack” but an aftermath of a successful script attack.

Much better, all cleaned up for you :wink: