It appears that somewhere between May 21st and May 28th, the index.php file for my site had a snippet of PHP code prepended to it. It appears to be tracking user agents, remote_addr, along with where they were going on my site....it also checks if the user agent contains google...and does something different for that.

Namely prepend a bunch of poorly formed html code that comes before my <!DOCTYPE ... > <html> tags. for the usual sites of sex and drugs.

It strangely only started doing this on January 6th, 2013....which is why it was so hard tracking down when the file had changed. I do weekly backups, and expire after 6 months....fortunately, some of the older backups were still in my system backups. The files had timestamps of Apr 1, 2012...but Apr 2 backup doesn't show any alteration.

Not sure if the timestamp is meaningful though....it was April 1, 2012 that I upgraded to 4.1.3, so its possible that's how it got the timestamp...though seems odd that I hadn't touched it since then. It appears I upgraded to 4.1.6 on November 26th.

Though it was January 6th that I made first post of the year to my blog....

Hmm.... wonder if there's some kind of automated tool that could be part of b2evolution to check for this.

I also found a directory of php, html and images for some kind of drug....in a a directory under my media directory on another b2evolution site...which is also 4.1.3, and hadn't been patched since.

Wonder if not doing 4.1.4 was the problem....it wasn't until September 30th that I went from 4.1.3 to 4.1.5b.

The Dreamer