So I emerged from a fantastic vacation weekend to find all of my php sites not working. Each displaying the same simple error message:

“Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ‘,’ or ‘;'”

After my initial 30 second panic attack subsided I did a little googling and came up with this site: https://www.geeked.info/web-site-hack-loading-microsotfcn/

I’m assuming this is a bot that crawls from site to site. I had websites hacked across three different servers.

Once hacked, the site should produce a tiny iFrame that redirects to microsotf.cn. Don’t visit the page. It will most certainly ruin your day – spyware, malware, whatever. The beauty is – wordpress sites don’t display the iFrame. They just wind up broken. Other sites however won’t appear very different at all and it will be nearly impossible to tell whether the site was hacked or not.

If you’re having this problem simply open the source of the page in question and look a block of code similar to this (either immediately following the body tag or at the very bottom of the source code.):

Website hack – microsotf.cn – WordPress

Delete the offending code – upload (backup the original first, just in case) and you’re back in business.

Thanks to Ed over at https://www.geeked.info/ for having the ONLY blog post I could find on the whole internet about the hack.

EDIT: 7/9/09 – It has happened again to one of my sites. Different block of code, different malware site being loaded – same basic poison/remedy. For those interested in learning how to block an ip address (or range of ip addresses) – click here.