Hi redwolfe_98,
Next to what Milos is reporting there (php.index hack via PHP script text) there is also a code hiccup here:
wXw.isestorino.it/view/js/lib/jquery.fancybox-1.2.1.js benign
[nothing detected] (script) wXw.isestorino.it/view/js/lib/jquery.fancybox-1.2.1.js
status: (referer=wXw.isestorino.it/)saved 14813 bytes 3b0c8a1aca2c185dc659f659a832369fef9fbffa
info: [iframe] wXw.isestorino.it/view/js/lib/
info: [img] wXw.isestorino.it/view/js/lib/
info: [decodingLevel=0] found JavaScript
suspicious:
Furthermore, too much header info is given to the world and attackers:
* Sitecheck Results
* Website details
* Blacklisting status
Web server details
Scan for: http://wXw.isestorino.it
Hostname: wXw.isestorino.it
IP address: 2.113.128.142
System Details:
Running on: Apache/2.2.16
System info: (Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.2 mod_jk/1.2.30
Powered by: PHP/5.3.2
Web application details:
Google Analytics installed: UA-931122-11
They just have to look up exploits/vuln to attack your site.
Then consider this: https://www.virustotal.com/en/ip-address/2.113.128.142/information/
as the IP is shared by 49 domains: http://sameid.net/ip/2.113.128.142/ (greater risk on a general IP ban that way)
The message has already reached users here: http://forum.avira.com/wbb/index.php?page=Thread&threadID=156185
Detection of this backdoor reported here: http://v.virscan.org/PHP:Agent-PU%20[Trj].html
polonus
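
Added example, not part of the original post: a small Python check a site owner could run against their own response headers to list the software versions and platform details they disclose. The function names are hypothetical, and the sample responses are constructed, with the verbose banner rebuilt from the values in the scan report quoted above.

```python
import re

# Headers that commonly carry software banners.
BANNER_HEADERS = ("server", "x-powered-by")

# product/version token, e.g. "Apache/2.2.16" or "OpenSSL/0.9.8o"
TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")
# parenthesised comment, e.g. "(Win32)", which reveals the platform
COMMENT_RE = re.compile(r"\(([^)]+)\)")


def parse_raw_headers(raw):
    """Parse a raw HTTP response header block into a lower-cased dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_details(headers):
    """Return (header, kind, detail) tuples for every banner detail exposed."""
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name, "")
        for product, version in TOKEN_RE.findall(value):
            findings.append((name, "version", f"{product}/{version}"))
        for comment in COMMENT_RE.findall(value):
            findings.append((name, "platform", comment))
    return findings


# Constructed sample: banner values taken from the scan report in the post.
VERBOSE = """HTTP/1.1 200 OK
Server: Apache/2.2.16 (Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.2 mod_jk/1.2.30
X-Powered-By: PHP/5.3.2
Content-Type: text/html
"""

# Constructed sample: the same response after the banners are reduced.
MINIMAL = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("minimal", MINIMAL)):
        print(label, disclosed_details(parse_raw_headers(raw)))
```

On Apache the reduced banner corresponds to `ServerTokens Prod` with `ServerSignature Off`, and the `X-Powered-By` header goes away with `expose_php = Off` in php.ini.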