A good initial approximation to safety is had between the numbers of hackers out there and the numbers of actual customers you have in India or Mexico, let alone any returning from 119.226.239.74 although your Apache logs and your ftp logs would allow seeing when and for how long doing exactly what that quad-decimal was active.
[Below are the steps I just took through an hour in moving from suspicion to proof, including testing the infection for what it is. IT IS NOT INNOCUOUS: IT IS VICIOUS SOCIOPATHY WITH A LIVE VIRUS (READ ON). You're dealing with an unwelcome visit by a sociopathic slug who should now be turned in to . . . Google itself for abusing its own gmail services to spread something that is actually virulent and even has a name.]
(1) The address is suspicious. The dns is truncated, and the parent has only these:
Mail Server 202.144.65.102 India Sifyinfranet SIFY INFRASTRUCTURE 202.144.65.0 202.144.65.254 Hostmaster Satyam Infoway Sify Limited,, Second Floor, Tidel Park,, No.4,Canal Bank Road,, Taramani, Chennai - 600113
ipadmin@sifycorp.com +91-44-22540770 +91-44-22540771 APNIC
Domain Name Server 202.144.63.12 India Sifyinfranet SIFY INFRASTRUCTURE 202.144.63.0 202.144.63.254 Hostmaster Satyam Infoway Sify Limited,, Second Floor, Tidel Park,, No.4,Canal Bank Road,, Taramani, Chennai - 600113
ipadmin@sifycorp.com +91-44-22540770 +91-44-22540771 APNIC
(2) The address is already considered suspicious. At
http://www.projecthoneypot.org/ip_119.226.239.74
"The Project Honey Pot system has detected behavior from the IP address consistent with that of a spam harvester. Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts."
(3) The address is already considered suspicious. At
http://spam-ip.com/find.php
"119.226.239.74 email
justin.webseo5005@gmail.com user user name"
(4) THE CODE IS PRIMA FACIE SUSPICIOUS. The linebreaks that you see in your initial post appear in text to be a space, linefeed, and tab. There are 30 of those. When those are found-and-replaced there are in those 30 instances FULLY 693 REPLACEMENTS! That's a piddling 23.1 characters PER LINE BREAK AND INDENT. Look at 'em, do you see 23.1 averaged characters' breadth in there? Noop. Worse, there are then STILL 30 TABS, which in turn when stripped collapse the text. THAT gets rid of your injection code. THAT CODE is virulent, it is called "screen lock", and while active it is fortunately an incompetent copy.
(5) THE CODE IS RECOGNIZABLE IN THE FIRST INSTANCE AS SUSPICIOUS. The resulting edited text should have a familiar ring to it relating to your opening post. Strip out the gibberish and you have yet another idiot promising money-back in incompetent English to put you number one in Google datadumps, but that's just a guise for spreading the virus:
Sqlinjection: /index.php?route=information/contact?variable_POST=hi lesbricoles team hope you are doing fine. i thought you might like to know some of the reasons why you are not getting enough totoanic traffic most often you stick to ad wtotos to get mtoto traffic which is quite expensive and the chances is high of getting a spam traffic as well. Alet me tell you that your website still does not totoanically rank on major search engine's first page for most of the popular keywords which means people searching for your products are not able to find your website and you are losing traffic. Asome of the major facttoto which can be overcome for your website to rank well in serp totoanically and increase your social media presence are seems like your website carries a lot of technical errtoto which prevents search engine to crawl and index your website properly. your website needs a proper keywtoto totoon and optimization. your website is not well furnished with enough quality and theme based back links. your website should be mtoto inclined towards social media promotion and a regular toto in major social netwtotos.%0D%0A5. missing quality web and promotion contents article blogs etc. which is preventing your website to gain mtoto authtototy and ranking in web market. Ain the present day scenario it's very essential to take a proper care of your website and keep it toto with fresh and totoginal contents. there are many additional improvements which can help your website to gain mtoto traffic and visibility. if you are interested to learn mtoto and curious to know how we can help you to improve your website to get a higher traffic%2C then i would be glad to provide you a detailed proposal for your website. Aour services include seo%2C reputation management smo for websites to make them popular in the web market. we have a dedicated google analytics certified team seo professionals who takes care of our campaign process. 
our clients consistently tell us that their customers find them because they are on the top of google. being on the top of google is the best thing you can do for your sales and online reputation. this email just tells you the fraction of things we do our optimization process involves many other technical facttoto which can be sent to you on your request. if you would like to know mtoto about our services then please write us back else you can give us a call us in our number mentioned below. this is our marketing strategy to use a gmail account. once you reply us back we will communicate with you through our ctotototote email id. Alet me know your thoughts and looking ftotoard to wtoto together. best regards justin taylor senior seo advisor Aph. no 320815-255-085500 skype seo.service this is a onetime email and you may ask us to remove if you are interested i will send details on our identity company profile why you should choose us price list money back etc. in my next mail.
(6) UPSHOT. Turn the bastard in to Google for posing as
justin.webseo5005@gmail.com and attempting to inject and spread a virulent but fortunately incompetent copy of a virus known as "screen lock" which is actually active. THAT is what the vast majority of the 631 mostly invisible characters were all about.
(7) UPSHOT. You innocently took a step the bastard counted upon.
(7)(A) IMMEDIATELY DELETE THE LIVE VIRULENT CODE IN YOUR INITIAL POST AND REPLACE IT WITH "[VIRULENT CODE DELETED]" -- that's one reason for posting a screenshot rather than alien code.
(7)(B) ABSOLUTELY DO NOT ATTEMPT TO OPEN THAT FILE, YOU RISK LOCKING YOUR MACHINE. YOUR ANTI-VIRAL SOFTWARE HAS ALREADY FAILED TO SEE IT.
(7)(C) IMMEDIATELY DELETE THE FILE ON YOUR OWN MACHINE from which you plucked the code in your opening post, USING A SECURE SHREDDER BY MALWAREBYTES OR NORTON OR ANYBODY.
(8) Now you can sleep tight tonight.
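The two checks described in the opening paragraph and in step (4), as an added example that is not part of the original post: it reads Apache combined-format log lines, reports when and for how long one address was active, and inventories the control and format characters hidden in its URL-decoded requests. The log lines, their dates and the function names are constructed for illustration; the IP and the route are the ones quoted in the post.

```python
import re
import unicodedata
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not from the post).
SAMPLE_LOG = """\
119.226.239.74 - - [01/Jan/2015:04:10:01 +0000] "GET /index.php?route=information/contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
119.226.239.74 - - [01/Jan/2015:04:10:09 +0000] "POST /index.php?route=information/contact?variable_POST=hi+team%0D%0A%09%09hope+you+are+fine%0D%0A%095.+missing+content%2C+etc HTTP/1.1" 200 5188 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2015:04:11:00 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, [timestamp], "METHOD target protocol"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def hidden_chars(text):
    """Count control (Cc) and format (Cf, e.g. zero-width) characters by code point."""
    counts = Counter()
    for ch in text:
        if unicodedata.category(ch) in ("Cc", "Cf"):
            counts[f"U+{ord(ch):04X}"] += 1
    return counts


def ip_activity(log_text, ip):
    """Summarise one client's requests: time window, methods, hidden characters."""
    times, methods, hidden = [], Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != ip:
            continue
        times.append(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"))
        methods[m.group(3)] += 1
        # Decode %XX and '+' first, so encoded CR/LF/TAB are counted too.
        hidden += hidden_chars(unquote_plus(m.group(4)))
    if not times:
        return None  # address never appears in this log
    return {"first": min(times), "last": max(times),
            "active_seconds": int((max(times) - min(times)).total_seconds()),
            "methods": dict(methods), "hidden": dict(hidden)}


if __name__ == "__main__":
    print(ip_activity(SAMPLE_LOG, "119.226.239.74"))
```

Because the count is taken on the decoded text, the submission is never rendered or opened, only measured.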