A Flash Developer Resource Site


Thread: Website virus

  1. #1
    Grandfather to the stars bigginge's Avatar
    Join Date
    Oct 2003
    Location
    UK
    Posts
    735

    Website virus

    I did a site for a customer selling energy-efficient lighting using osCommerce software. He contacted me this morning saying one of his clients emailed 'I tried to get on your website and received a warning that it was packed with Win 32 Katusha 0 virus.'. I googled this and it appears to be connected with a line that has appeared in the first line of every php file saying: '<?php /**/eval(base64_decode('aWYoZnVu................19fQ== ')); ?>'. It appears on every php file I've looked at in the site, and there must be hundreds of them.
    Can anyone shed more light on this for me please?
    To dance beneath the diamond sky with one hand waving free
    Love Light Romania Romania Blog

  2. #2
    FK's Official Mac Hater jasonsplace's Avatar
    Join Date
    Mar 2002
    Location
    Provo, Utah
    Posts
    2,245
    It appears that your site was hacked. You may want to look up some articles on securing OSCommerce. Some of the things that you need to do:
    Don't leave the admin panel in the default admin directory.
    Use a second layer of security over the admin panel. You can do server authentication or limit IP addresses.
    I'd also recommend removing the sections of the admin panel that can be used to edit site files.

    Once that's done, you'll either have to restore the site's files from a backup if you have one or remove that line from every file. If you use a tool to mass remove the line, then make sure that it doesn't leave a blank line at the top of the file. That will throw errors because the headers are being sent before they should be.
    Jason L. Wright
    I'm not that hard to imitate. Just make some random negative claim at Apple or anything else for that matter and then have nothing to back it up.
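
One way to do the mass removal described above without leaving a blank line at the top of each file, as an added example that is not code from the thread. The regex assumes the injected line has exactly the shape quoted in the first post; the function names and sample files are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Matches only an injected block at the very start of a file, in the shape
# quoted in the thread: <?php /**/eval(base64_decode('...')); ?>
# The trailing \s* also consumes the newline after it, so the cleaned file
# starts directly with its original first line and sends no early output.
INJECTED = re.compile(
    rb"\A<\?php\s*/\*\*/\s*eval\(base64_decode\('[A-Za-z0-9+/=\s]*'\)\);\s*\?>\s*"
)

def strip_injection(data: bytes) -> tuple:
    """Return (cleaned bytes, True if the injected prefix was present)."""
    cleaned, hits = INJECTED.subn(b"", data, count=1)
    return cleaned, bool(hits)

def clean_tree(root: Path, apply: bool = False) -> list:
    """List infected *.php files under root; rewrite them only if apply=True."""
    infected = []
    for path in sorted(root.rglob("*.php")):
        cleaned, hit = strip_injection(path.read_bytes())
        if not hit:
            continue  # untouched files are never rewritten
        infected.append(path)
        if apply:
            path.write_bytes(cleaned)
    return infected

def demo() -> dict:
    # Constructed sample files; the base64 string is a harmless placeholder.
    bad = (b"<?php /**/eval(base64_decode('UExBQ0VIT0xERVI=')); ?>\n"
           b"<?php\nheader('Location: /');\n")
    good = b"<?php\necho 'ok';\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_bytes(bad)
        (root / "clean.php").write_bytes(good)
        found = clean_tree(root, apply=True)
        return {
            "infected": [p.name for p in found],
            "index": (root / "index.php").read_bytes(),
            "clean": (root / "clean.php").read_bytes(),
        }

if __name__ == "__main__":
    print(demo())
```

Run `clean_tree` with `apply=False` first, against a copy of the site, and review the list of flagged files before rewriting anything.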

  3. #3
    Grandfather to the stars bigginge's Avatar
    Join Date
    Oct 2003
    Location
    UK
    Posts
    735
    Thanks for the advice. Actually I contacted the web providers and they removed the offending lines - but it didn't work at first as they left a blank line, as you said.
    I'll take heed of the rest of your post.
    Thanks again.
    To dance beneath the diamond sky with one hand waving free
    Love Light Romania Romania Blog
