How would I know if my OS is compromised?
Posted by itsols on Ask Ubuntu
Published on 2012-10-11T14:06:17Z
I had opened a PHP folder from a friend's web host. I ran it on mine to fix some bugs.
Then I tried attaching the code to be emailed and Gmail stated that the attachment was infected by a virus.
Now I'm afraid that my Apache or OS (12.04) is infected.
I checked the PHP files and found a base64-encoded set of code being eval'd at the top of each and every PHP file. Just reversing it (echo with htmlspecialchars) showed some clue that there were sockets in use and something to do with permissions. And also there were two websites referred to, having .ru extensions.
Now I'm afraid that my Ubuntu system is affected or compromised.
Any advice please!
Here's my second run of rkhunter with the options:
sudo rkhunter --check --rwo
Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
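As an added, defender-side example (not part of the question or of any answer on the page): a small Python script that locates eval'd encoded literals of the kind the poster describes, decodes the wrapper chain the way PHP would execute it, and groups the indicators the poster noticed (socket calls, permission changes, .ru hostnames) so each infected file can be triaged without running it. The PHP content, the decoded payload text and the hostnames in it are constructed for this example; it also handles the gzinflate/gzuncompress/str_rot13 wrappers that are commonly chained around the same base64 blob, which goes beyond the single layer the poster saw.

```python
from __future__ import annotations

import base64
import codecs
import re
import zlib

# Constructed sample (not from the question): a PHP file carrying an injected
# eval(base64_decode(...)) header. The payload is inert placeholder text that only
# reproduces the indicators the poster saw; the hostnames are made up.
_FAKE_PAYLOAD = (
    "$s = fsockopen('placeholder-host.ru', 80);\n"
    "chmod('/var/www/html', 0777);\n"
    "file_get_contents('http://second-placeholder.ru/x');\n"
)
SAMPLE_PHP = (
    "<?php eval(base64_decode('"
    + base64.b64encode(_FAKE_PAYLOAD.encode()).decode()
    + "')); ?>\n"
    "<?php\n// legitimate application code follows\necho 'hello';\n"
)


def _raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE stream (what PHP's gzinflate expects), used to build a sample."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


# Second constructed sample: a two-layer chain, eval(gzinflate(base64_decode("..."))).
SAMPLE_PHP_GZ = (
    '<?php\neval(gzinflate(base64_decode("'
    + base64.b64encode(_raw_deflate(b"chown('/tmp/x', 'www-data');")).decode()
    + '")));\n'
)

# eval( decoder( decoder( 'base64-looking literal' ) ) ) with one or more wrappers.
_DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)"
_EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:" + _DECODERS + r"\s*\(\s*)+)['\"]([A-Za-z0-9+/=]+)['\"]\s*\)+",
    re.IGNORECASE,
)

# Indicator classes to report in the decoded payload.
_INDICATORS = {
    "sockets": r"\b(?:fsockopen|socket_create|stream_socket_client)\b",
    "permissions": r"\b(?:chmod|chown|umask)\b",
    "remote_fetch": r"\b(?:curl_exec|file_get_contents)\s*\(\s*['\"]https?://",
    "ru_hosts": r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.ru\b",
}


def find_encoded_evals(source: str) -> list[tuple[list[str], str]]:
    """Return (decoder_chain, literal) per hit; chain is listed outermost first."""
    hits = []
    for m in _EVAL_RE.finditer(source):
        chain = [c.lower() for c in re.findall(_DECODERS, m.group(1), flags=re.IGNORECASE)]
        hits.append((chain, m.group(2)))
    return hits


def _as_bytes(data: bytes | str) -> bytes:
    return data if isinstance(data, bytes) else data.encode("latin-1")


def decode_chain(chain: list[str], literal: str) -> str:
    """Apply the wrappers innermost-first, mirroring PHP's evaluation order."""
    data: bytes | str = literal
    for func in reversed(chain):
        if func == "base64_decode":
            data = base64.b64decode(data)
        elif func == "gzinflate":          # raw DEFLATE, no zlib header
            data = zlib.decompress(_as_bytes(data), -15)
        elif func == "gzuncompress":       # zlib-wrapped DEFLATE
            data = zlib.decompress(_as_bytes(data))
        elif func == "str_rot13":
            text = data.decode("latin-1") if isinstance(data, bytes) else data
            data = codecs.encode(text, "rot13")
    return data.decode("utf-8", errors="replace") if isinstance(data, bytes) else data


def triage(decoded: str) -> dict[str, list[str]]:
    """Group suspicious tokens found in a decoded payload by indicator class."""
    found = {}
    for name, pattern in _INDICATORS.items():
        matches = sorted(set(re.findall(pattern, decoded, flags=re.IGNORECASE)))
        if matches:
            found[name] = matches
    return found


def scan_php(source: str) -> list[dict]:
    """Locate encoded evals in PHP source, decode each one and triage it."""
    report = []
    for chain, literal in find_encoded_evals(source):
        decoded = decode_chain(chain, literal)
        report.append({"chain": chain, "decoded": decoded, "indicators": triage(decoded)})
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_PHP, SAMPLE_PHP_GZ):
        for entry in scan_php(sample):
            print("decoder chain:", " -> ".join(entry["chain"]))
            print("indicators:", entry["indicators"])
            print("payload:\n" + entry["decoded"])
```

Run it over every .php file in the copied folder (for example by feeding each file's contents to scan_php) and keep the decoded payloads with the report; comparing the hostnames and calls across files shows whether a single injection was stamped into all of them, which is what the poster's "top of each and every php file" observation suggests.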